Difference between revisions of "HowTo Regenerate The TLS (SSL) Certificate For The NST WUI"

From NST Wiki
Jump to navigationJump to search
(Stricter Trusted Certificate Security Requirements)
(Stricter Trusted Certificate Security Requirements)
Line 14: Line 14:
  
 
= Stricter Trusted Certificate Security Requirements =
 
= Stricter Trusted Certificate Security Requirements =
<div class="centerBlock"><div class="noteMessage">'''Note:''' One may need to generate a new TLS certificate for the NST WUI do to stricter trusted security requirements (E.g., '''[https://support.apple.com/en-us/HT210176 Requirements for trusted certificates]''').</div></div>
+
<div class="centerBlock"><div class="noteMessage">'''Note:''' One may need to generate a new TLS certificate for the NST WUI do to stricter trusted security requirements (E.g., '''[https://support.apple.com/en-us/HT210176 Requirements for trusted certificates]'''). In particular:
 +
 
 +
<ul>
 +
<li>The validity period of the new certificate has been reduced to 730 days (2 years).</li>
 +
<li>The Extended Key Usage (extendedKeyUsage) containing the serverAuth OID has been added as required to the extension area of the certificate.</li>
 +
</ul>
 +
<p>Without these changes, newer versions of the Google Chrome browser running on Mac OS (macOS) Catalina may not allow you to connect to the NST web interface.</div></div>

Revision as of 07:30, 22 November 2019

Overview

This page demonstrates how to regenerate the TLS (Deprecated predecessor: SSL) self-signing certificate for the NST WUI.

nstcert

The process of generating an TLS key and certificate files and then making use of them in a Apache® configuration file can be a time consuming process. The "nstcert" script attempts to automate part of the process by generating template files for use within the Apache® httpd daemon. The script also generates a PEM (Privacy-enhanced Electronic Mail) file.

Generate a new TLS Certificate for the NST WUI

If one needs to generate a new self-signing TLS certificate for NST WUI usage, the following help script: "/usr/libexec/nstwui-ssl-gencerts" may be utilized. It uses the nstcert script described above in combination with the configuration file: "/etc/nst/wui/nstcert.conf". Edit this file to suit your needs.

sudo /usr/libexec/nstwui-ssl-gencerts -r

The "-r" option is necessary to remove the previous TLS certificate.

Stricter Trusted Certificate Security Requirements

Note: One may need to generate a new TLS certificate for the NST WUI do to stricter trusted security requirements (E.g., Requirements for trusted certificates). In particular:
  • The validity period of the new certificate has been reduced to 730 days (2 years).
  • The Extended Key Usage (extendedKeyUsage) containing the serverAuth OID has been added as required to the extension area of the certificate.

Without these changes, newer versions of the Google Chrome browser running on Mac OS (macOS) Catalina may not allow you to connect to the NST web interface.