HowTo Regenerate The TLS (SSL) Certificate For The NST WUI

From NST Wiki

Overview

This page demonstrates how to regenerate the self-signed TLS (SSL is its deprecated predecessor) certificate for the NST WUI.

nstcert

Generating a TLS key and certificate and then wiring them into an Apache® configuration file can be a time-consuming process. The "nstcert" script automates part of it by generating template files for use with the Apache® httpd daemon. The script also generates a PEM (Privacy-Enhanced Mail) file.

Generate a new TLS Certificate for the NST WUI

If one needs to generate a new self-signed TLS certificate for NST WUI usage, the following helper script may be used: "/usr/libexec/nstwui-ssl-gencerts". It uses the nstcert script described above in combination with the configuration file "/etc/nst/wui/nstcert.conf". Edit this file to suit your needs.

sudo /usr/libexec/nstwui-ssl-gencerts -r;

The "-r" option is necessary to remove the previous TLS certificate.

It is also a best practice to restart the NST WUI web service after generating new keys.

sudo systemctl restart nstwui.service;

Stricter Trusted Certificate Security Requirements

Note: One may need to generate a new TLS certificate for the NST WUI due to stricter trusted-certificate security requirements (e.g., Requirements for trusted certificates). In particular:
  • The validity period of the new certificate has been reduced to 730 days (2 years).
  • The Extended Key Usage (extendedKeyUsage) containing the serverAuth OID has been added as required to the extension area of the certificate.

Without these changes, newer versions of the Google Chrome browser running on Mac OS (macOS) Catalina may not allow you to connect to the NST web interface.

Use openssl To Show Certificate

Below is an example on how to examine the NST WUI Certificate using the "openssl" utility:

[root@shopper2 nst]# openssl x509 -in /etc/nst/httpd/conf/ssl.crt/server.crt -text -noout
Certificate:
   Data:
       Version: 3 (0x2)
       Serial Number:
           11:86:1a:67:23:37:23:e3:64:46:0b:75:93:82:b5:bc:6c:f5:b9:50
       Signature Algorithm: sha256WithRSAEncryption
       Issuer: C = US, ST = New York, L = Albany, O = Web User Interfaces, CN = shopper2.rwh.shop, OU = NST
       Validity
           Not Before: Nov 21 16:00:07 2019 GMT
           Not After : Nov 20 16:00:07 2021 GMT
       Subject: C = US, ST = New York, L = Albany, O = Web User Interfaces, CN = shopper2.rwh.shop, OU = NST
       Subject Public Key Info:
           Public Key Algorithm: rsaEncryption
               RSA Public-Key: (2048 bit)
               Modulus:
                   00:ba:ba:95:75:7c:73:29:2a:06:d1:82:9c:88:d9:
                   c3:b8:fd:62:4d:9e:d5:61:ce:3b:be:67:58:30:d9:
                   90:4b:08:08:ce:34:86:7e:8e:c4:e6:c8:34:38:6c:
                   b7:af:99:8b:87:61:9f:a0:13:21:4d:f8:d5:e4:6a:
                   69:13:a2:e1:b6:cc:8a:26:a4:93:3a:ec:16:28:d2:
                   fb:1e:65:79:90:9f:bd:b7:81:63:65:47:ff:5d:1c:
                   cf:64:51:f1:f8:00:bb:8b:0d:3e:94:b1:fe:fb:a4:
                   10:0a:a0:ec:0a:e5:22:2d:11:7a:ba:a6:2b:bd:b6:
                   46:6f:9c:b1:a9:0c:be:dc:7e:ec:5f:17:3d:1c:40:
                   9d:2e:8c:96:ce:4a:0d:8f:54:29:05:17:4e:ee:09:
                   45:0b:9f:ec:36:7a:1b:a6:2a:77:d1:e2:00:55:ad:
                   c7:59:97:4c:3f:3d:bc:27:51:8d:5a:2f:d3:4f:61:
                   93:2a:f1:cb:b1:fa:cc:b6:c0:93:50:d6:eb:85:c8:
                   b2:62:d8:0c:34:65:f5:f1:07:22:b0:8c:b2:93:66:
                   85:8c:74:38:4c:51:d4:ba:e5:da:17:2f:4e:12:91:
                   20:52:a6:d0:75:64:28:06:92:46:ec:89:ed:51:3b:
                   b8:f0:87:2e:6e:3f:dd:ef:e8:26:54:3c:58:f7:67:
                   28:0f
               Exponent: 65537 (0x10001)
       X509v3 extensions:
           X509v3 Subject Alternative Name: 
               DNS:shopper2.rwh.shop
           X509v3 Extended Key Usage: 
               TLS Web Server Authentication
   Signature Algorithm: sha256WithRSAEncryption
        69:48:9c:b7:ee:f7:cb:a0:16:a3:46:f2:bb:a0:c7:54:ef:ad:
        dd:df:6d:8d:c3:5f:82:4b:f5:dd:10:ad:b0:4c:10:45:f0:59:
        4f:ab:f7:a5:cb:40:27:e9:e8:8d:63:b3:b1:38:81:b1:66:92:
        8c:2d:67:66:fd:13:a4:96:96:c7:99:05:ce:7e:94:26:f3:85:
        73:2b:80:5f:e1:80:16:d8:c5:ec:46:e7:e0:9a:fe:82:6f:89:
        c9:94:11:4a:64:d4:05:b5:9e:52:59:d0:9c:97:49:1c:60:26:
        93:c6:35:6a:f1:d8:10:2a:f7:6b:c6:d9:57:96:7a:1c:31:b4:
        b7:2b:6d:e3:03:a6:35:cd:4b:f8:bf:6c:25:33:a4:76:f2:40:
        82:4c:70:a2:ff:0a:41:a5:a1:43:1e:90:27:ed:6d:e5:89:48:
        88:5c:c2:3a:84:db:0d:ab:5e:e7:40:49:26:17:9a:38:55:5f:
        62:fe:53:70:97:73:86:0c:cd:e6:b3:c7:25:65:0a:0a:ab:11:
        88:fd:5e:ef:a0:f7:fd:5b:32:70:94:50:f3:41:1c:bf:d2:48:
        7f:d8:49:fa:a7:bf:be:2c:78:1d:4d:8b:51:92:49:26:82:53:
        17:99:19:a0:08:51:93:ef:cc:ab:08:d3:1c:8f:52:4d:bf:b3:
        36:b6:0b:c9
[root@shopper2 nst]#
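A small checker that reads a certificate the same way as the openssl command above and tests it against the stricter requirements listed earlier (validity of at most 730 days, extendedKeyUsage containing serverAuth, and a Subject Alternative Name). This is an added example, not part of NST's nstcert or nstwui-ssl-gencerts scripts; it assumes the openssl CLI (1.1.1 or newer for -addext), GNU date, and uses the placeholder host name nst-example.invalid for the constructed sample certificates.

```shell
#!/bin/sh
# Added example (not part of NST's nstcert or nstwui-ssl-gencerts scripts):
# check a certificate against the stricter requirements described on this
# page: validity of at most 730 days, an extendedKeyUsage that includes
# serverAuth, and a Subject Alternative Name. Assumes the openssl CLI
# (1.1.1 or newer for -addext) and GNU date (for "date -d").
MAX_DAYS=730
# Prints one line per failed check; returns 0 only if every check passes.
check_nst_cert() {
    cert="$1"
    text=$(openssl x509 -in "$cert" -noout -text) || return 1
    rc=0

    # 1. Validity period: notAfter minus notBefore, in whole days.
    start=$(openssl x509 -in "$cert" -noout -startdate | cut -d= -f2)
    end=$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)
    days=$(( ( $(date -d "$end" +%s) - $(date -d "$start" +%s) ) / 86400 ))
    if [ "$days" -gt "$MAX_DAYS" ]; then
        echo "FAIL: validity is $days days (maximum $MAX_DAYS)"; rc=1
    fi

    # 2. Extended Key Usage must list serverAuth (shown by openssl as
    #    "TLS Web Server Authentication" on the line after the header).
    if ! printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' |
            grep -q 'TLS Web Server Authentication'; then
        echo "FAIL: extendedKeyUsage does not include serverAuth"; rc=1
    fi

    # 3. Browsers match the host name against the SAN, not the CN.
    if ! printf '%s\n' "$text" | grep -q 'X509v3 Subject Alternative Name'; then
        echo "FAIL: no Subject Alternative Name extension"; rc=1
    fi
    return "$rc"
}

# Constructed sample certificates for trying the checker: a self-signed
# certificate with the given validity and extendedKeyUsage value, always
# carrying a SAN for the placeholder host name nst-example.invalid.
make_sample_cert() {   # $1 = output prefix, $2 = days, $3 = EKU value
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" \
        -subj '/CN=nst-example.invalid' \
        -addext 'subjectAltName=DNS:nst-example.invalid' \
        -addext "extendedKeyUsage=$3" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Usage: sh check_nst_cert.sh /etc/nst/httpd/conf/ssl.crt/server.crt
if [ "$#" -gt 0 ]; then
    check_nst_cert "$1"
fi
```

Running it against the certificate shown above would pass all three checks, since that certificate is valid for 730 days and carries both the SAN and the serverAuth EKU.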