Import custom TLS certificates

NXLog Platform uses TLS certificates to:

  • Serve the NXLog Platform UI web pages and API requests.

  • Generate and sign agent certificates.

We recommend using your own TLS certificates generated by a local or public Certificate Authority (CA) for production environments.

Import a custom certificate for the web UI and API

NXLog Platform generates a self-signed certificate and private key pair during installation and uses them to serve NXLog Platform UI web pages and API requests. To import a custom certificate and private key pair:

  1. Follow your organization’s procedure for creating a custom certificate and private key pair. Ensure the certificate meets the following requirements:

    • The Common Name (CN) matches platform.subdomain.example.com.

    • The certificate includes the following Subject Alternative Names (SAN):

      • auth.subdomain.example.com

      • agents.subdomain.example.com

    Replace subdomain.example.com with the domain you specified when installing NXLog Platform.

  2. Run the following command to start the certificate import wizard:

    $ sudo nxp_manage.sh import-cert

  3. Enter the path of the TLS certificate and private key when prompted. If the import is successful, you should see output similar to the following:

    [2025-08-13 16:47:08] [SUCCESS] Successfully copied cert.crt to /srv/nxp/data/nginx_certs/
    [2025-08-13 16:47:08] [SUCCESS] Successfully copied private.key to /srv/nxp/data/nginx_certs/
    [2025-08-13 16:47:08] [SUCCESS] Script execution completed successfully
    [2025-08-13 16:47:08] [SUCCESS] Files have been successfully copied to /srv/nxp/data/nginx_certs/

  4. Restart NXLog Platform:

    $ sudo nxp_manage.sh stop
    $ sudo nxp_manage.sh start
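
A pre-import check for the requirements in step 1, as an added example that is not part of NXLog Platform or its documentation: it confirms the CN and the two SANs, and that the private key belongs to the certificate, before you run the import wizard. The script name and function names are made up for this example, and it assumes OpenSSL 1.1.1 or later is installed.

```shell
#!/bin/sh
# Added example (not an NXLog tool): check a certificate/key pair against the
# step 1 requirements. Usage: sh check_cert.sh <domain> <cert.crt> <private.key>

# names_ok DOMAIN CN SAN_TEXT - pure string check on values already extracted.
# SAN_TEXT is OpenSSL's one-line form: "DNS:a.example.com, DNS:b.example.com".
names_ok() {
    domain=$1 cn=$2 sans=$3 rc=0
    if [ "$cn" != "platform.$domain" ]; then
        echo "CN is '$cn', expected 'platform.$domain'" >&2
        rc=1
    fi
    for host in "auth.$domain" "agents.$domain"; do
        # Wrap in separators so only a whole SAN entry matches, not a prefix
        # of a longer name.
        case ", $sans," in
            *", DNS:$host,"*) ;;
            *) echo "missing SAN DNS:$host" >&2; rc=1 ;;
        esac
    done
    return "$rc"
}

# key_matches CERT KEY - true when both files carry the same public key.
key_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# preflight DOMAIN CERT KEY - extract CN and SANs with openssl, then run both checks.
preflight() {
    pf_cn=$(openssl x509 -in "$2" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= //p')
    pf_sans=$(openssl x509 -in "$2" -noout -ext subjectAltName |
        sed -n '2s/^ *//p')
    names_ok "$1" "$pf_cn" "$pf_sans" || return 1
    if ! key_matches "$2" "$3"; then
        echo "private key does not match certificate" >&2
        return 1
    fi
    echo "OK: $2 and $3 meet the naming requirements and belong together"
}

# Run only when called with the three arguments; sourcing defines the functions.
if [ "$#" -eq 3 ]; then
    preflight "$@"
fi
```

The check is strict about the names listed in step 1, so a certificate that carries only a wildcard SAN is reported as missing both entries.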

Import a custom CA certificate to sign agent certificates

By default, NXLog Platform uses a self-signed Certificate Authority (CA) certificate to generate and sign agent certificates. You can configure NXLog Platform to use a custom CA certificate by following the steps below.

  1. Follow the steps to Generate an API token with full access permissions. Take note of the API token.

  2. Copy the custom CA certificate and private key to the /tmp folder on the NXLog Platform machine.

  3. Copy the following script to the /tmp folder.

    #!/usr/bin/bash

    NXLOG_API_TOKEN="<API_TOKEN>"     # (1)
    CA_CERT_PATH="/tmp/ca-cert.pem"   # (2)
    CA_KEY_PATH="/tmp/ca-key.pem"     # (3)

    # Decode the JWT payload (the second dot-separated segment of the token).
    # JWT segments are base64url-encoded, so map the URL-safe characters back first.
    payload=$(echo "$NXLOG_API_TOKEN" | cut -d '.' -f2 | tr '_-' '/+' | base64 -d 2>/dev/null)

    # Check if decoding was successful
    if [ -z "$payload" ]; then
        echo "Failed to decode JWT token."
        exit 1
    fi

    # Extract the "iss" and "org_id" values using awk.
    # awk splits the payload on double quotes, so $4 and $24 are positions within it.
    iss=$(echo "$payload" | awk -F '"' '/"iss"/ {print $4}')
    org_id=$(echo "$payload" | awk -F '"' '/"org_id"/ {print $24}')

    # Replace "auth" with "agents" in the "iss" value
    agents_url=$(echo "$iss" | sed 's/auth/agents/')

    # Construct the main URL
    api_url="https://$agents_url/api/$org_id/api/v1"

    # Join each PEM file into one line with literal \n separators for the JSON body
    mgr_CA=$(sed -E ':a;N;$!ba;s/\r{0,1}\n/\\n/g' "$CA_CERT_PATH")
    mgr_CA_key=$(sed -E ':a;N;$!ba;s/\r{0,1}\n/\\n/g' "$CA_KEY_PATH")

    # POST the CA certificate and key; -k makes curl skip verification of the server's TLS certificate
    resp=$(curl -kisSX POST "$api_url/ca" -d '{"cert-pem": "'"$mgr_CA"'", "key-pem": "'"$mgr_CA_key"'"}' -H "Authorization: Bearer $NXLOG_API_TOKEN" )

    # The import succeeded if the response contains status 204
    if [[ ! $resp =~ 204 ]]
    then
        echo -e "\nThere was an error importing CA into Vault of Platform:\n $resp"
        exit 1
    fi
    echo "Successfully imported CA into Vault of NXLog Platform!"
    echo "================================================================================"

    (1) Replace <API_TOKEN> with the API token you generated in step 1.
    (2) Replace ca-cert.pem with your CA certificate filename.
    (3) Replace ca-key.pem with your private key filename.

  4. Execute the script to update the CA certificate and private key in NXLog Platform.

  5. Update the Remote Management (xm_admin) instance in your agent configurations with the following directives:

    AllowUntrusted    TRUE
    RequireCert       FALSE

  6. From NXLog Platform, navigate to Agents and select all agents.

  7. Click Operations and select Renew Certificate.

  8. Repeat the last two steps, but this time select Update Configuration.