Domain certificate update - server.pem

Overview

This article describes how to replace the server.pem certificate used by the haproxy service (and, optionally, by the freeradius and websecadmin services that can share the same certificate).

Step 1 - Generate a signed certificate from client internal CA

Generate a signed certificate and save it as a PKCS12 file, according to the client's internal procedures.

The PKCS12 file must contain the private key, the server certificate and the complete certificate chain (intermediate and root CA certificates).

Step 2 - Extract the server.pem from certificate

Copy the PKCS12 file to all Webapp servers and run the following command to extract server.pem from it. The result is written to conversion_result/server.pem in the current directory.

CODE
bash /etc/veridiumid/scripts/convert_haproxy_cert.sh PKCS_FILE

## If this command fails, the PKCS12 file was most likely created with legacy (insecure) PBE ciphers,
## which OpenSSL 3 no longer enables by default (check with: openssl version). In that case build
## server.pem manually with the -legacy option (the option exists only in OpenSSL 3).
## Note: -passin pass:... exposes the password in the process list; on a shared host prefer
## -passin env:VARIABLE or omit -passin and type the password at the prompt.
## -nodes writes the private key unencrypted, so no separate "openssl rsa" step is needed.
openssl pkcs12 -in keystore_vid.p12 -legacy -nodes -nocerts -out privateKey.pem -passin pass:[KEYSTORE_PASSWORD]
openssl pkcs12 -in keystore_vid.p12 -legacy -nokeys -out publicCertFull.pem -passin pass:[KEYSTORE_PASSWORD]
cat privateKey.pem > server.pem
cat publicCertFull.pem >> server.pem
chmod 600 server.pem
## The manual procedure writes ./server.pem instead of conversion_result/server.pem; use that path in Step 4.

Step 3 - Update Truststore, using the VeridiumID Admin Dashboard

  1. Access VeridiumID Admin Console → Settings → Certificates → Truststores.

  2. Select Add Truststore and use the Certificate Content method to upload the certificate chain (the root and intermediate CA certificates) of the new server certificate, i.e. the same chain that was packaged in the PKCS12 file in Step 1.

Step 4 - Copy server.pem to different services

This step needs to be performed on all Webapp nodes.

CODE
## mandatory: haproxy
cp conversion_result/server.pem /etc/veridiumid/haproxy/server.pem
chown ver_haproxy:veridiumid /etc/veridiumid/haproxy/server.pem
## the file contains the private key, so it must not be world-readable
chmod 640 /etc/veridiumid/haproxy/server.pem
service ver_haproxy restart

## optional: freeradius, only if the TCP/TLS protocol is used; if RADIUS runs over UDP this part can be skipped
cp conversion_result/server.pem /opt/veridiumid/freeradius/etc/raddb/certs/server.pem
cp conversion_result/server.pem /opt/veridiumid/freeradius/etc/raddb/certs/client.pem
chown ver_freeradius:veridiumid /opt/veridiumid/freeradius/etc/raddb/certs/server.pem
chown ver_freeradius:veridiumid /opt/veridiumid/freeradius/etc/raddb/certs/client.pem

service ver_freeradius restart

## optional: websecadmin, only if port 9443 is used to access websecadmin from external services
## keep a copy of the current keystore so the change can be rolled back
cp /opt/veridiumid/websecadmin/certs/ca_root.pkcs12 /opt/veridiumid/websecadmin/certs/ca_root.pkcs12.old
## the keystore password is stored in websecadmin.properties; re-use it for the new keystore
## (adjust the cut if the value is quoted in your properties file)
export KS_PASS=$(grep '^server.ssl.key-store-password' /opt/veridiumid/websecadmin/conf/websecadmin.properties | cut -d= -f2-)
## server.pem holds both the private key and the certificate chain, so it is passed as -in and -inkey
openssl pkcs12 -export -in conversion_result/server.pem -inkey conversion_result/server.pem -name 'tomcat' -passout env:KS_PASS -out /opt/veridiumid/websecadmin/certs/keystore.p12
cp /opt/veridiumid/websecadmin/certs/keystore.p12 /opt/veridiumid/websecadmin/certs/ca_root.pkcs12
unset KS_PASS

service ver_websecadmin restart
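As an added example that is not part of the original article and is not VeridiumID's convert_haproxy_cert.sh, the script below covers what Steps 2 and 4 depend on: it builds server.pem from the PKCS12 file (retrying with -legacy when OpenSSL 3 rejects the bundle's old ciphers) and then checks the result before it is copied under /etc/veridiumid/haproxy and haproxy is restarted, because a server.pem whose key does not match its first certificate, or whose chain is incomplete, takes haproxy down on restart. The checks are: the private key matches the first (leaf) certificate, the leaf verifies against the CA certificates bundled after it, and the leaf is not about to expire. The function names, passing the password through an environment variable, the 24-hour expiry threshold and the make_test_bundle helper (which generates a throwaway root CA and leaf as constructed test input, not a customer CA) are all assumptions of this example; it only needs openssl on PATH.

```shell
#!/bin/sh
# Added example: build and sanity-check a haproxy server.pem from a PKCS#12
# bundle. Not VeridiumID's convert_haproxy_cert.sh; assumes openssl on PATH.
set -eu

# Extract the private key and certificates from PKCS#12 file $1 (password $2)
# into $3. If the default provider cannot open the bundle (OpenSSL 3 refusing
# the legacy RC2/3DES PBE ciphers that older tools use), retry with -legacy.
build_server_pem() {
    local p12="$1" pass="$2" out="${3:-server.pem}" legacy="" key certs
    # The password is handed over via the environment (-passin env:), not on
    # the command line, so it does not show up in ps output or shell history.
    P12_PASS="$pass" openssl pkcs12 -in "$p12" -noout -passin env:P12_PASS >/dev/null 2>&1 \
        || legacy="-legacy"
    # -nodes writes the key unencrypted; "openssl pkey" re-emits only the PEM
    # block without the Bag Attributes lines and fails on a wrong password.
    key=$(P12_PASS="$pass" openssl pkcs12 -in "$p12" $legacy -nodes -nocerts -passin env:P12_PASS 2>/dev/null \
          | openssl pkey 2>/dev/null) \
        || { echo "cannot extract the private key from $p12" >&2; return 1; }
    # Keep only the certificate blocks, in bundle order: leaf first, then chain.
    certs=$(P12_PASS="$pass" openssl pkcs12 -in "$p12" $legacy -nokeys -passin env:P12_PASS 2>/dev/null \
          | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/')
    [ -n "$certs" ] || { echo "no certificates found in $p12" >&2; return 1; }
    # server.pem contains the private key: create it with mode 0600.
    ( umask 077 && printf '%s\n%s\n' "$key" "$certs" > "$out" )
}

# Check a combined PEM the way haproxy will use it: the key must belong to the
# first certificate, the first certificate must chain to the ones after it,
# and it must not expire within 24 hours (assumed threshold).
verify_server_pem() {
    local pem="$1" tmp
    tmp=$(mktemp -d)
    awk '/-----BEGIN CERTIFICATE-----/{n++} n==1' "$pem" > "$tmp/leaf.pem"
    awk '/-----BEGIN CERTIFICATE-----/{n++} n>=2' "$pem" > "$tmp/chain.pem"
    # Compare the SubjectPublicKeyInfo derived from the key with the leaf's.
    if [ "$(openssl pkey -in "$pem" -pubout 2>/dev/null)" != "$(openssl x509 -in "$tmp/leaf.pem" -pubkey -noout 2>/dev/null)" ]; then
        echo "private key does not match the first certificate" >&2; rm -rf "$tmp"; return 1
    fi
    if [ -s "$tmp/chain.pem" ]; then
        openssl verify -partial_chain -CAfile "$tmp/chain.pem" "$tmp/leaf.pem" >/dev/null 2>&1 \
            || { echo "leaf does not verify against the bundled chain" >&2; rm -rf "$tmp"; return 1; }
    fi
    openssl x509 -in "$tmp/leaf.pem" -noout -checkend 86400 >/dev/null 2>&1 \
        || { echo "leaf certificate expires within 24h" >&2; rm -rf "$tmp"; return 1; }
    rm -rf "$tmp"
}

# Number of certificate blocks in a PEM file (leaf + chain).
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Constructed test input only: a throwaway root CA and a leaf signed by it,
# packed into $1/bundle.p12 with password $2. Not a real customer CA.
make_test_bundle() {
    local dir="$1" pass="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj /CN=TestRootCA -days 2 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
        -subj /CN=vid.example.test >/dev/null 2>&1
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/leaf.crt" -days 2 >/dev/null 2>&1
    P12_PASS="$pass" openssl pkcs12 -export -inkey "$dir/leaf.key" -in "$dir/leaf.crt" \
        -certfile "$dir/ca.crt" -passout env:P12_PASS -out "$dir/bundle.p12"
}

# Usage: sh build_server_pem.sh keystore_vid.p12 'PASSWORD' [server.pem]
if [ "$#" -ge 2 ]; then
    build_server_pem "$1" "$2" "${3:-server.pem}" \
        && verify_server_pem "${3:-server.pem}" \
        && echo "${3:-server.pem} OK: $(cert_count "${3:-server.pem}") certificate(s), key matches"
fi
```

Run it on each Webapp node against the PKCS12 file from Step 1 and only copy the resulting server.pem into /etc/veridiumid/haproxy (Step 4) when it reports OK; the certificate order check matters because haproxy expects the server certificate first and the chain after it.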

Step 5 (Optional) - Removing the previous domain certificate from Truststores

This step applies when a self-signed certificate is replaced by one with a different chain; the old self-signed entry is then no longer needed in the truststore.

  1. Navigate to VeridiumID Admin Console → Settings → Certificates → Truststores.

  2. Remove the entry for the self-signed certificate from the interface.

  3. Restart the websecadmin service from all the Webapp nodes (command: service ver_websecadmin restart)
