Install an SSL certificate
You need to install a secure sockets layer (SSL) certificate to securely encrypt traffic between client computers and the Nozomi Networks Operating System (N2OS) sensor over hypertext transfer protocol secure (HTTPS).
- You have both the certificate and the key file in privacy-enhanced mail (PEM) format
- Your certificate is password-protected
- The certificate chain is complete
Note: You can use a command to combine certificates. Use a command such as:
cat https_nozomi.crt bundle.crt > https_nozomi.chained.crt
Important: You should not use a self-signed certificate in a production environment.
During the initial boot, the sensor generates a self-signed certificate. However, Nozomi Networks recommends that you install a certificate obtained from a well-known, trusted certificate authority (CA). To add a private CA to the system's trust store, see Install a CA certificate.
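The prerequisites above can be checked on your workstation before you upload anything. The script below is an added example, not Nozomi Networks code: the script name preflight.sh and the function names are hypothetical, and it assumes the OpenSSL command-line tool is installed locally.

```shell
#!/bin/sh
# Added example: local pre-flight checks before uploading the files.
# File names follow this page; the function names are hypothetical.

# The leaf (first) certificate must carry the same public key as the key file.
# With an encrypted key, openssl prompts for the password here.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True when the PEM key is password-protected (both the PKCS#8 and the
# legacy PEM headers contain the word ENCRYPTED).
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# True when the leaf certificate has not expired.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# In a chained file each certificate must be issued by the one that follows
# it (leaf first), which is the order "cat https_nozomi.crt bundle.crt" gives.
chain_in_order() {
    tmp=$(mktemp -d) || return 1
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (d "/" n ".pem") }' "$1"
    i=1; rc=0
    [ -f "$tmp/1.pem" ] || rc=1
    while [ -f "$tmp/$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -in "$tmp/$i.pem" -noout -issuer_hash 2>/dev/null)
        subject=$(openssl x509 -in "$tmp/$((i + 1)).pem" -noout -subject_hash 2>/dev/null)
        { [ -n "$issuer" ] && [ "$issuer" = "$subject" ]; } || rc=1
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}

# Usage: sh preflight.sh https_nozomi.chained.crt https_nozomi.key
if [ "$#" -eq 2 ]; then
    chain_in_order "$1"   || echo "FAIL: chain order or PEM format in $1"
    cert_not_expired "$1" || echo "FAIL: leaf certificate in $1 has expired"
    key_is_encrypted "$2" && echo "NOTE: $2 is password-protected"
    key_matches_cert "$1" "$2" || echo "FAIL: $2 does not match $1"
fi
```

The order check only confirms that each certificate is issued by the next one in the file; whether the chain ends at a CA your clients trust is still confirmed in the browser check at the end of the procedure.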
- Change the name of the certificate file to https_nozomi.crt.
- Change the name of the key file to https_nozomi.key.
- Upload the certificate and key files to the sensor.
- Open a terminal.
- Change directory into the /data/tmp folder.
- To upload, enter this command:
scp https_nozomi.* admin@<sensor_ip>:/data/tmp
- Log into the console, either directly or through secure shell (SSH).
- To go to privileged mode, enter this command:
enable-me
You can now perform system changes.
- If your certificate key is password-protected, to remove the protection, enter these commands:
cd /data/tmp
openssl rsa -in https_nozomi.key -out https_nozomi_nopassword.key
mv https_nozomi_nopassword.key https_nozomi.key
Note: This will stop you being prompted for your password each time the server restarts.
- To enable the certificate, enter this command:
n2os-addtlscert https_nozomi.crt https_nozomi.key
Note: If you removed password protection from the certificate, change the second parameter of the command to: https_nozomi_nopassword.key
- To restart the web server and apply the change, enter this command:
service nginx stop
- Verify that the secure sockets layer (SSL) certificate is correctly loaded.
- In your browser, enter: https://<host>, where <host> can be the internet protocol (IP) address or fully qualified domain name (FQDN) covered by the certificate.
- Make sure that the certificate is recognized as valid.