Generating the Certificates
Step 1: Generate a private key and a server certificate request with OpenSSL (this can be done on any machine).
openssl req -new -newkey rsa:2048 -nodes -keyout netbeez.key -out netbeez.csr
This command will require some information in the input. When prompted, make sure to input the correct server's FQDN. Here is an example of what the CSR information prompt will look like:
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:<Customer_State>
Locality Name (eg, city) []:<Customer_City>
Organization Name (eg, company) [Acme, Inc.]:<Customer_Company_Name>
Organizational Unit Name (eg, section) []:<Customer_Company_Division>
Common Name (e.g. server FQDN or YOUR name) []:<SERVER_FQDN>
Email Address []:
Step 2: Send the netbeez.csr file to your Certification Authority (CA), which will generate and return a netbeez.crt HTTPS certificate.
Ensure the following for the certificate:
Type is Certificate (w/ chain), PEM encoded
If the certificate is chained, ensure that your domain's certificate is at the beginning.
E.g. a chained certificate should have this order:
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: eg. your_domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: eg. DigiCertCA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: eg. TrustedRoot.crt)
-----END CERTIFICATE-----
You can combine them with a command like this one:
cat certificate.pem intermediate.pem root.pem > netbeez.crt
Please note that if you have a certificate chain that needs to be satisfied, it must be combined into one file in the correct order (e.g. root, all (if any) intermediate certificates, dashboard certificate) before being sent to NetBeez support.
Updating the Certificates on Your Server
There are two ways to update the certificates on your server:
Send Certificates to NetBeez Support
Once you have the netbeez.key and netbeez.crt files, open a ticket via email (support@netbeez.net) to have the certificates installed on your NetBeez server.
Update Certificates Yourself
If you have root access to your server and wish to update the certificate yourself, follow these additional steps.
1. Before making any changes to the existing files, it’s crucial that you keep backups of the existing certificate and key. Use the following commands:
cp /opt/netbeez/user_data/secrets/netbeez.crt /opt/netbeez/user_data/secrets/netbeez.crt.bak
cp /opt/netbeez/user_data/secrets/netbeez.key /opt/netbeez/user_data/secrets/netbeez.key.bak
2. Then place the .key and .crt files in the following locations:
/opt/netbeez/user_data/secrets/netbeez.crt
/opt/netbeez/user_data/secrets/netbeez.key
If your files are named differently, please rename them according to the paths provided.
3. Once the files are copied, restart the dashboard service:
nb-docker-compose up -d --force-recreate --no-deps nb-dashboard
You can verify that the change was successful by watching the nb-dashboard container’s health status using the watch docker ps command.
Other Notes:
If your key has a passphrase, the dashboard won’t be able to start. To remove the passphrase from the key file, use this command (it prompts for the current passphrase, so you must know it to remove it):
openssl rsa -in netbeez-key-with-passphrase.key -out netbeez.key
Finally, to verify that the certificate and the key match, execute the following commands. The outputs of these commands should match:
openssl pkey -in netbeez.key -pubout -outform pem | sha256sum
openssl x509 -in netbeez.crt -pubkey -noout -outform pem | sha256sum
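The checks above can be combined into one pre-install script. This is an added example, not NetBeez tooling; the function names, exit codes and the script name check_bundle.sh are assumptions. Because openssl x509 reads only the first certificate in a file, the key comparison also fails when your domain's certificate is not at the beginning of the bundle.

```shell
#!/usr/bin/env bash
# Added example (not NetBeez tooling): check a key and certificate bundle
# before copying them into place.
# Usage: ./check_bundle.sh netbeez.key netbeez.crt

# Succeeds if the key file is passphrase-protected (PKCS#8 or legacy PEM form).
key_is_encrypted() {
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# Number of certificates in a PEM bundle.
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# SHA-256 of the public key derived from the private key.
key_pub_hash() {
    local pub
    pub=$(openssl pkey -in "$1" -pubout -outform pem 2>/dev/null) || return 1
    printf '%s\n' "$pub" | sha256sum | cut -d' ' -f1
}

# SHA-256 of the public key in the FIRST certificate of the bundle
# (openssl x509 ignores every PEM block after the first one).
first_cert_pub_hash() {
    local pub
    pub=$(openssl x509 -in "$1" -pubkey -noout -outform pem 2>/dev/null) || return 1
    printf '%s\n' "$pub" | sha256sum | cut -d' ' -f1
}

# Exit codes (hypothetical): 0 ok, 2 key has a passphrase, 3 unreadable key,
# 4 unreadable certificate, 5 first certificate does not match the key.
check_bundle() {
    local key="$1" crt="$2" kh ch
    if key_is_encrypted "$key"; then
        echo "FAIL: key has a passphrase; the dashboard will not start" >&2
        return 2
    fi
    kh=$(key_pub_hash "$key") || { echo "FAIL: cannot read key $key" >&2; return 3; }
    ch=$(first_cert_pub_hash "$crt") || { echo "FAIL: cannot read certificate $crt" >&2; return 4; }
    if [ "$kh" != "$ch" ]; then
        echo "FAIL: first certificate does not match the key (wrong key, or chain not in leaf-first order)" >&2
        return 5
    fi
    echo "OK: $(cert_count "$crt") certificate(s) in bundle, first one matches the key"
}

if [ "$#" -eq 2 ]; then check_bundle "$1" "$2"; fi
```

Run it against the new files before backing up and replacing the ones in /opt/netbeez/user_data/secrets/; a non-zero exit code means the pair should not be installed.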