Swap SVM On-Prem SSL certificates [Ubuntu VA]

Swap SVM On-Prem SSL certificates [Ubuntu VA]


The SVM VA server will generate a self-signed SSL certificate when you choose to use SSL.
These instructions will explain how to swap it for your certificate and key pair.


Screenshot of the server name and SSL options dialogue in the CSI Virtual Appliance graphical menu.

Once you've run through the SVM Virtual Appliance (VA) setup wizard and have selected to use SSL you'll find that the server is set up with a self-signed SSL certificate. In some environments that isn't an ideal solution as the act of propagating the public key from this certificate to all endpoints can be daunting.  Below you'll find step by step instructions on how to replace the generated certificate with your own.

1. Obtain and transfer your public and private keys to your SVM VA. Once you have access to the file(s) this can be easily transferred to your server with a tool like WinSCP.

2. If your certificate is packaged together in a PFX file you can do the following to prepare your public and private key files. 

Extract the private key:

openssl pkcs12 -in cert_name.pfx -nocerts -out csi.key

Remove the password from your key, so httpd will start without prompting for it:

mv csi.key csi.key.secure 

openssl rsa -in csi.key.secure -out csi.key

Generate the public certificate:

openssl pkcs12 -in cert_name.pfx -clcerts -nokeys -out csi.crt

If you have a PEM file that has the two keys instead of a pfx you'll want to change the pkcs12 to x509 to match the format of the certificate. If you have another certificate format you'll need to adjust accordingly. Please refer to the openssl manual page for further details

3. Next, we need to replace the existing self-signed certificate files with the ones we now have on hand.
<VirtualHost *:8443>
        DocumentRoot /usr/share/csi/public_html/
        DirectoryIndex index.php index.html
        ServerName CSI-SSL
        <Directory /usr/share/csi/public_html/>
                Require all granted
        SSLEngine on
        SSLCertificateFile    /etc/csi/ssl/csi.crt
        SSLCertificateKeyFile /etc/csi/ssl/csi.key
We can find the location for the existing key pair in the virtual host definition for Apache which is found in /etc/apache2/sites-enabled/csi-ssl.conf. Here is what the virtual host looks like in that file:\

The important lines from the virtual host are the SSLCertificateFile and SSLCertificateKeyFile directives. These tell Apache which public and private key to use for the SSL connection and this lets us know what files we need to replace.

4. Remove the existing certificate key pair and replace it with yours.

Begin with deleting the old public key:

rm /etc/csi/ssl/csi.crt

Delete the old private key:

rm /etc/csi/ssl/csi.key 

Copy new public key

cp csi.crt /etc/csi/ssl/ 

Copy new private key

cp csi.key /etc/csi/ssl
5. Restart Apache
service apache2 restart
After restarting Apache you are all set.
Your connections to the SVM Server will occur using the newly implemented certificate.

Was this article helpful? Yes No
No ratings
Version history
Revision #:
3 of 3
Last update:
‎Sep 25, 2019 06:57 PM
Updated by: