Upload a custom CA certificate to NXLog Platform
By default, NXLog Platform uses a self-signed Certificate Authority (CA) certificate to generate and sign agent certificates. You can configure NXLog Platform to use a custom CA certificate by following the steps below.
-
Follow the steps to Generate an API token with full access permissions. Take note of the API token.
-
Copy the custom CA certificate and private key to the /tmp folder on the NXLog Platform machine.
-
Copy the following script to the /tmp folder.

```bash
#!/usr/bin/bash

NXLOG_API_TOKEN="<API_TOKEN>"    # (1)
CA_CERT_PATH="/tmp/ca-cert.pem"  # (2)
CA_KEY_PATH="/tmp/ca-key.pem"    # (3)

# Decode the JWT token
payload=$(echo "$NXLOG_API_TOKEN" | cut -d '.' -f2 | base64 -d 2>/dev/null)

# Check if decoding was successful
if [ -z "$payload" ]; then
    echo "Failed to decode JWT token."
    exit 1
fi

# Extract the "iss" and "org_id" values using awk
iss=$(echo "$payload" | awk -F '"' '/"iss"/ {print $4}')
org_id=$(echo "$payload" | awk -F '"' '/"org_id"/ {print $24}')

# Replace "auth" with "agents" in the "iss" value
agents_url=$(echo "$iss" | sed 's/auth/agents/')

# Construct the main URL
api_url="https://$agents_url/api/$org_id/api/v1"

# Flatten each PEM file to a single line, with newlines written as a literal \n for the JSON body
mgr_CA=$(sed -E ':a;N;$!ba;s/\r{0,1}\n/\\n/g' "$CA_CERT_PATH")
mgr_CA_key=$(sed -E ':a;N;$!ba;s/\r{0,1}\n/\\n/g' "$CA_KEY_PATH")

# Upload the CA certificate and key; -k skips TLS certificate verification of the API endpoint
resp=$(curl -kisSX POST "$api_url/ca" -d '{"cert-pem": "'"$mgr_CA"'", "key-pem": "'"$mgr_CA_key"'"}' -H "Authorization: Bearer $NXLOG_API_TOKEN")

if [[ ! $resp =~ 204 ]]
then
    echo -e "\nThere was an error importing CA into Vault of Platform:\n $resp"
    exit 1
fi

echo "Successfully imported CA into Vault of NXLog Platform!"
echo "================================================================================"
```

(1) Replace <API_TOKEN> with the API token you generated in step 1.
(2) Replace ca-cert.pem with your CA certificate filename.
(3) Replace ca-key.pem with your private key filename.
-
Execute the script to update the CA certificate and private key in NXLog Platform.
-
Update the Remote Management (xm_admin) instance in your agent configurations with the following directives:
```
AllowUntrusted TRUE
RequireCert FALSE
```
-
From NXLog Platform, navigate to Agents and select all agents.
-
Click Operations and select Renew Certificate.
-
Repeat the last two steps, but this time select Update Configuration.
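
Before executing the upload script, it is worth confirming that the two files copied to /tmp form a usable CA pair. The following is an added example, not part of NXLog's documentation or tooling; the function name `check_ca_pair`, the 30-day expiry margin, and the rules that the key is unencrypted and has no group/other access are assumptions.

```shell
#!/bin/sh
# Added example (not NXLog code): pre-flight checks for a custom CA pair.
# Usage: sh check-ca-pair.sh /tmp/ca-cert.pem /tmp/ca-key.pem
# Assumed policy: key unencrypted, no group/other access, cert valid 30+ days.

check_ca_pair() {
    cert=$1; key=$2; rc=0

    # Both files must parse; -passin pass: stops openssl prompting for a passphrase.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "FAIL: $cert is not a readable PEM certificate"; return 1; }
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) ||
        { echo "FAIL: $key is not a readable unencrypted PEM private key"; return 1; }

    # The public key in the certificate must be the one derived from the private key.
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: private key does not match the certificate"; rc=1; }

    # A certificate used to sign agent certificates needs basicConstraints CA:TRUE.
    openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' ||
        { echo "FAIL: certificate is not marked CA:TRUE"; rc=1; }

    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend $((30 * 24 * 3600)) >/dev/null ||
        { echo "FAIL: certificate is expired or expires within 30 days"; rc=1; }

    # /tmp is shared: group and other must have no access to the key file.
    perms=$(ls -ld "$key" | cut -c5-10)
    [ "$perms" = "------" ] ||
        { echo "FAIL: $key is accessible to group/other (chmod 600 it)"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: $cert and $key pass the pre-flight checks"
    return "$rc"
}

# Run the check when two paths are given on the command line.
if [ "$#" -eq 2 ]; then
    check_ca_pair "$1" "$2"
fi
```

Once the import reports success, delete the private key from /tmp.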