Upload a custom CA certificate to NXLog Platform

By default, NXLog Platform uses a self-signed Certificate Authority (CA) certificate to generate and sign agent certificates. You can configure NXLog Platform to use a custom CA certificate by following the steps below.

  1. Follow the steps to Generate an API token with full access permissions. Take note of the API token.

  2. Copy the custom CA certificate and private key to the /tmp folder on the NXLog Platform machine.

  3. Copy the following script to the /tmp folder.

    #!/usr/bin/bash

    NXLOG_API_TOKEN="<API_TOKEN>"     # (1)
    CA_CERT_PATH="/tmp/ca-cert.pem"   # (2)
    CA_KEY_PATH="/tmp/ca-key.pem"     # (3)

    # Decode the JWT payload (second dot-separated segment). JWTs use unpadded
    # base64url, so map the alphabet back to base64 and restore the padding.
    payload=$(echo "$NXLOG_API_TOKEN" | cut -d '.' -f2 | tr '_-' '/+')
    while [ $(( ${#payload} % 4 )) -ne 0 ]; do payload="$payload="; done
    payload=$(echo "$payload" | base64 -d 2>/dev/null)

    # Check if decoding was successful
    if [ -z "$payload" ]; then
        echo "Failed to decode JWT token."
        exit 1
    fi

    # Extract the "iss" and "org_id" values using awk.
    # The field numbers are positional and depend on the key order of the payload.
    iss=$(echo "$payload" | awk -F '"' '/"iss"/ {print $4}')
    org_id=$(echo "$payload" | awk -F '"' '/"org_id"/ {print $24}')

    # Replace "auth" with "agents" in the "iss" value
    agents_url=$(echo "$iss" | sed 's/auth/agents/')

    # Construct the main URL
    api_url="https://$agents_url/api/$org_id/api/v1"

    # Join the PEM files into single lines with literal \n for the JSON body
    mgr_CA=$(sed -E ':a;N;$!ba;s/\r{0,1}\n/\\n/g' "$CA_CERT_PATH")
    mgr_CA_key=$(sed -E ':a;N;$!ba;s/\r{0,1}\n/\\n/g' "$CA_KEY_PATH")

    # Note: -k disables TLS certificate verification for this request
    resp=$(curl -kisSX POST "$api_url/ca" -d '{"cert-pem": "'"$mgr_CA"'", "key-pem": "'"$mgr_CA_key"'"}' -H "Authorization: Bearer $NXLOG_API_TOKEN")

    if [[ ! $resp =~ 204 ]]
    then
        echo -e "\nThere was an error importing CA into Vault of Platform:\n $resp"
        exit 1
    fi
    echo "Successfully imported CA into Vault of NXLog Platform!"
    echo "================================================================================"

    (1) Replace <API_TOKEN> with the API token you generated in step 1.
    (2) Replace ca-cert.pem with your CA certificate filename.
    (3) Replace ca-key.pem with your private key filename.

  4. Execute the script to update the CA certificate and private key in NXLog Platform.

  5. Update the Remote Management (xm_admin) instance in your agent configurations with the following directives:

    AllowUntrusted    TRUE
    RequireCert       FALSE

  6. From NXLog Platform, navigate to Agents and select all agents.

    [Image: NXLog Platform - select all agents]

  7. Click Operations and select Renew Certificate.

    [Image: NXLog Platform - renew agent certificates]

  8. Repeat the last two steps, but this time select Update Configuration.
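
Before executing the script in step 4, it is worth confirming that the files copied in step 2 form a usable CA pair. The following is an added example, not part of NXLog's documentation or tooling: the function name `preflight_ca` and its return codes are assumptions, and it relies on the `openssl` CLI and GNU `stat`.

```bash
#!/usr/bin/bash
# Added example: pre-flight checks for the CA pair before upload.
# preflight_ca and its return codes are hypothetical, not NXLog Platform tooling.
# Usage: preflight_ca /tmp/ca-cert.pem /tmp/ca-key.pem

preflight_ca() {
    local cert="$1" key="$2" cert_pub key_pub mode

    # 1. The certificate must parse as PEM X.509.
    if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo "Cannot parse certificate: $cert" >&2
        return 2
    fi

    # 2. It must be a CA certificate (basicConstraints CA:TRUE).
    if ! openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE'; then
        echo "Certificate is not marked CA:TRUE" >&2
        return 3
    fi

    # 3. It must not have expired already.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "Certificate has expired" >&2
        return 4
    fi

    # 4. The private key must belong to the certificate: compare public keys.
    #    "-passin pass:" makes an encrypted key fail here instead of prompting.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "Private key is unreadable or does not match the certificate" >&2
        return 5
    fi

    # 5. /tmp is shared, so the key must not be readable by group or others.
    mode=$(stat -c '%a' "$key")
    case "$mode" in
        *00) ;;
        *) echo "Key mode is $mode; run: chmod 600 $key" >&2; return 6 ;;
    esac

    echo "CA certificate and key passed pre-flight checks"
}
```

A non-zero return identifies the first failed check, so the upload script can be chained behind the function with `&&`.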