Installing CA-signed Certificate

Overview

The following instructions assume that you have obtained certificate files in PEM format from a certificate authority.

  • atsd.company.com.crt: SSL certificate for the DNS name
  • atsd.company.com.ca-bundle: Intermediate and root CA SSL certificates
  • atsd.company.com.key: Private key file

To automate the SSL certificate renewal, consider deploying Let's Encrypt certificates.

Combine Chained Certificates

Combine the SSL certificates into one file to create a full certificate chain containing both the DNS and intermediate certificates.

cat atsd.company.com.crt atsd.company.com.ca-bundle > atsd.company.com.fullchain

Install Certificates in ATSD

The certificates can be either uploaded into ATSD or installed by deploying a keystore file on the local file system.

Upload Certificates to ATSD

If the certificate files are in PEM format, upload them to ATSD using curl.

Alternatively, create a PKCS12 keystore as described below.

Replace atsd.example.org with the DNS name or IP address of the ATSD server and update the API token value.

sudo curl https://atsd.example.org:8443/api/certificates/import/atsd \
  --insecure \
  --header "Authorization: Bearer ubFPnLvPJK3vOOlAjvQVtdkMkY1gfRscSi9k" \
  -F "privkey=@atsd.company.com.key" \
  -F "fullchain=@atsd.company.com.fullchain" \
  -w "\n%{http_code}\n"

The certificates are installed and activated without restarting the database.

Deploy Keystore File

Create PKCS12 Keystore

Log in to the ATSD server shell.

Create a PKCS12 keystore.

openssl pkcs12 -export -inkey atsd.company.com.key \
  -in atsd.company.com.fullchain -out atsd.company.com.pkcs12
Enter Export Password: NEW_PASS
Verifying - Enter Export Password: NEW_PASS

Remove Old Keystore File

Back up the current server.keystore file.

mv /opt/atsd/atsd/conf/server.keystore /opt/atsd/atsd/conf/server.keystore.backup

Create JKS Keystore

Use the keytool command to create a new JKS keystore by importing the PKCS12 keystore file.

keytool -importkeystore -srckeystore atsd.company.com.pkcs12 \
  -srcstoretype PKCS12 -alias 1 -destkeystore /opt/atsd/atsd/conf/server.keystore -destalias atsd
Enter destination keystore password: NEW_PASS
Re-enter new password: NEW_PASS
Enter source keystore password: NEW_PASS

Update Keystore Passwords

Open the /opt/atsd/atsd/conf/server.properties file.

nano /opt/atsd/atsd/conf/server.properties

Specify the new password (in plain or obfuscated text) in the https.keyStorePassword and https.keyManagerPassword settings.

Leave https.trustStorePassword blank.

https.keyStorePassword=NEW_PASS
https.keyManagerPassword=NEW_PASS
https.trustStorePassword=

Restart ATSD

/opt/atsd/atsd/bin/stop-atsd.sh
/opt/atsd/atsd/bin/start-atsd.sh

Verify Certificate

Log in to ATSD by entering its DNS name in the browser address bar and inspect the certificate by clicking the SSL security icon.

Check the status of the new certificate on the Settings > Certificates page. The record is highlighted in green if:

  • The certificate is trusted by the default trust manager of the Java Runtime Environment.
  • The certificate dates are valid and the expiration date is no earlier than 30 days from now.
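The browser and the Settings > Certificates page check the certificate after it has been installed. The following POSIX shell script is an added example, not code from the ATSD documentation: it runs the equivalent checks on the PEM files from the command line before the Combine Chained Certificates step (the private key matches the certificate, the certificate chains to the CA bundle, and the certificate is valid for at least the same 30 days that the Certificates page requires), and only then writes the fullchain file with the leaf certificate first. It assumes the openssl CLI is installed. The function names (key_matches_cert, chain_verifies, valid_for_days, build_fullchain, make_demo_pki) are mine, not ATSD's, and the demo CA, key and certificate it generates in a temporary directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the ATSD documentation. Assumes the openssl CLI.
# Pre-flight checks on atsd.company.com.crt / .ca-bundle / .key before the
# fullchain file is built and uploaded or converted to a keystore.

# 0 if the public key inside the certificate equals the private key's public
# half (both printed as SubjectPublicKeyInfo PEM, so a text compare suffices).
key_matches_cert() {
  crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$crt_pub" = "$key_pub" ]
}

# 0 if the leaf certificate chains to the bundle (intermediate + root CA).
# If the bundle lacks the root, pass the intermediates with -untrusted and
# the root with -CAfile instead.
chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 if the certificate will still be valid in N days (default 30, the
# threshold the ATSD Settings > Certificates page uses for a green record).
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# Number of PEM certificate blocks in a file (2 for leaf + one CA cert).
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Run all checks, then write leaf + bundle to $4 in the order the guide uses.
build_fullchain() {
  crt="$1"; bundle="$2"; key="$3"; out="$4"
  key_matches_cert "$crt" "$key"    || { echo "$key does not match $crt" >&2; return 1; }
  chain_verifies   "$crt" "$bundle" || { echo "$crt does not chain to $bundle" >&2; return 1; }
  valid_for_days   "$crt" 30        || { echo "$crt expires within 30 days" >&2; return 1; }
  cat "$crt" "$bundle" > "$out"
}

# Constructed demo PKI: a throwaway root CA, a 90-day leaf for
# atsd.company.com signed by it, and an unrelated CA for a negative check.
make_demo_pki() {
  d="$1"
  mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=atsd.company.com" \
    -keyout "$d/atsd.key" -out "$d/atsd.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/atsd.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 90 -out "$d/atsd.crt" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Other CA" \
    -keyout "$d/other.key" -out "$d/other.crt" >/dev/null 2>&1
}

# Demo run: generate the constructed PKI and build its fullchain file.
DEMO_DIR=$(mktemp -d)
make_demo_pki "$DEMO_DIR"
if build_fullchain "$DEMO_DIR/atsd.crt" "$DEMO_DIR/ca.crt" "$DEMO_DIR/atsd.key" \
     "$DEMO_DIR/atsd.fullchain"; then
  echo "fullchain written with $(count_certs "$DEMO_DIR/atsd.fullchain") certificates"
fi
```

On a real server, call build_fullchain with atsd.company.com.crt, atsd.company.com.ca-bundle, atsd.company.com.key and atsd.company.com.fullchain as its four arguments; a failed key match usually means the .key file belongs to an older CSR, and a failed chain check usually means the bundle is incomplete or from a different CA, both of which are cheaper to catch here than after the keystore has been replaced and ATSD restarted.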

Troubleshooting

Check the contents of the keystore.

keytool -list -v -keystore /opt/atsd/atsd/conf/server.keystore

The output must contain an entry for the atsd alias, for example:

Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: atsd
Creation date: Apr 18, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=atsd.company.com
Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
...