Importing and Reverting a Signed Certificate
Overview
This page explains how to import a CA-signed certificate into TOS, and how to revert such a certificate to self-signed if necessary. You may need these certificates to verify the security of the TOS web server.
Prerequisites
- The certificate needs to be obtained independently
- The certificate format must be RSA compatible
- The certificate needs to be a *.pem file. Other formats are not supported.
What Can I do Here?
Import the Certificate
Import your own certificates to authenticate and encrypt communications with your TOS server.
We recommend that you save a copy of the certificate in case you need to re-import it in the future. For example, if an attempt to update to a newer certificate fails, you may need to re-import the current certificate.
- If your organization uses an intermediate CA, first create the certificate bundle:
  - If the private key has a passphrase, remove it now.
    - Run:
    - When prompted, enter the passphrase for the original key.
      The output file [new.key] is now unencrypted.
  - Create a certificate bundle (bundle.crt) from a signed server certificate (certificate.cer) and an intermediate CA certificate (intermediate.cer) using the following command:
- Stop all TOS services - this may take time to complete. Users will not be able to access TOS until restarted.
- Import the certificate.
  [<ADMIN> ~]$ sudo tos certificate import --type=<"server"> --cert=<CERT-PATH> --key=<KEY-PATH>
  Example
  $ sudo tos certificate import --type="server" --cert=/tmp/certfile.pem --key=/tmp/keyfile.key
- Restart TOS.
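A pre-import check for the certificate and key, meant to be run before stopping TOS services in the procedure above. This is an added example, not part of the original page or of Tufin's tooling: the function name `tos_cert_preflight` and its return codes are assumptions, and it relies on the `openssl` CLI and on the server certificate being the first one in a bundle.

```shell
#!/bin/sh
# Added example, not Tufin code: pre-import checks for a certificate/key pair.
# The function name and return codes are illustrative assumptions.
#
# tos_cert_preflight CERT KEY  -> 0 if the pair looks importable, otherwise:
#   1 certificate is not PEM        2 key is still passphrase-protected
#   3 key is not a usable RSA key   4 certificate and key do not match
#   5 key file is readable by group or others
tos_cert_preflight() {
    local cert="$1" key="$2" cert_mod key_mod

    # Prerequisite: the certificate must be a PEM file.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null || return 1

    # The procedure removes the passphrase before import. Legacy PEM keys
    # carry a Proc-Type header; PKCS#8 keys use an ENCRYPTED PRIVATE KEY label.
    if grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$key" 2>/dev/null; then
        return 2
    fi

    # Prerequisite: RSA. "openssl rsa" rejects EC and other key types.
    # "-passin pass:" keeps openssl from prompting on an unexpected input.
    key_mod=$(openssl rsa -in "$key" -passin pass: -noout -modulus 2>/dev/null) || return 3

    # Compare RSA moduli. For a bundle, "openssl x509" reads only the first
    # certificate, so an intermediate placed first shows up as a mismatch.
    cert_mod=$(openssl x509 -in "$cert" -noout -modulus 2>/dev/null) || return 4
    [ "$cert_mod" = "$key_mod" ] || return 4

    # The key is unencrypted at this point, so only its owner should read it.
    [ -z "$(find -L "$key" \( -perm -040 -o -perm -004 \))" ] || return 5
    return 0
}

# Stand-alone use: sh preflight.sh /path/to/cert.pem /path/to/key.key
if [ "$#" -eq 2 ]; then
    tos_cert_preflight "$1" "$2"
    rc=$?
    echo "preflight result: $rc"
    exit "$rc"
fi
```

A result of 5 is worth acting on when the key sits in a shared location such as `/tmp`: tighten its mode before the import and remove the copy afterwards.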
Revert a Certificate to Self-Signed
If you need to revert a CA-signed certificate to self-signed, follow the steps below.
- Stop all TOS services - this may take time to complete. Users will not be able to access TOS until restarted.
- Revert the certificate.
  [<ADMIN> ~]$ sudo tos certificate renew --type=<"server"> [--help] [--debug]
  where
  --type="server": renew the self-signed server certificate used for the TOS Aurora web server
- Restart TOS.