Replacing the NetProfiler web certificate from the command-line

Solution Number: S34909
Last Modified: 2021-04-06

Issue

The NetProfiler web certificate may be replaced from the web interface at Administration > Appliance Security > Encryption Key Management.

However, it may be necessary to replace the certificate from the command line, either for automation purposes or because a misconfigured certificate has been uploaded and is now blocking web access.

Solution

These procedures apply to NetProfiler, NetExpress, and Flow Gateway. On NetProfiler 4270 or 4280, perform the procedure only on the Base or UI appliance; the other NetProfiler appliances in the cluster do not run a web server.

Replace certificate with a new self-signed certificate

To replace the current certificate with a new self-signed certificate and private key, connect to the appliance via SSH using the 'mazu' account. Issue the command:

[mazu@netprofiler ~]$ sudo mazu-cert generate apache

When successful, no output is given.

Replace certificate with a CA-signed certificate

An uploaded file must contain both a public certificate and private key.

  • The entire certificate chain (intermediate and root certificates) is not required. Validation of the chain is done in the user's browser. Only the server certificate is required.
  • The format must be an X.509 Base64-encoded PEM file.
  • The private key must not be encrypted with a password.

The headers within the file appear as follows, where the order is not important:

-----BEGIN CERTIFICATE-----
xxxx
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
xxxx
-----END PRIVATE KEY-----
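
The requirements above can be checked on the workstation where the file was assembled, before it is uploaded, so that a bad file never reaches the web server. This is an added example, not Riverbed code: the function name check_bundle and its return codes are assumptions of this example, and it needs openssl on the local machine.

```shell
#!/bin/sh
# Added example (not vendor code): validate a combined PEM file before upload.
# check_bundle FILE returns 0 when FILE meets the requirements listed above;
# the function name and the non-zero return codes are this example's own.
check_bundle() {
    f=$1
    [ -r "$f" ] || { echo "cannot read: $f" >&2; return 2; }

    # A server certificate must be present (the CA chain is optional).
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    [ "$certs" -ge 1 ] || { echo "no CERTIFICATE block" >&2; return 3; }

    # Password-protected keys: PKCS#8 "ENCRYPTED PRIVATE KEY" header, or the
    # legacy "Proc-Type: 4,ENCRYPTED" line inside an RSA/EC key block.
    if grep -Eq -- 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$f"; then
        echo "private key is encrypted with a password" >&2; return 4
    fi
    grep -Eq -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$f" ||
        { echo "no PRIVATE KEY block" >&2; return 5; }

    # The key must belong to the certificate: derive the public key from each
    # and compare. "-passin pass:" stops openssl from prompting on a terminal.
    cert_pub=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null) ||
        { echo "certificate does not parse" >&2; return 6; }
    key_pub=$(openssl pkey -in "$f" -passin pass: -pubout 2>/dev/null) ||
        { echo "private key does not parse" >&2; return 6; }
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "private key does not match certificate" >&2; return 7; }

    # -checkend 0 fails when the certificate has already expired.
    openssl x509 -in "$f" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired" >&2; return 8; }
    echo "OK: $(openssl x509 -in "$f" -noout -subject -enddate | tr '\n' ' ')"
}

# Run against a file when one is given, e.g.: sh check_bundle.sh server.pem
if [ $# -gt 0 ]; then check_bundle "$1"; fi
```

A return code of 0 means the file holds a parseable, unexpired certificate and an unencrypted private key that matches it.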

To load the certificate from the command-line:

  1. Use WinSCP or SCP with the 'mazu' account to upload the file containing the CA-signed certificate and private key to the directory /home/mazu.

  2. Connect to the appliance with the 'mazu' account over SSH. The following command will replace the apache certificate and private key with those in the uploaded file:

    [mazu@netprofiler ~]$ sudo mazu-cert replace apache /home/mazu/<filename>

    When successful, no output is given.

Confirm contents of loaded certificate

The active certificate and private key are stored in /opt/cascade/vault/apache/. To view the full, decoded contents of the certificate from the command line, use the following command:

[mazu@netprofiler ~]$ sudo openssl x509 -in /opt/cascade/vault/apache/server.crt -noout -text

The output may be filtered as follows to view only the validity dates:

[mazu@netprofiler ~]$ sudo openssl x509 -in /opt/cascade/vault/apache/server.crt -noout -text | grep -A 2 Validity
        Validity
            Not Before: Apr 28 18:02:29 2019 GMT
            Not After : Apr 27 18:02:29 2021 GMT
