Skip to main content
Sign in More Resources

How to copy a newly generated Netsweeper Proxy CA Certificate to remote proxy servers.

Cameron McDonald
  • Updated

Please note: Shell (root) access is required to perform the commands outlined below.

Overview

If the Netsweeper proxy certificate has expired, it is necessary to generate a new NSProxy certificate in the NSProxy Certificate Authority. Then this new certificate needs to be copied to to all remote proxy servers.

mceclip0.png

Copying the Certificate

After generating the new NSProxy certificate there will be a new certificate file and a key file on the Webadmin server. These two files are what need to be copied.

/usr/local/netsweeper/etc/ca.crt 
/usr/local/netsweeper/etc/ssl/ca.key

The following steps detail how to copy the certificate and key files to a temporary directory on the remote host and then log in to that host, sudo to root and then copy the files locally. 

The following "scp" commands use the remote proxy IP address192.168.30.143 as an example. You will be prompted for the remote proxy server's admin password.  (Note the capital "P" in the scp command "-P 60104" ssh port option)

# scp -P 60104 /usr/local/netsweeper/etc/ca.crt admin@192.168.30.143:/tmp
# scp -P 60104 /usr/local/netsweeper/etc/ssl/ca.key admin@192.168.30.143:/tmp

Login to remote proxy host and copy the files to their appropriate directories.

$ sudo -i
#cd /tmp
# cp ca.crt /usr/local/netsweeper/etc/
# cp ca.key /usr/local/netsweeper/etc/ssl/

Verify that the permissions and ownership of the newly copied files match the original files on the Webadmin server. Make any corrections to the file permissions and ownership with the chmod and chown commands.

On the Webadmin server:

# cd /usr/local/netsweeper/etc/
# ls -l ca*
-rw-r--r--. 1 root root 2037 May 4 2022 ca.crt
# ls -l ssl/ca*
-rw-r--r--. 1 root root 3243 May 4 2022 ca.key

On the proxy server:

# cd /usr/local/netsweeper/etc/
# chmod 644 ca.crt
# chown root:root ca.crt
# cd ssl
# chmod 644 ca.key
# chown root:root ca.key

The certificates will not become active on the proxies until the NSProxy service is restarted on each.

Now you can push out the new certificates to the clients via whatever means is used at your site.

Related to

Related articles