HowTo Regenerate The TLS (SSL) Certificate For The NST WUI

From NST Wiki

Overview

This page demonstrates how to regenerate the self-signed TLS (deprecated predecessor: SSL) certificate for the NST WUI.

nstcert

Generating a TLS key and certificate files and then using them in an Apache® configuration file can be time-consuming. The "nstcert" script attempts to automate part of the process by generating template files for use with the Apache® httpd daemon. The script also generates a PEM (Privacy-enhanced Electronic Mail) file.

Generate a new TLS Certificate for the NST WUI

If one needs to generate a new self-signed TLS certificate for NST WUI usage, the following helper script may be used: "/usr/libexec/nstwui-ssl-gencerts". It uses the nstcert script described above in combination with the configuration file "/etc/nst/wui/nstcert.conf". Edit this file to suit your needs.

sudo /usr/libexec/nstwui-ssl-gencerts -r;

The "-r" option is necessary to remove the previous TLS certificate.

It is also a best practice to restart the NST WUI web service after generating new keys.

sudo systemctl restart nstwui.service;

Stricter Trusted Certificate Security Requirements

Note: One may need to generate a new TLS certificate for the NST WUI due to stricter trusted security requirements (e.g., Requirements for trusted certificates). In particular:
  • The validity period of the new certificate has been reduced to 730 days (2 years).
  • The Extended Key Usage (extendedKeyUsage) containing the serverAuth OID has been added as required to the extension area of the certificate.

Without these changes, newer versions of the Google Chrome browser running on Mac OS (macOS) Catalina may not allow you to connect to the NST web interface.
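
To confirm that a regenerated certificate meets the two requirements listed above, the following added example (not part of the NST scripts) checks the validity period and the serverAuth Extended Key Usage with openssl. The certificate path is passed as an argument because this page does not state where the NST WUI certificate is stored; the function names, the sample certificates and the "nst.example" name are constructed for illustration, and GNU date and OpenSSL 1.1.1 or later are assumed.

```shell
# Added example: check a certificate against the two requirements above.
MAX_DAYS=730   # validity limit stated on this page

# Validity period in whole days (notAfter minus notBefore); needs GNU date.
cert_validity_days() {
    local start end
    start=$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)
    end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    echo $(( ($(date -u -d "$end" +%s) - $(date -u -d "$start" +%s)) / 86400 ))
}

# Succeeds only if extendedKeyUsage lists serverAuth, which openssl prints
# as "TLS Web Server Authentication".
cert_has_server_auth() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Extended Key Usage' \
        | grep -q 'TLS Web Server Authentication'
}

# Report both requirements; return 1 if either fails, 2 if unreadable.
check_cert() {
    local days rc=0
    openssl x509 -in "$1" -noout 2>/dev/null || { echo "cannot parse $1"; return 2; }
    days=$(cert_validity_days "$1")
    if [ "$days" -le "$MAX_DAYS" ]; then echo "OK   validity: $days days"
    else echo "FAIL validity: $days days (limit $MAX_DAYS)"; rc=1; fi
    if cert_has_server_auth "$1"; then echo "OK   extendedKeyUsage: serverAuth"
    else echo "FAIL extendedKeyUsage: serverAuth missing"; rc=1; fi
    return $rc
}

# Constructed sample input: throwaway self-signed cert (days, out.pem, extra req options).
make_sample_cert() {
    local days=$1 out=$2
    shift 2
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$out.key" -out "$out" \
        -days "$days" -subj "/CN=nst.example" "$@" 2>/dev/null
}

# With a path argument, check that file; otherwise run on constructed samples.
if [ -n "${1:-}" ]; then
    check_cert "$1"
else
    tmp=$(mktemp -d)
    make_sample_cert 730 "$tmp/new.pem" -addext "extendedKeyUsage=serverAuth"
    make_sample_cert 3650 "$tmp/old.pem"
    check_cert "$tmp/new.pem" || true
    check_cert "$tmp/old.pem" || true
    rm -rf "$tmp"
fi
```

Run it with the path to the WUI certificate after regenerating; a non-zero exit status means at least one of the two requirements is not met.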