These procedures apply to NetProfiler, NetExpress, and Flow Gateway. Note that in NetProfiler 4270 or 4280, the procedure is only performed on the Base or UI appliance. The other NetProfiler appliances in the cluster do not run a webserver.
Replace certificate with a new self-signed certificate
To replace the current certificate with a new self-signed certificate and private key, connect to the appliance via SSH using the 'mazu' account. Issue the command:
[mazu@netprofiler ~]$ sudo mazu-cert generate apache
When successful, no output is given.
Replace certificate with a CA-signed certificate
An uploaded file must contain both a public certificate and private key.
- The entire certificate chain (intermediate and root certificates) is not required. Validation of the chain is done in the user's browser. Only the server certificate is required.
- The format must be an X.509 Base64-encoded PEM file.
- The private key must not be encrypted with a password.
The headers within the file appear as follows, where the order is not important:
-----BEGIN CERTIFICATE-----
xxxx
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
xxxx
-----END PRIVATE KEY-----
To load the certificate from the command-line:
-
Use WinSCP or SCP with the 'mazu' account to upload the file containing the CA-signed certificate and private key to the directory /home/mazu.
-
Connect to the appliance with the 'mazu' account over SSH. The following command will replace the apache certificate and private key with those in the uploaded file:
[mazu@netprofiler ~]$ sudo mazu-cert replace apache /home/mazu/<filename>
When successful, no output is given.
Confirm contents of loaded certificate
The active certificate and private key are found in the location /opt/cascade/vault/apache/. To view the full, decoded contents of the certificate from command-line, use the following command:
[mazu@netprofiler ~]$ sudo openssl x509 -in /opt/cascade/vault/apache/server.crt -noout -text
The output may be filtered as follows to view only the validity dates:
[mazu@netprofiler ~]$ sudo openssl x509 -in /opt/cascade/vault/apache/server.crt -noout -text | grep -A 2 Validity
Validity
Not Before: Apr 28 18:02:29 2019 GMT
Not After : Apr 27 18:02:29 2021 GMT