Generally the web UI is an easy and convenient way to generate a CSR and upload the resulting certificate for use by the web UI and API services. This can be found in the user manual under "HTTPS certificate".
If you wish to upload an alternative self-signed certificate, or otherwise reinstall a previously issued certificate, follow the steps below.
Note: Take care when handling unencrypted private key data. To maintain system security, your key must be stored securely (e.g. password protected, encrypted) and transmitted securely (e.g. over SSH or HTTPS).
- Log in to the CLI as root, or log in as an admin user and become root with:
sudo -i
- Run this command:
cert=$(base64 -w 0 /tmp/cert.pem)
- If you have a certificate chain, concatenate the files together in this order, then run the above command, referencing the combined certificate file. Make sure there are no spaces between certificates.
public certificate
intermediate certificate
root certificate
- Run this command. Make sure the key is not encrypted or password protected:
key=$(base64 -w 0 /tmp/key.pem)
- Apply them by running this command:
echo -e "set services.https.certificate =$cert\nset services.https.private_key =$key\npush" | /usr/unsupported/bin/ogconfig-cli
- If successful, you will see a message similar to:
root-1-services_https_certificate: Blob (7559 bytes)
root-1-services_https_private_key: Blob (1704 bytes)
OK
- Refresh the web UI and check the certificate
Optional: You can view the currently installed certificate and private key with:
ogcli get services/https
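The procedure above depends on three things that are easy to get wrong: the key must be unencrypted, the first certificate in the file must belong to that key, and a chain must run public, intermediate, root. The following pre-flight script is an added example, not part of the original article or the vendor's tooling; the function names are hypothetical and it assumes the openssl CLI, awk and mktemp are available where it is run.

```shell
#!/bin/sh
# Added example: pre-flight checks for the cert/key files used in the steps above.
# Function names are hypothetical; requires the openssl CLI.

# Succeeds only if the PEM key is not encrypted (legacy or PKCS#8 header).
key_is_unencrypted() {
    ! grep -q 'ENCRYPTED' "$1"
}

# Succeeds only if the first certificate in $1 carries the public half of key $2.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if each certificate's issuer is the subject of the next one,
# i.e. the file is ordered public -> intermediate -> root.
# Compares names only; it does not verify signatures.
chain_in_order() {
    tmp=$(mktemp -d) || return 1
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++}
                     n {print > (d "/" n ".pem")}' "$1"
    i=1; rc=0
    [ -f "$tmp/1.pem" ] || rc=1
    while [ -f "$tmp/$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer_hash 2>/dev/null)
        subject=$(openssl x509 -in "$tmp/$((i + 1)).pem" -noout -subject_hash 2>/dev/null)
        if [ -z "$issuer" ] || [ "$issuer" != "$subject" ]; then rc=1; break; fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}

# Usage: preflight /tmp/cert.pem /tmp/key.pem
preflight() {
    key_is_unencrypted "$2" || { echo "key is encrypted" >&2; return 1; }
    cert_matches_key "$1" "$2" || { echo "certificate does not match key" >&2; return 1; }
    chain_in_order "$1" || { echo "chain is out of order" >&2; return 1; }
    echo "ok"
}
```

Run `preflight /tmp/cert.pem /tmp/key.pem` before the base64 and apply steps; it prints `ok` only when all three checks pass.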
How to generate a self-signed certificate?
If the certificate commit fails ("Commit failed") and the web UI is inaccessible, run the command below to generate a self-signed certificate that is valid for 1 year.
/etc/scripts/initialboot/initialboot-post-config-overlay.71.mk_ssl_certs
If the above command did not restart the web UI, run the command below.
systemctl restart nginx
How to generate a custom self-signed certificate?
The steps above create a certificate with a generic Common Name, Organization and 1-year expiry. To customize any of these, follow the steps below.
Generate private key
openssl genrsa -out ~/ssl_key.pem 2048
Generate the certificate. Fill out the basic details, e.g. country code and state. The -days parameter sets the certificate expiry.
openssl req -new -x509 -key ~/ssl_key.pem -sha256 -out ~/ssl_cert.pem -days 3650 -config /etc/ssl/openssl.cnf
The following commands will upload the certificate and restart the web server. This method requires firmware 21.Q3.0 or newer.
cert=$(base64 -w0 ~/ssl_cert.pem)
key=$(base64 -w0 ~/ssl_key.pem)
echo -e "set services.https.certificate =$cert\nset services.https.private_key =$key\npush" | /usr/unsupported/bin/ogconfig-cli
If successful, you will see a message similar to:
root-1-services_https_certificate: Blob (7559 bytes)
root-1-services_https_private_key: Blob (1704 bytes)
OK
If the above command did not restart the web UI, run the command below.
systemctl restart nginx