When you boot the Apstra server for the first time, a unique self-signed certificate is
automatically generated and stored on the Apstra server in /etc/aos/nginx.conf.d
(nginx.crt is the certificate, which carries the web server's public key, and
nginx.key is the private key). The certificate secures HTTPS connections to the
Apstra web UI and REST API only; it is not used for any internal device-to-server
connectivity. Because the HTTPS certificate and key are not included in a system
backup, you must back up the /etc/aos folder manually. We recommend replacing the
default self-signed certificate with one issued by a CA that your users' browsers
trust. Web server certificate management is the responsibility of the end user;
Juniper support is best effort only.
-
Back up the existing certificate and private key.
admin@aos-server:/$ sudo -s
[sudo] password for admin:
root@aos-server:/# cd /etc/aos/nginx.conf.d
root@aos-server:/etc/aos/nginx.conf.d# cp nginx.crt nginx.crt.old
root@aos-server:/etc/aos/nginx.conf.d# cp nginx.key nginx.key.old
-
Create a new 2048-bit RSA private key with the built-in openssl command. The key is written unencrypted because nginx must read it without a passphrase at startup, so keep the file's ownership and mode as restrictive as the original nginx.key.
root@aos-server:/etc/aos/nginx.conf.d# openssl genrsa -out nginx.key 2048
Generating RSA private key, 2048 bit long modulus
.............+++
......+++
e is 65537 (0x10001)
CAUTION:
Don't modify the nginx.crt or nginx.key filenames. They're referenced in nginx.conf,
and because subsequent service upgrades could replace these files, the filenames must
be predictable. Also, don't change the configuration in nginx.conf; this file may be
replaced during an Apstra server upgrade, and any changes you make would be discarded.
-
Create a certificate signing request. If you want a signed SSL certificate with a
Subject Alternative Name (SAN) for your Apstra server HTTPS service, you must
manually create an OpenSSL template; for details, see Juniper Support Knowledge Base
article KB37299. Current browsers match the hostname against the SAN list and ignore
the Common Name, so a certificate without a SAN still produces a browser warning even
when the CN is correct.
CAUTION:
If you create custom OpenSSL configuration files for advanced certificate requests,
don't leave them in the Nginx configuration folder. On startup, Nginx attempts to
load every *.conf file in that folder, and an OpenSSL configuration file there
causes a service failure. Keep such files outside /etc/aos/nginx.conf.d.
root@aos-server:/etc/aos/nginx.conf.d# openssl req -new -sha256 -key nginx.key -out nginx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Menlo Park
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Apstra, Inc
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:aos-server.apstra.com
Email Address []:support@apstra.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
-
Submit your Certificate Signing Request (nginx.csr) to your Certificate Authority.
The required steps are outside the scope of this document; CA instructions differ per
implementation. Any valid X.509 server certificate in PEM format will work. If the CA
returns intermediate certificates, nginx expects them appended to the server
certificate in the same PEM file (server certificate first). The example below
self-signs the certificate instead, which is suitable for a lab but will not be
trusted by browsers unless you import it into their trust store.
root@aos-server:/etc/aos/nginx.conf.d# openssl req -x509 -sha256 -days 3650 -key nginx.key -in nginx.csr -out nginx.crt
root@aos-server:/etc/aos/nginx.conf.d#
-
Verify that the private key, CSR, and certificate belong together: all three must report the same RSA modulus. The md5 here only shortens the modulus for visual comparison; it is not a security function.
root@aos-server:/etc/aos/nginx.conf.d# openssl rsa -noout -modulus -in nginx.key | openssl md5
(stdin)= 60ac4532a708c98d70fee0dbcaab1e75
root@aos-server:/etc/aos/nginx.conf.d# openssl req -noout -modulus -in nginx.csr | openssl md5
(stdin)= 60ac4532a708c98d70fee0dbcaab1e75
root@aos-server:/etc/aos/nginx.conf.d# openssl x509 -noout -modulus -in nginx.crt | openssl md5
(stdin)= 60ac4532a708c98d70fee0dbcaab1e75
-
To load the new certificate, restart the nginx container.
root@aos-server:/etc/aos/nginx.conf.d# docker restart aos_nginx_1
aos_nginx_1
root@aos-server:/etc/aos/nginx.conf.d#
-
Confirm in your web browser that the server now presents the new certificate and that
its common name (and SAN, if you included one) matches the hostname you connect to,
'aos-server.apstra.com' in this example. A self-signed certificate still shows a
browser warning until you import it into your trust store.
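The following script is added here as an example; it is not part of the Apstra documentation or of KB37299. It performs the key, CSR, self-signing and verification steps above in a scratch directory and adds the piece those steps defer to the KB article: a CSR and self-signed certificate that carry a Subject Alternative Name. The hostname aos-server.apstra.com, the IP address 192.0.2.10, the DN values and the file name san.cnf are placeholders. Copy the resulting nginx.key and nginx.crt into /etc/aos/nginx.conf.d yourself, restart the aos_nginx_1 container as in the last step, and keep san.cnf out of that folder.

```shell
#!/bin/sh
# Added example, not from the Apstra docs or KB37299. Generates an RSA key, a
# CSR with a Subject Alternative Name, a self-signed certificate carrying that
# SAN, and checks that key, CSR and certificate belong together.
# Assumptions: openssl (1.0.2 or later) on PATH; hostname, IP and DN values are
# placeholders; output goes to a scratch directory, not /etc/aos/nginx.conf.d.
set -u

# Write an OpenSSL request config with a SAN section. Keep this file OUT of
# /etc/aos/nginx.conf.d: nginx loads every *.conf there at startup and fails
# on an OpenSSL config file.
write_san_config() {
  cfg=$1; cn=$2; san=$3
  cat > "$cfg" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[ dn ]
C  = US
ST = California
L  = Menlo Park
O  = Apstra, Inc
CN = ${cn}

[ v3_req ]
subjectAltName = ${san}
EOF
}

# Generate a 2048-bit RSA key (unencrypted: nginx must read it at startup
# without a passphrase) and a CSR that requests the SAN extension.
# chmod 600 is an added precaution; match the owner/mode of the existing
# nginx.key so the nginx container can still read it.
make_key_and_csr() {
  dir=$1; cn=$2; san=$3
  write_san_config "$dir/san.cnf" "$cn" "$san"
  openssl genrsa -out "$dir/nginx.key" 2048 2>/dev/null
  chmod 600 "$dir/nginx.key"
  openssl req -new -sha256 -key "$dir/nginx.key" -config "$dir/san.cnf" \
    -out "$dir/nginx.csr"
}

# Self-sign the CSR. A self-signed certificate only gets the SAN if the
# extension is supplied at signing time, hence -extfile/-extensions here.
# With a real CA this step is replaced by the certificate the CA returns.
self_sign() {
  dir=$1; days=${2:-3650}
  openssl x509 -req -sha256 -days "$days" -in "$dir/nginx.csr" \
    -signkey "$dir/nginx.key" -extfile "$dir/san.cnf" -extensions v3_req \
    -out "$dir/nginx.crt" 2>/dev/null
}

# Check that key, CSR and certificate carry the same public key. Comparing the
# public key instead of the RSA modulus (as in the manual steps) also works
# for EC keys. The hash only shortens the comparison; it is not a control.
keys_match() {
  dir=$1
  k=$(openssl pkey -in "$dir/nginx.key" -pubout | openssl sha256)
  c=$(openssl req -in "$dir/nginx.csr" -noout -pubkey | openssl sha256)
  x=$(openssl x509 -in "$dir/nginx.crt" -noout -pubkey | openssl sha256)
  if [ "$k" = "$c" ] && [ "$k" = "$x" ]; then echo match; else echo MISMATCH; return 1; fi
}

# Print the certificate's CN and SAN list so they can be checked against the
# URL users type; browsers match the hostname against the SAN list only.
cert_cn() {
  openssl x509 -in "$1/nginx.crt" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}
cert_sans() {
  openssl x509 -in "$1/nginx.crt" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# Usage: ./mkcert.sh [outdir] [hostname] [san-list]
main() {
  out=${1:-$(mktemp -d)}
  host=${2:-aos-server.apstra.com}
  sans=${3:-"DNS:$host,IP:192.0.2.10"}
  make_key_and_csr "$out" "$host" "$sans"
  self_sign "$out" 3650
  echo "files in $out: $(ls "$out")"
  echo "key/CSR/cert: $(keys_match "$out")"
  echo "CN:  $(cert_cn "$out")"
  echo "SAN: $(cert_sans "$out")"
}
main "$@"
```

After copying the files and restarting the container, check what the server actually presents rather than trusting the files on disk: `openssl s_client -connect aos-server.apstra.com:443 -servername aos-server.apstra.com </dev/null | openssl x509 -noout -subject -dates` should show the same subject as the script printed, and the SAN list should contain the name in the URL.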