Administration Guides

TLS Certificate Procedures for Eyeglass


Create a certificate in Eyeglass Appliance

  1. First create a configuration file inside /tmp directory. You can named it "iglscert.cnf" in Eyeglass Appliance. Below is an example: NOTE: the FQDN of the appliance should be used for the CN = property in the cnf file.  NOTE: The alt DNS section should be setup to match the FQDN of the appliance and use * to wildcard the host name.

    [ req ]
    default_bits = 2048
    prompt = no
    encrypt_key = no
    default_md = sha256
    distinguished_name = dn
    req_extensions = v3_req

    [ dn ]
    CN = iglscert.superna.local
    OU = Support Team
    L = Ottawa
    ST = Ontario
    C = CA

    [ v3_req ]
    subjectAltName = @alt_names

    [ alt_names ]
    DNS = superna.local
    DNS = *.superna.local

  2. Now, create a CSR (Certificate Signing Request) file and a server key file in /tmp directory using the following command in Eyeglass Appliance: NOTE: The path to the private .key file will be needed when installing the signed certificate in the next section.
    openssl req -new -config /tmp/iglscert.cnf -keyout /tmp/iglscert.key -out /tmp/iglscert.csr

  3. Use the following command to verify the certificate information:
    openssl req -text -noout -verify -in /tmp/iglscert.csr

  4. Take the verified CSR file to your Windows Server CA or other CA and get it signed [ Signed certificate must be in Base-64-encoded X.509 format]. Once you have the file signed, copy it back to Eyeglass Appliance using any secure FTP client such as WinSCP and install using the steps below.

Install the signed certificate in Eyeglass appliance

  1. Get your certificate
  2. locate the private key and certificate, the file should have a private X509 key and certificate signed by a trusted certificate authority. as it must be X509 Certificate.

         Example:   iglscert.key and iglscert.cer  for certificate exported from Microsoft CA.

  1. Login to eyeglass as root (or sudo to root), then upload the certificate file to eyeglass you may use winscp tool.

  2. Strip the key file and convert it to PEM format by executing below command (note the .key is the private key created from the create CSR request completed in the steps above and used /tmp/iglscert.key path when creating the CSR request and private key)
    openssl rsa -in /tmp/iglscert.key -out /tmp/iglscert.pem
  3. Now replace the certificate with existing Eyeglass cert
    scacli replace-certificate --privateKey=/tmp/iglscert.pem --certificate=/tmp/iglscert.cer
  4. Browse the Eyeglass certificate directory
    cd /opt/superna/sca/.secure

  5. Move the existing .pem file
    mv ssl.pem ssl.pem.orig

  6.  Concatenate the new key file information into a single private key + certificate needed for lighttpd web server.
    cat ssl.pem.orig ssl > ssl.pem

  7. change file ownership 
    • chown sca.users /opt/superna/sca/.secure/* 
  8. Restart Lighttpd and sca service
    systemctl restart lighttpd sca
  9. Now, login to Eyeglass Web UI and use the FQDN to access. NOTE: the FQDN used to access Eyeglass should be the CN= property used when createing the CSR request)
  10. You should see view the certificate properties in the browser address bar to verify the cert properties look correct from the CSR request details.



How to replace self signed certificate on Eyeglass Appliance


The following procedure can be used to generate a new self signed certificate and apply it on the Eyeglass appliance.



Configuration Steps:

Note: There will be an Eyeglass service interruption when performing this procedure.

  1. SSH to the Eyeglass as admin
  2. Default password is 3y3gl4ss
  3. sudo su  (to root)
  4. Default password is 3y3gl4ss
  5. systemctl stop sca
  6. systemctl stop lighttpd
  7. mv /opt/superna/sca/.secure/ssl.pem /tmp/ssl.pem.old
  8. /opt/superna/bin/ /opt/superna/sca/.secure/ssl
  9. chown sca.users /opt/superna/sca/.secure/*
  10. systemctl start sca
  11. systemctl start lighttpd
  12. Done.



Copyright Superna LLC