How to Replace the Security Server Internal TLS Key and Certificate?¶
By default, the Security Server internal TLS key and certificate are automatically generated during the Security Server installation process. The internal TLS key and certificate can be manually recreated using the Security Server UI. However, importing an existing key and certificate is not possible through the Security Server UI. Instead, importing requires shell access to the Security Server.
Step-by-step guide¶
An existing key and certificate can be imported by following the steps described below.
-
Take backup copies of the files listed below:
-
Replace
internal.keyandinternal.crtwith the files you want to import. -
Create a PKCS#12 container that includes the new key and certificate:
-
Restart the
xroad-proxyandxroad-proxy-ui-apiservices: -
Print the checksum of the certificate to the console:
-
Check from the Security Server UI that Keys and Certificates → Security Server TLS Key view shows the same checksum.
-
Check that the
/var/log/xroad/proxy.logand/var/log/xroad/proxy_ui_api.loglog files do not contain any internal TLS key/certificate related errors. -
In case something goes wrong, restore the original files, and restart the
xroad-proxyandxroad-proxy-ui-apiservices.