Renew SSL Certificates for NorthStar Web UI
NorthStar generates SSL certificates during installation. You can renew these certificates or replace them with trusted certificates issued or approved by the information technology department in your organization. This topic describes how to replace the SSL certificates for web processes.
The SSL certificate files cert.pem and key.pem are located at /opt/northstar/web/certs/. Both these certificates are in X.509 format and you must restart the web process after you replace the files.
For internal server communications to happen seamlessly, the servers must have valid security certificates installed. However, these certificates do not affect the web processes, and need to be replaced or renewed only if your security team requires you to do so.
SSL certificates for individual servers are located in these locations:
- Health Monitor: /opt/northstar/healthMonitor/certs
- ES Proxy: /opt/northstar/esauthproxy/certs
- Web Health: /opt/northstar/web/routes/v1/health/certs
- SNMP Collection: /opt/northstar/snmp-collector/conf
To replace the SSL certificates for NorthStar web UI:
- Establish an SSH connection to the device on which NorthStar is installed.
- Navigate to /opt/northstar/web/.
    user@host:~$ cd /opt/northstar/web/
    user@host:~/web$ ls -l
    total 264
    -rwx------. 1 pcs pcs 166 Dec 4 2020 appGlobals.js*
    -rwx------. 1 pcs pcs 46457 Jun 3 11:56 app.js*
    drwx------. 2 pcs pcs 37 Dec 4 2020 certs/
    drwx------. 11 pcs pcs 153 Mar 15 20:07 client/
    ...
    drwx------. 7 pcs pcs 4096 May 7 11:21 test/
    drwx------. 6 pcs pcs 4096 May 7 11:22 thirdparty/
    drwx------. 2 pcs pcs 55 May 7 11:22 util/
    drwx------. 3 pcs pcs 17 Mar 15 20:08 webstart/
- Locate the folder named certs. The trusted SSL certificates are stored in this folder.
    user@host:~/web$ cd certs/
    user@host:~/web/certs$ ls -l
    total 8
    -rwx------. 1 pcs pcs 1294 Feb 17 07:14 cert.pem*
    -rwx------. 1 pcs pcs 1679 Feb 17 07:14 key.pem*
  cert.pem: Certificate file.
  key.pem: Key used to generate the certificate.
- Verify the expiration date of the current SSL certificates.
    user@host:~/web/certs$ openssl x509 -enddate -noout -in cert.pem
    notAfter=Apr 28 12:14:11 2023 GMT
- Run the following command to view the contents of the certificate file:
    user@host:~/web/certs$ openssl x509 -in cert.pem
- Copy the new certificate files and back up the existing certificate files. You can use the backed up certificate files to restore them later in case you face any issue.
    user@host:~/web/certs$ cp cert.pem cert.pem.bak
    user@host:~/web/certs$ cp key.pem key.pem.bak
    user@host:~/web/certs$ ls -l
    total 16
    -rwx------. 1 pcs pcs 1294 Feb 17 07:14 cert.pem*
    -rwx------. 1 pcs pcs 1294 Jul 9 11:55 cert.pem.bak*
    -rwx------. 1 pcs pcs 1679 Feb 17 07:14 key.pem*
    -rwx------. 1 pcs pcs 1679 Jul 9 11:55 key.pem.bak*
  Note: The names of the certificate files must be cert.pem and key.pem, respectively.
- (Optional) Verify the status of the servers and web processes.
    user@host:~/web/certs$ supervisorctl status
    bmp:bmpMonitor RUNNING pid 2492, uptime 42 days, 22:05:18
    collector:worker1 RUNNING pid 9737, uptime 42 days, 22:02:59
    collector:worker2 RUNNING pid 9739, uptime 42 days, 22:02:59
    collector:worker3 RUNNING pid 9738, uptime 42 days, 22:02:59
    collector:worker4 RUNNING pid 9740, uptime 42 days, 22:02:59
    ...
    web:app RUNNING pid 7769, uptime 29 days, 0:47:11
    web:gui RUNNING pid 6536, uptime 29 days, 1:01:44
    web:notification RUNNING pid 6530, uptime 29 days, 1:01:44
    web:planner RUNNING pid 6529, uptime 29 days, 1:01:44
    web:proxy RUNNING pid 6533, uptime 29 days, 1:01:44
    web:restconf RUNNING pid 6535, uptime 29 days, 1:01:44
    web:resthandler RUNNING pid 6532, uptime 29 days, 1:01:44
- Restart the web processes for the changes to take effect.
    user@host:~/web/certs$ supervisorctl restart web:*
    web:proxy: stopped
    web:planner: stopped
    web:notification: stopped
    web:resthandler: stopped
    web:gui: stopped
    web:app: stopped
    web:restconf: stopped
    web:planner: started
    web:notification: started
    web:app: started
    web:resthandler: started
    web:proxy: started
    web:restconf: started
    web:gui: started
    user@host:~/web/certs$
- Verify that the servers and web processes are running after the restart.
    user@host:~/web/certs$ supervisorctl status
    bmp:bmpMonitor RUNNING pid 2492, uptime 42 days, 22:06:10
    collector:worker1 RUNNING pid 9737, uptime 42 days, 22:03:51
    collector:worker2 RUNNING pid 9739, uptime 42 days, 22:03:51
    collector:worker3 RUNNING pid 9738, uptime 42 days, 22:03:51
    collector:worker4 RUNNING pid 9740, uptime 42 days, 22:03:51
    ...
    web:app RUNNING pid 14383, uptime 0:00:15
    web:gui RUNNING pid 14387, uptime 0:00:15
    web:notification RUNNING pid 14382, uptime 0:00:15
    web:planner RUNNING pid 14381, uptime 0:00:15
    web:proxy RUNNING pid 14385, uptime 0:00:15
    web:restconf RUNNING pid 14386, uptime 0:00:15
    web:resthandler RUNNING pid 14384, uptime 0:00:15
    user@host:~/web/certs$
The certificates have been successfully renewed and web services restarted. You can now verify the certificate information from your web browser.
NorthStar overwrites any user-defined certificates during an upgrade. You need to replace the certificates again after an upgrade.
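
Before a replacement pair is copied into /opt/northstar/web/certs/ and the web processes are restarted (including when the certificates are replaced again after an upgrade), it is worth confirming that the new key belongs to the new certificate, that the certificate is not about to expire, and that the key file is owner-only. The shell functions below are an added example, not part of the NorthStar documentation or software. Assumptions: the function names, the 30-day default, and the northstar.example.test subject are made up for this example, and the openssl CLI and GNU stat are available.

```bash
# Pre-flight check for a replacement cert.pem/key.pem pair (added example).
# Returns 0 only if the pair is safe to install; prints the reason otherwise.
preflight_cert_pair() {
    local cert="$1" key="$2" min_days="${3:-30}" cert_pub key_pub mode
    # 1. The certificate must parse as PEM-encoded X.509.
    openssl x509 -in "$cert" -noout 2>/dev/null \
        || { echo "FAIL: $cert is not a PEM X.509 certificate"; return 1; }
    # 2. It must remain valid for at least min_days, which catches an expired
    #    or nearly expired replacement before the restart.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null \
        || { echo "FAIL: $cert expires within $min_days days"; return 2; }
    # 3. The private key must belong to the certificate: compare public keys.
    #    "-passin pass:" makes a passphrase-protected key fail here instead of
    #    prompting on the terminal.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) \
        || { echo "FAIL: $key is not a readable private key"; return 3; }
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL: $key does not match $cert"; return 4; }
    # 4. The key must not be accessible to group or others; the directory
    #    listing in the procedure shows -rwx------ for both files.
    mode=$(stat -c '%a' "$key")
    case "$mode" in
        *00) ;;
        *) echo "FAIL: $key mode $mode is group/world accessible"; return 5 ;;
    esac
    echo "OK: $cert and $key match and are valid for at least $min_days days"
}

# Constructed sample input: a throwaway self-signed pair written to directory
# $1, valid for $2 days (default 365). Not a real NorthStar certificate.
make_constructed_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "${2:-365}" \
        -subj "/CN=northstar.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    chmod 600 "$1/key.pem"
}
```

Run preflight_cert_pair against the new files in a staging directory first, and copy them over cert.pem and key.pem only when it prints OK.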