When you boot up the Apstra server for the first time, a unique self-signed
certificate is automatically generated and stored on the Apstra server at
/etc/aos/nginx.conf.d (nginx.crt is the public
key for the webserver and nginx.key is the private key.) The
certificate is used for encrypting the Apstra server and REST API, not for any
internal device-server connectivity. When you perform system backups you must
manually back up the etc/aos folder, since the HTTPS certificate is
not retained. We recommend replacing the default SSL certificate. Web server
certificate management is the responsibility of the end user. Juniper support is
best effort only.
-
Back up the existing OpenSSL keys.
admin@aos-server:/$ sudo -s
[sudo] password for admin:
root@aos-server:/# cd /etc/aos/nginx.conf.d
root@aos-server:/etc/aos/nginx.conf.d# cp nginx.crt nginx.crt.old
root@aos-server:/etc/aos/nginx.conf.d# cp nginx.key nginx.key.old
-
Create a new OpenSSL private key with the built-in openssl command.
root@aos-server:/etc/aos/nginx.conf.d# openssl genrsa -out nginx.key 2048
Generating RSA private key, 2048 bit long modulus
.............+++
......+++
e is 65537 (0x10001)
CAUTION:
Do not attempt to modify the default nginx.crt or
nginx.key filenames. These values are referenced
from nginx's configuration file. These files could be replaced as part
of a subsequent service upgrade, so the filenames must be predictable.
Moreover, do not make configuration changes to
nginx.conf, as this file may be replaced during
Apstra server upgrade.
-
Create a certificate signing request. If you want to create a signed SSL
certificate with a Subjective Alternative Name (SAN) for your Apstra server
HTTPS service, you must manually create an OpenSSL template. For details, see
Juniper Support Knowledge Base article KB37299.
CAUTION:
If you have created custom OpenSSL configuration files for advanced
certificate requests, do not leave them in the nginx configuration
folder, as nginx will attempt to load them (*.conf) on service startup,
causing a service failure.
root@aos-server:/etc/aos/nginx.conf.d# openssl req -new -sha256 -key nginx.key -out nginx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Menlo Park
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Apstra, Inc
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:aos-server.apstra.com
Email Address []:support@apstra.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
-
Submit your Certificate Signing Request (nginx.csr) to your Certificate
Authority. The required steps are outside the scope of this document - CA
instructions differ per implementation. Any valid SSL certificate will work. The
example below is of self-signing the certificate.
root@aos-server:/etc/aos/nginx.conf.d# openssl req -x509 -sha256 -days 3650 -key nginx.key -in nginx.csr -out nginx.crt
root@aos-server:/etc/aos/nginx.conf.d#
-
Verify that the SSL certificates match: private key, public key, and CSR.
root@aos-server:/etc/aos/nginx.conf.d# openssl rsa -noout -modulus -in nginx.key | openssl md5
(stdin)= 60ac4532a708c98d70fee0dbcaab1e75
root@aos-server:/etc/aos/nginx.conf.d# openssl req -noout -modulus -in nginx.csr | openssl md5
(stdin)= 60ac4532a708c98d70fee0dbcaab1e75
root@aos-server:/etc/aos/nginx.conf.d# openssl x509 -noout -modulus -in nginx.crt | openssl md5
(stdin)= 60ac4532a708c98d70fee0dbcaab1e75
-
To load the new certificate, restart the nginx container.
root@aos-server:/etc/aos/nginx.conf.d# docker restart aos_nginx_1
aos_nginx_1
root@aos-server:/etc/aos/nginx.conf.d
-
Confirm that the new certificate is in your web browser and that the new
certificate common name matches 'aos-server.apstra.com'.
