Replacing the SSL certificate of a cluster node with the Apache web server

The Apache web server is used on Astra Linux Special Edition.

To replace the SSL certificate of a cluster node with the Apache web server:

  1. Start an operating system command shell on the cluster node to run commands with superuser (system administrator) permissions.
  2. Place the certificate file (cert.pem) and the private key file (key.pem) in the /root directory.
  3. Change to the web server config files directory:

    cd /var/opt/kaspersky/ksmg/certs

  4. Create backup copies of the current certificate and private key:

    cp -p webapi.crt webapi.crt.backup

    cp -p webapi.key webapi.key.backup

    cp -p webapi-with-dhparam.crt webapi-with-dhparam.crt.backup

  5. Replace the contents of the certificate and private key files:

    cat /root/cert.pem > webapi.crt

    cat /root/key.pem > webapi.key

  6. Generate DH parameters:

    openssl dhparam -out dhparam.pem 4096

    Generating DH parameters may take 10 to 20 minutes. Wait for the operation to finish.

  7. Add the DH parameters to the certificate:

    cat webapi.crt dhparam.pem > webapi-with-dhparam.crt

  8. Configure access permissions for the modified files using the following commands:

    chown root:root webapi.crt

    chmod 644 webapi.crt

    chown kluser:root webapi.key

    chmod 600 webapi.key

    chown root:root dhparam.pem

    chmod 644 dhparam.pem

    chown root:root webapi-with-dhparam.crt

    chmod 644 webapi-with-dhparam.crt

  9. Restart the Apache service:

    systemctl restart apache2

  10. Check the status of the Apache service:

    systemctl status apache2

    The service must have the running status.

  11. Open the web interface of the cluster node in the browser. If the certificate was successfully replaced, the insecure connection warning is not displayed.
  12. If the replacement was successful, delete the original certificate and private key files from the /root directory:

    rm -f /root/cert.pem /root/key.pem

The SSL certificate of the cluster node is replaced. To replace certificates on multiple cluster nodes, repeat this procedure on each node.
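
Before overwriting webapi.crt and webapi.key in step 5, it is worth confirming that the two files placed in /root in step 2 belong together, because a mismatched pair only shows up as a failed Apache restart in step 9. The following pre-flight check is an added example, not part of the vendor procedure; the function name check_cert_pair, the script name check_pair.sh and the 24-hour expiry margin are assumptions.

```shell
#!/bin/sh
# Added example, not vendor code. check_cert_pair is a hypothetical helper name.
# Return codes: 0 ok, 2 bad certificate, 3 bad key, 4 key mismatch, 5 expiring.

check_cert_pair() {
    cert=$1
    key=$2

    # The first PEM block in the file must parse as an X.509 certificate.
    openssl x509 -in "$cert" -noout 2>/dev/null || {
        echo "not a PEM certificate: $cert" >&2; return 2; }

    # The key must load without a passphrase. The empty -passin makes a
    # protected key fail here instead of prompting (assumption: the key
    # written to webapi.key is expected to be unencrypted).
    openssl pkey -in "$key" -passin pass: -noout 2>/dev/null || {
        echo "cannot load private key: $key" >&2; return 3; }

    # Both commands print the public key in PEM form; the two must be identical.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate and private key do not match" >&2; return 4
    fi

    # -checkend N exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null 2>&1 || {
        echo "certificate is expired or expires within 24 hours" >&2; return 5; }

    echo "OK: $(openssl x509 -in "$cert" -noout -subject -enddate | tr '\n' ' ')"
}

# Run as: sh check_pair.sh /root/cert.pem /root/key.pem
if [ "$#" -eq 2 ]; then
    check_cert_pair "$1" "$2"
fi
```

If the check fails, the .backup copies from step 4 are still untouched and nothing has been overwritten yet.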
