Importing and Reverting a Signed Certificate

This topic explains how to importing a CA signed certificate into TOS, and how to revert such a certificate to self-signed if necessary. You may need these certificates to verify the security of the TOS web server.

Prerequisites

  • The certificate needs to be obtained independently

  • The certificate format must be RSA compatible

  • The certificate needs to be a *.pem file. Other formats are not supported.

Import the Certificate

Import your own certificates to authenticate and encrypt communications with your TOS server.

We recommend that you save a copy of the certificate in case you need to re-import the certificate in the future. For example, if an attempt to update to a newer certificate fails you may need to re-import the current certificate.

  1. If your organization uses an intermediate CA, first create the certificate bundle:

    1. If the private key has a passphrase, remove it now.

      • Run:

      • openssl rsa -in [original.key] -out [new.key]
        openssl rsa -in [original.key] -out [new.key]
      • When prompted, enter the passphrase for the original key.

      • The output file [new. key] is now unencrypted.

    2. Create a certificate bundle (bundle.crt) from a signed server certificate (certificate.cer) and an intermediate CA certificate (intermediate.cer) using the following command:

      cat certificate.cer  <(echo) intermediate.cer  <(echo) > bundle.crt
      cat certificate.cer <(echo) intermediate.cer <(echo) > bundle.crt
  2. Stop all TOS services - this may take time to complete. Users will not be able to access TOS until restarted.

    [<ADMIN> ~]$ sudo tos stop
    sudo tos stop
  3. Import the certificate.

    [<ADMIN> ~]$ sudo tos certificate import --type=<"server"> --cert=<CERT-PATH> --key=<KEY-PATH>
    sudo tos certificate import --type=<"server"> --cert=<CERT-PATH> --key=<KEY-PATH>

    Example

    $ sudo tos certificate import --type="server" --cert=/tmp/certfile.pem --key=/tmp/keyfile.key

  4. Restart TOS.

    [<ADMIN> ~]$ sudo tos run

    where,

    • --type="server" — import a self-signed server certificate that will be used for the TOS Aurora web server
    • <CERT-PATH> — location of the certificate
    • <KEY-PATH> — location of the key
    sudo tos run

Revert a Certificate to Self-Signed

If you need to revert to a CA-signed Certificate, follow the steps below.

  1. Stop all TOS services - this may take time to complete. Users will not be able to access TOS until restarted.

    [<ADMIN> ~]$ sudo tos stop
    sudo tos stop
  2. Revert the certificate.

    [<ADMIN> ~]$ sudo tos certificate renew --type=<"server"> [--help] [--debug]
    sudo tos certificate renew --type=<"server">

    where

    • --type="server" — renew the self-signed server certificate used for the TOS Aurora web server
  3. Restart TOS.

    [<ADMIN> ~]$ sudo tos run
    sudo tos run