This article is intended as a guide for applying certificates generated outside of the usual CaféX process, e.g. a CSR generated by FAS. In this example we will import an existing wild card security certificate (such as *.cafex.com) into a FAS server in the CaféX DNS domain.
WARNING - This procedure has the potential to be destructive, while we will take a backup of the system below we also recommend a server state backup is made before attempting.
It is assumed you have:
- A directory on the server (mkdir /opt/certs/) with the 3 files listed below.
- Wildcard certificate for *.yourdomain.com, e.g wildcard-server.crt. It is advised that this cert includes the bundle cert also. See https://support.cafex.com/hc/en-us/articles/202893421 for more details.
- The Webserver private key, e.g websvr.key.
- importKeyPair.sh script attached to this article.
Please ensure that the certificate and key files are in Unix format. If they are in Dos format (denoted by [DOS] at the bottom of the screen if you open the file in 'vi editor'), then it would give errors when you try to import it.
You can convert a file from DOS format to Unix format by using the 'dos2unix' command.
If the 'dos2unix' command is not available, you can do the following:
- Open the file in 'vi editor'
- In Escape mode, set the following :set fileformat=unix
- Save and close the file
Once you have these files in place on the server (use /opt/certs/) follow the below.
Step 1.Stop FAS and backup the existing install directory
Backup existing installation:
- Stop FAS service fas stop
- cp -Rp /opt/cafex/FAS-<version> /opt/cafex/FAS-<date>-<version>
- Start FAS: service fas start
Step 2. Remove the existing keypairs for https on the main-loadbalancer-group and the mgmt-server-group.
Navigate to the AS server admin console:
https://<your-server>:9990/console/ --> Profiles --> Management --> Trust Management --> ID Certificates --> main-loadbalancer-group --> https --> remove
Then repeat for the mgmt-server-group.
https://<your-server>:9990/console/ --> Profiles --> Management --> Trust Management --> ID Certificates --> mgmt-server-group --> https --> remove
NOTE - DO NOT RESTART FAS OR YOUR SERVER AT THIS POINT AS IT WILL HAVE NO HTTPS CERTIFICATES TO SERVE WEB PAGES.
Step 3. Create new https keypairs on the main-loadbalancer-group and the mgmt-server-group using the wildcard cert and webserver key.
NOTE ** REMEBER to use the actual name of your certificates & passwords, do not copy & paste commands from below:
- Copy the importKeyPair.sh script attached to /opt/certs & run the following commands
- Ensure your .crt and .key files are in the same folder as importKeyPair.sh, or that the path to these files is accurate.
- chmod +x /opt/certs/importKeyPair.sh
- Create the main-loadbalancer-group https:
- ./importKeyPair.sh -g main-loadbalancer-group -n https -p changeit -k websvr.key -c wildcard-server.crt -u administrator -a administrator (should return success response)
- Create the mgmt-server-group https:
- ./importKeyPair.sh -g mgmt-server-group -n https -p changeit -k websvr.key -c wildcard-server.crt -u administrator -a administrator (should return success response)
- now restart FAS: service fas restart
Procedure complete, if you received an error message instead of a success please follow the restore procedure below.
Note browsers needed to be restarted to pick up the new cert.
- Stop FAS: service fas stop
- Move old FAS directory: mv /opt/cafex/FAS-<version> /opt/cafex/FAS-failed-cert
- Rename backup: mv /opt/cafex/FAS-<date> /opt/cafex/FAS-<Version> (you can get version from cat /etc/fas.conf)
- Start FAS: service fas start.
Common Problems, Issues & Error Messages
- "Failed to import key pair: JBAS014746: public-cert-encoded may not be null"
- Please ensure that the .crt and .key files are located in the same folder as importKeyPair.sh or that the path to these files is accurate.
- "JBAS014803: Duplicate resource"
- This error is due to the .crt you are attempting to import already existing within the FAS certificate store, please remove the previous certificate before applying.
Comments are disabled on these articles if you require help contact firstname.lastname@example.org.