How to replace the self-signed SSL certificate

By default, the connection to the Runecast Analyzer web interface is secured using a self-signed SSL certificate. We recommend replacing it with a CA-signed certificate. After you obtain the certificate in the PEM format, you can replace the default one by following the steps below:

Info: Runecast Analyzer supports X.509 certificates in the PEM format to encrypt session information sent over an SSL connection.

  1. If SSH access is not enabled, please see the section How to enable SSH access.
  2. Initiate an SSH session to Runecast Analyzer.
  3. Log in as the rcadmin user.
  4. In the directory /etc/runecast/cert, rename the existing certificates:
sudo mv rc2.crt orig.rc2.crt
sudo mv rc2.key orig.rc2.key
  5. Copy the new certificate and key to /etc/runecast/cert.
  • From the appliance, initiate the file transfer:
sudo scp <username>@<remoteHost>:/location/<your file>.crt /etc/runecast/cert/<your file>.crt
sudo scp <username>@<remoteHost>:/location/<your file>.key /etc/runecast/cert/<your file>.key
  • As an alternative, you can copy the certificate files to Runecast Analyzer using an SCP client. In this case, you will not be able to upload them directly to the /etc/runecast/cert/ directory. Place them in the /tmp directory first, then move them with elevated privileges:
sudo mv /tmp/<your file>.crt /etc/runecast/cert/<your file>.crt
sudo mv /tmp/<your file>.key /etc/runecast/cert/<your file>.key
  6. In the directory /etc/runecast/cert, rename the new certificate and key to rc2.crt and rc2.key:
sudo mv <your file>.crt rc2.crt
sudo mv <your file>.key rc2.key
  7. Copying the certificate files to Runecast Analyzer may not assign the proper permissions. Review them with the following command:
ls -la /etc/runecast/cert/
  8. If the ownership of your new certificate files is not root:rctomcat, run the commands below:
sudo chown root:rctomcat rc2.crt
sudo chown root:rctomcat rc2.key
sudo chmod 640 rc2.crt
sudo chmod 640 rc2.key
  9. If your key is password-protected, add the password to the /etc/runecast/nginx/ssl_passwords.txt file using the following command. The command overwrites the file's existing contents, and the password is recorded in the shell history unless history is disabled for the session:
echo "<password>" | sudo tee /etc/runecast/nginx/ssl_passwords.txt
  10. Restart the nginx service:
sudo systemctl restart nginx

Tip: If the certificate is still untrusted in the browser after performing the steps, make sure:

  • The certificate contains the SAN field.
  • The certificate .crt file includes all the intermediate certificate authorities' certificates. The file should start with the appliance certificate.

Note: If the nginx daemon fails to start after you change the certificate and restart nginx, review the file permissions (step 8). If the certificate is password-protected, make sure you set the password (step 9).
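The checks from the steps, the Tip and the Note above can be run before the nginx restart. The script below is an added example, not part of the original article or of Runecast Analyzer: the function names and the --check argument are hypothetical, the paths, owner and mode are the ones given on this page, and it assumes GNU stat and the openssl command are available on the appliance.

```bash
#!/usr/bin/env bash
# Added example: pre-restart checks for rc2.crt / rc2.key.
# Function names are hypothetical; paths, owner and mode come from this page.
CERT_DIR=/etc/runecast/cert
PASS_FILE=/etc/runecast/nginx/ssl_passwords.txt

# True when the certificate's public key is the one derived from the private key.
# $3 is an optional passphrase file; without it an encrypted key fails
# instead of prompting on the terminal.
keys_match() {
    _pass="pass:"
    [ -n "${3:-}" ] && _pass="file:$3"
    _cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    _key_pub=$(openssl pkey -in "$2" -passin "$_pass" -pubout 2>/dev/null) || return 2
    [ "$_cert_pub" = "$_key_pub" ]
}

# True when the first certificate in the file carries a subjectAltName extension.
has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'X509v3 Subject Alternative Name'
}

# True when the file has the expected owner:group and octal mode (GNU stat).
perms_ok() {
    [ "$(stat -c '%U:%G %a' "$1" 2>/dev/null)" = "$2 $3" ]
}

# Run every check against the appliance paths; returns the number of failures.
run_checks() {
    crt="$CERT_DIR/rc2.crt"; key="$CERT_DIR/rc2.key"; pass=""; fail=0
    [ -s "$PASS_FILE" ] && pass="$PASS_FILE"
    for f in "$crt" "$key"; do
        perms_ok "$f" root:rctomcat 640 || { echo "FAIL perms: $f"; fail=$((fail + 1)); }
    done
    has_san "$crt" || { echo "FAIL: no SAN in $crt"; fail=$((fail + 1)); }
    keys_match "$crt" "$key" "$pass" ||
        { echo "FAIL: key does not match certificate, or wrong password"; fail=$((fail + 1)); }
    # A count of 1 means no intermediate CA certificates are in the file.
    echo "certificates in rc2.crt: $(grep -c 'BEGIN CERTIFICATE' "$crt")"
    return "$fail"
}

# Nothing runs unless asked to, for example: sudo bash check.sh --check
if [ "${1:-}" = "--check" ]; then run_checks; fi
```

Run it with sudo so that it can read the key and the password file; a non-zero exit status is the number of failed checks.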
