Importing and Reverting a Signed Certificate

Overview

This procedure describes how to import a CA-signed certificate into TOS and, if needed, how to revert to a self-signed certificate.

Prerequisites

Signed Certificate Format

The signed certificate must:

  • Be RSA compatible

  • Be in .PEM format; other formats are not supported

Signed Certificate Bundle and Order

The certificate bundle is the certificate chain file; it must include the following certificates:

  • <your_domain>.crt

  • intermediate.crt

  • root.crt, only when using an internal or a private self-signed certificate

Each certificate in the bundle must be preceded by the -----BEGIN CERTIFICATE----- header and ended by the -----END CERTIFICATE----- footer.

Certificate creation

Here's an example of the command to create the certificate bundle:

cat your_domain.crt intermediate.crt root.crt > fullchain.pem

Certificate order in bundle

The order of the certificates in the chain file is important for clients to fully verify the server certificate. The chain file must start with the server certificate, followed by the intermediate CA certificates, and end with the root CA certificate.

-----BEGIN CERTIFICATE-----
(Domain Server Certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate-1)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate-2)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root)
-----END CERTIFICATE-----
Import CA-Signed Server Certificate

Import a CA-signed server certificate into TOS to authenticate and encrypt communications with your TOS server. Make sure you import the entire certificate chain as a bundle including the root, an intermediate certificate, and the server certificate.

We recommend saving a copy of the signed certificate in case you need to re-import it in the future. For example, if an attempt to update to a newer signed certificate fails, you may need to re-import the current signed certificate.

  1. If your organization uses an intermediate CA, first create the certificate bundle:

    1. If the private key has a passphrase, remove it now.

      • Run:

        openssl rsa -in [original.key] -out [new.key]

      • When prompted, enter the passphrase for the original key.

      • The output file [new.key] is now unencrypted.

    2. Create a certificate bundle (bundle.crt) from a signed server certificate (certificate.cer) and an intermediate CA certificate (intermediate.cer):

      cat certificate.cer <(echo) intermediate.cer > bundle.crt

  2. Stop all TOS services:

    [<ADMIN> ~]$ sudo tos stop

  3. Import the signed server certificate:

    [<ADMIN> ~]$ sudo tos certificate import --type=<"server"> --cert=<CERT-PATH> --key=<KEY-PATH>

    where:

    • <"server"> is the CA-signed server certificate used for the TOS web server.
    • <CERT-PATH> is the full path to the certificate bundle (certificate chain) with the required certificates.
    • <KEY-PATH> is the full path to your private key.

    Example

    $ sudo tos certificate import --type="server" --cert=/tmp/certfile.pem --key=/tmp/keyfile.key

  4. Restart TOS:

    [<ADMIN> ~]$ sudo tos run
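
Before running the import in step 3, the bundle assembled in step 1 (in the order given under Certificate order in bundle) can be sanity-checked offline. The following is an added example, not TOS or Tufin code: a standard-library Python script that checks that every PEM marker sits on its own line (the missing-newline problem that the `<(echo)` in step 1 guards against) and that each certificate's issuer is byte-identical to the subject of the certificate that follows it. The sample chain is constructed here from certificate skeletons that carry the real X.509 field layout but no keys or signatures; the hostnames and CA names are made up.

```python
import base64, re
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def _tlv(buf, off=0):                               # decode one DER tag-length-value at `off`
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                                   # long-form length (real certificates use it)
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + ln], off + ln

def issuer_subject(der):                            # raw DER issuer and subject Names of an X.509 certificate
    tbs = _tlv(_tlv(der)[1])[1]                     # Certificate -> tbsCertificate
    tag, _, off = _tlv(tbs)                         # [0] version (v3) or serialNumber (v1)
    if tag == 0xA0:
        _, _, off = _tlv(tbs, off)                  # serialNumber
    _, _, off = _tlv(tbs, off)                      # signature AlgorithmIdentifier
    _, issuer, off = _tlv(tbs, off)
    _, _, off = _tlv(tbs, off)                      # validity
    return issuer, _tlv(tbs, off)[1]                # subject

def check_bundle(pem_text):                         # returns the problems found; [] means framed and ordered correctly
    problems, names = [], []
    for i, line in enumerate(pem_text.splitlines(), 1):   # PEM readers expect markers at the start of a line
        if (BEGIN in line or END in line) and line.strip() not in (BEGIN, END):
            problems.append(f"line {i}: PEM marker not on its own line (files concatenated without a newline?)")
    for n, body in enumerate(re.findall(f"{BEGIN}(.*?){END}", pem_text, re.S), 1):
        try:
            names.append(issuer_subject(base64.b64decode("".join(body.split()), validate=True)))
        except Exception:
            problems.append(f"certificate {n}: body is not valid base64-encoded DER")
    for n in range(len(names) - 1):                 # byte-exact: issuer of cert n must equal subject of cert n+1
        if names[n][0] != names[n + 1][1]:
            problems.append(f"certificate {n + 1} is not issued by certificate {n + 2}: chain out of order or incomplete")
    return problems

# Constructed sample chain: skeletons with a real X.509 field layout but no key or signature (not real certificates).
_der = lambda tag, body: bytes([tag, len(body)]) + body   # short-form length only; the skeletons stay under 128 bytes
def _name(cn):                                      # Name = SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String } } }
    return _der(0x30, _der(0x31, _der(0x30, b"\x06\x03\x55\x04\x03" + _der(0x0C, cn.encode()))))
def _fake_cert(subject, issuer):                    # tbs: version, serial, sigalg, issuer, validity, subject
    tbs = b"\xa0\x03\x02\x01\x02" + _der(0x02, b"\x01") + _der(0x30, b"") + _name(issuer) + _der(0x30, b"") + _name(subject)
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
def _pem(der, newline=True):
    return f"{BEGIN}\n{base64.encodebytes(der).decode()}{END}" + ("\n" if newline else "")
SERVER = _fake_cert("tos.example.com", "Example Issuing CA")
INTER, ROOT = _fake_cert("Example Issuing CA", "Example Root CA"), _fake_cert("Example Root CA", "Example Root CA")
GOOD_BUNDLE = _pem(SERVER) + _pem(INTER) + _pem(ROOT)    # server, intermediate, root: the order the import expects
WRONG_ORDER = _pem(INTER) + _pem(SERVER) + _pem(ROOT)    # intermediate first
FUSED = _pem(SERVER, newline=False) + _pem(INTER)        # `cat a.crt b.crt` when a.crt lacks a trailing newline
```

On a real bundle, pass the file contents to `check_bundle()`; an empty list means the chain is framed and ordered as the import expects, while a non-empty list names the line or certificate to fix before running `tos certificate import`.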

Revert CA-Signed Certificate to Self-Signed

Revert a CA-signed server certificate to a self-signed one if needed.

  1. Stop all TOS services:

    [<ADMIN> ~]$ sudo tos stop

  2. Revert the certificate:

    [<ADMIN> ~]$ sudo tos certificate renew --type=<"server"> [--help] [--debug]

    where:

    • <"server"> is the reverted self-signed certificate to use for the TOS web server.

  3. Restart TOS:

    [<ADMIN> ~]$ sudo tos run