Regenerate TLS Keys and Certificates

When an EC2 (Amazon's Elastic Compute Cloud) instance is stopped and started again, a new hostname is assigned to the instance. New TLS certificates need to be generated to match the new hostnames.

EJBCA

The following describes how to generate new TLS certificates on the EJBCA Cloud instance. For more information, refer to the AWS TLS Certificate Generation Guide and Azure TLS Certificate Generation Guide.

  1. SSH to the EJBCA instance (SIGNSERVER_DEMO#001 EJBCA). For example:

     ssh -i ~/.ssh/primekey-sweden-ec2.pem ec2-user@ec2-13-48-137-48.eu-north-1.compute.amazonaws.com

  2. Run the following commands to generate new certificates:

     $ sudo su -
     # cd /opt/PrimeKey/support
     # ./new_tls_cert.sh -p

SignServer

The following describes how to generate new TLS certificates on the SignServer Cloud instance. For more information, refer to the AWS TLS Certificate Generation Guide.

To generate new TLS certificates:

  1. SSH to the SignServer instance (SIGNSERVER_DEMO#001 SignServer). For example:

     ssh -i ~/.ssh/primekey-sweden-ec2.pem ec2-user@ec2-13-48-31-155.eu-north-1.compute.amazonaws.com

  2. Run the following commands to get elevated privileges and change to the correct directory:

     $ sudo su -
     # cd /opt/PrimeKey/support

  3. Execute the script create_ra_tls_certs.sh with the DNS and IP information for SignServer (SIGNSERVER_DEMO#001 SignServer), specifying the external DNS name (-d), the internal DNS name (-d), the external IP (-i) and the internal IP (-i) as in the following example:

     # ./create_ra_tls_certs.sh -d ec2-54-226-80-2.compute-1.amazonaws.com -d ip-172-16-2-38.ec2.internal -i 54.226.80.2 -i 172.16.2.38


  4. Copy the generated PEM files from /home/ec2-user/pem/ to /etc/httpd/ssl on the SignServer instance (SIGNSERVER_DEMO#001 SignServer).
     Note that it is also possible to use a third-party program to copy the files from server to server.

     On your local machine, create a directory to hold the files:

     mkdir signserverpem

     From EJBCA:

     scp -i ~/.ssh/primekey-sweden-ec2.pem ec2-user@ec2-13-48-137-48.eu-north-1.compute.amazonaws.com:/home/ec2-user/pem/* signserverpem/.

     To SignServer:

     scp -i ~/.ssh/primekey-sweden-ec2.pem signserverpem/* ec2-user@ec2-13-48-31-155.eu-north-1.compute.amazonaws.com:.

  5. SSH to the SignServer instance:

     ssh -i ~/.ssh/primekey-sweden-ec2.pem ec2-user@ec2-13-48-31-155.eu-north-1.compute.amazonaws.com

     On SignServer, move the copied certificate and key files into place:

     cp *.pem /etc/httpd/ssl/.
     cp *.key /etc/httpd/ssl/.


  6. Restart the Apache service:

     $ sudo -i
     # systemctl restart httpd

Regenerate EJBCA SuperAdmin Keystore

The following describes how to generate a new superadmin keystore, which is useful if you lose the superadmin keystore or if it expires.

To generate a new superadmin keystore using the CLI:

  1. Renew the superadmin certificate. Setting the end entity status to 10 (NEW) and a clear-text password lets the batch command issue a fresh keystore for the superadmin end entity:

     # cd /opt/ejbca
     # bin/ejbca.sh ra setendentitystatus superadmin 10
     # bin/ejbca.sh ra setclearpwd superadmin password
     # bin/ejbca.sh batch

  2. Copy /opt/ejbca/p12/superadmin.p12 to your local machine and import it in your browser (using the password: password):

     # scp -i /route/to/your/pem-file.pem ec2-user@ec2-13-53-44-197.eu-north-1.compute.amazonaws.com:/opt/ejbca/p12/superadmin.p12 /directory/you/want-to/download

  3. Verify that you can access EJBCA Adminweb with the new superadmin certificate.
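Two checks an operator would want after the procedures above, written here as an added example (it is not part of the EJBCA or SignServer Cloud documentation and not one of the PrimeKey support scripts): first, that a regenerated TLS certificate such as the ones placed in /etc/httpd/ssl actually carries the instance's current DNS names and IP addresses in its subjectAltName and has not expired; second, that a renewed superadmin.p12 opens with its password and its certificate is still valid before you import it into a browser. Only the openssl CLI is needed. The certificate, key and keystore the script builds are constructed, self-signed samples (reusing the hostnames and addresses from the SignServer example above, which are assumed here) so that it runs offline; on a real instance you would point cert_covers and p12_valid_for at the real files instead.

```shell
#!/bin/sh
# Added example, not part of the EJBCA/SignServer Cloud docs or support scripts.
# Verifies (1) that a PEM TLS certificate's subjectAltName covers the expected
# hostnames/IPs and is unexpired, and (2) that a PKCS#12 keystore opens with its
# password and holds an unexpired certificate. Requires only the openssl CLI.

# List the subjectAltName entries of a PEM certificate, one per line,
# in openssl's own spelling (e.g. "DNS:host.example", "IP Address:10.0.0.1").
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//'
}

# Succeed only if every name given after the file is present in the SAN list.
# Usage: cert_covers cert.pem "DNS:<hostname>" "IP Address:<ip>" ...
cert_covers() {
    cert="$1"; shift
    sans=$(cert_sans "$cert")
    for want in "$@"; do
        echo "$sans" | grep -qx -- "$want" || { echo "missing SAN: $want" >&2; return 1; }
    done
}

# Succeed only if the PEM certificate is still valid for at least $2 more seconds.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Print the client certificate inside a PKCS#12 keystore ($1, password $2) as PEM.
# Fails on a wrong password, which is what we want to catch before a browser import.
p12_cert() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null
}

# Succeed only if the keystore opens and its certificate is valid for $3 more seconds.
p12_valid_for() {
    pem=$(p12_cert "$1" "$2") || return 1
    printf '%s\n' "$pem" | openssl x509 -noout -checkend "$3" >/dev/null
}

# Build constructed samples in directory $1: a 30-day self-signed certificate and key
# with the (assumed) SignServer names from the procedure above, plus a keystore
# named like the EJBCA one, protected with the password "password".
make_samples() {
    dir="$1"
    cat > "$dir/san.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_req
[dn]
CN = ec2-54-226-80-2.compute-1.amazonaws.com
[v3_req]
subjectAltName = DNS:ec2-54-226-80-2.compute-1.amazonaws.com,DNS:ip-172-16-2-38.ec2.internal,IP:54.226.80.2,IP:172.16.2.38
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$dir/san.cnf" -keyout "$dir/sample.key" -out "$dir/sample.pem" >/dev/null 2>&1 \
    && openssl pkcs12 -export -in "$dir/sample.pem" -inkey "$dir/sample.key" \
        -out "$dir/superadmin.p12" -passout pass:password >/dev/null 2>&1
}

# Demo when run directly: build the samples in a temporary directory and run both checks.
demo() {
    tmp=$(mktemp -d) || return 1
    make_samples "$tmp" || { echo "sample generation failed (is openssl installed?)" >&2; rm -rf "$tmp"; return 1; }
    cert_covers "$tmp/sample.pem" "DNS:ec2-54-226-80-2.compute-1.amazonaws.com" "IP Address:54.226.80.2" \
        && echo "TLS certificate covers the expected names"
    cert_valid_for "$tmp/sample.pem" 86400 && echo "TLS certificate is valid for at least another day"
    p12_valid_for "$tmp/superadmin.p12" password 86400 && echo "superadmin.p12 opens and its certificate is valid"
    rm -rf "$tmp"
}
demo
```

To check the certificate Apache is actually serving rather than a file, feed the output of `openssl s_client -connect <host>:443 -servername <host> </dev/null | openssl x509` into the same functions; if the SAN list still shows the hostname the instance had before it was stopped, the regeneration or the copy into /etc/httpd/ssl did not take effect.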