How to replace WebUI certificate [Kaspersky Web Traffic Security]

[Egor Erastov]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

Prerequisites

To replace the WebUI certificate you need two files:

• PEM encoded certificate or certificate chain file
• PEM encoded private key file (without passphrase)

You can generate a self signed certificate using the following command, specifying FQDN of the node in Common Name field:

openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem

Certificate replacement procedure

1. Connect to the node over SSH and enter Technical Support Mode
2. Place the files (cert.pem) and (key.pem) into /root
3. Go to we server configuration directory
4. Backup current versions of the files

   cp -p webapi.crt webapi.crt.backup
   cp -p webapi.key webapi.key.backup

5. Replace current files with new ones:

   cp /root/cert.pem webapi.crt
   cp /root/key.pem webapi.key

6. Set proper permissions

   chown root:root webapi.crt
   chmod 644 webapi.crt
   chown kluser:root webapi.key
   chmod 600 webapi.key

7. Restart nginx

   systemctl restart nginx

8. Check status of nginx service, it should be running
9. Open the WebUI to check that it is using the new certificate
10. If everything works as expected, delete certificate files from /root

    rm -f /root/cert.pem /root/key.pem

Repeat this procedure on every node of the Kaspersky Web Traffic Security cluster.