Install an SSL certificate

You need to install a secure sockets layer (SSL) certificate to securely encrypt traffic between client computers and the Nozomi Networks Operating System (N2OS) sensor over hypertext transfer protocol secure (HTTPS).

Make sure that:
  • You have both the certificate and the key file in privacy-enhanced mail (PEM) format
  • Your certificate is password-protected
  • The certificate chain is complete
Note: To build a complete chain, you can combine certificates with a command such as:
cat https_nozomi.crt bundle.crt > https_nozomi.chained.crt
Important: You should not use a self-signed certificate in a production environment.

During the initial boot, the sensor generates a self-signed certificate. However, Nozomi Networks recommends that you install a certificate obtained from a well-known, trusted certificate authority (CA). To add a private CA to the system's trust store, see Install a CA certificate.
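
The prerequisites above can be checked on the workstation before anything is uploaded. The script below is an added example, not part of the Nozomi Networks documentation or of N2OS; its function names and the preflight.sh file name are assumptions, and it relies only on openssl and grep:

```shell
#!/bin/sh
# Added example: local checks on the certificate and key before upload.
# Function names are this example's own; they are not N2OS commands.

# True if FILE holds a PEM block whose label ends in LABEL.
is_pem() { grep -q -e "-----BEGIN .*$2-----" "$1"; }

# True if the key is password-protected (PKCS#8 or traditional PEM encryption).
key_is_encrypted() { grep -q -e 'ENCRYPTED' "$1"; }

# Number of certificates in the file: 1 = leaf only, more = chained file.
chain_length() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1"; }

# True if the private key belongs to the first certificate in the file.
# openssl asks for the password if the key is still protected.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True if subject and issuer names hash the same, as in a self-signed
# certificate such as the one the sensor generates at first boot.
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject_hash) || return 1
    issr=$(openssl x509 -in "$1" -noout -issuer_hash) || return 1
    [ "$subj" = "$issr" ]
}

# Run every check; print one line per finding, return non-zero on a failure.
preflight() {  # usage: preflight CERT KEY
    rc=0
    is_pem "$1" 'CERTIFICATE' || { echo "FAIL: $1 is not a PEM certificate"; return 1; }
    is_pem "$2" 'PRIVATE KEY' || { echo "FAIL: $2 is not a PEM private key"; return 1; }
    key_is_encrypted "$2" && echo "NOTE: $2 is password-protected"
    key_matches_cert "$1" "$2" || { echo "FAIL: key does not match certificate"; rc=1; }
    is_self_signed "$1" && { echo "FAIL: certificate is self-signed"; rc=1; }
    count=$(chain_length "$1") || count=0
    [ "$count" -ge 2 ] || echo "WARN: $1 holds $count certificate(s); chain may be incomplete"
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null || { echo "FAIL: certificate has expired"; rc=1; }
    return "$rc"
}

# Example: sh preflight.sh https_nozomi.crt https_nozomi.key
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

The chain-length warning is a count only: a certificate issued directly by a root CA legitimately holds one entry, and the browser check at the end of the procedure remains the final confirmation.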

  1. Change the name of the certificate file to https_nozomi.crt.
  2. Change the name of the key file to https_nozomi.key.
  3. Upload the certificate and key files to the sensor.
    1. Open a terminal.
    2. Change directory into the /data/tmp folder.
    3. To upload, enter this command:
    scp https_nozomi.* admin@<sensor_ip>:/data/tmp
  4. Log into the console, either directly or through secure shell (SSH).
  5. To go to privileged mode, enter this command:
    enable-me
    You can now perform system changes.
  6. If your certificate key is password-protected, to remove the protection, enter these commands:
    cd /data/tmp
    openssl rsa -in https_nozomi.key -out https_nozomi_nopassword.key
    mv https_nozomi_nopassword.key https_nozomi.key
    Note: This will stop you being prompted for your password each time the server restarts.
  7. To enable the certificate, enter this command:
    n2os-addtlscert https_nozomi.crt https_nozomi.key
    Note: If you removed password protection from the certificate, change the second parameter of the command to:
    https_nozomi_nopassword.key
  8. To restart the web server and apply the change, enter this command:
    service nginx stop
  9. Verify that the secure sockets layer (SSL) certificate is correctly loaded.
    1. In your browser, enter: https://<host>, where <host> can be the internet protocol (IP) address or fully qualified domain name (FQDN) covered by the certificate.
    2. Make sure that the certificate is recognized as valid.
The SSL certificate is working correctly and will be applied on the next reboot.