Importing and Reverting a Signed Certificate

Overview

This procedure describes how to import a CA-signed certificate into TOS, and if needed, revert to a self-signed certificate.

Prerequisites

General prerequisites

  • The signed certificate must:
    • Use an RSA key pair (the key-pair check below compares RSA moduli)

    • Be in PEM format; other formats are not supported

  • Verify that the private key and the certificate are a pair.

    openssl rsa -noout -modulus -in server.key | openssl md5
    openssl x509 -noout -modulus -in site-certificate.crt | openssl md5

    The two hashes must match. If they differ, the certificate was not issued for this key and the import will not give you a working TLS server. If the key still has a passphrase, the first command prompts for it.

  • Verify that the certificate has a valid SAN (Subject Alternative Name) covering the host name or IP address users will use to reach TOS. Modern browsers validate the host name against the SAN, not the CN.

    openssl x509 -noout -ext subjectAltName -in site-certificate.crt

    For example:

    [root@OS4 certest]# openssl x509 -noout -ext subjectAltName -in web.server.crt
                    X509v3 Subject Alternative Name: DNS:tufin.com, DNS:www.tufin.com, IP Address:192.168.1.81

  • Verify the certificate expiration date.

    openssl x509 -enddate -noout -in site-certificate.crt

    The notAfter date printed must be in the future.

Import the Certificate

Import your own certificates to authenticate and encrypt communications with your TOS server.

We recommend that you save a copy of the certificate in case you need to re-import the certificate in the future. For example, if an attempt to update to a newer certificate fails you may need to re-import the current certificate.

  1. Prepare the private key and, if your organization uses an intermediate CA, the certificate bundle:

    1. If the private key has a passphrase, remove it now; the import command expects an unencrypted key.

      • Run:

        openssl rsa -in [original.key] -out [new.key]

      • When prompted, enter the passphrase for the original key.

      • The output file [new.key] is now unencrypted. Restrict its file permissions so that only the administrator can read it, and remove any copy left in a temporary location once the import has succeeded.

    2. Create a certificate bundle (bundle.crt) from the signed server certificate (certificate.cer) followed by the intermediate CA certificate (intermediate.cer). The order matters: the server certificate must come first, then each intermediate in order towards the root. The <(echo) entries add a newline after each file so that two PEM blocks never run together on one line when a file lacks a trailing newline.

      cat certificate.cer <(echo) intermediate.cer <(echo) > bundle.crt
  2. Stop all TOS services. This may take time to complete; users cannot access TOS until it is restarted.

    [<ADMIN> ~]$ sudo tos stop
  3. Import the certificate.

    [<ADMIN> ~]$ sudo tos certificate import --type="server" --cert=<CERT-PATH> --key=<KEY-PATH>

    Where,

    • <CERT-PATH> is the full path to the certificate bundle (certificate chain) with the required certificates, or to the signed server certificate alone if no intermediate CA is involved.
    • <KEY-PATH> is the full path to your unencrypted private key.

    Example

    $ sudo tos certificate import --type="server" --cert=/tmp/certfile.pem --key=/tmp/keyfile.key

  4. Restart TOS.

    [<ADMIN> ~]$ sudo tos run

Revert a Certificate to Self-Signed

If you need to revert from the imported CA-signed certificate to a self-signed certificate, follow the steps below.

  1. Stop all TOS services. This may take time to complete; users cannot access TOS until it is restarted.

    [<ADMIN> ~]$ sudo tos stop
  2. Revert the certificate. This generates a new self-signed server certificate; add --debug for verbose output or --help for usage.

    [<ADMIN> ~]$ sudo tos certificate renew --type="server"
  3. Restart TOS.

    [<ADMIN> ~]$ sudo tos run