Import custom TLS certificates

NXLog Platform uses TLS certificates to:

Serve the NXLog Platform UI web pages and API requests.
Generate and sign agent certificates.

We recommend using your own TLS certificates generated by a local or public Certificate Authority (CA) for production environments.

Import a custom certificate for the web UI and API

NXLog Platform generates a self-signed certificate and private key pair during installation and uses them to serve NXLog Platform UI web pages and API requests. To import a custom certificate and private key pair:

Follow your organization’s procedure for creating a custom certificate and private key pair. Ensure the certificate meets the following requirements:
- The Common Name (CN) matches platform.subdomain.example.com.
- Includes the following Subject Alternative Names (SAN):
  
  auth.subdomain.example.com
  
  agents.subdomain.example.com
Replace subdomain.example.com with the domain you specified when installing NXLog Platform.
Run the following command to start the certificate import wizard:
```
$ sudo nxp_manage.sh import-cert
```

Enter the path of the TLS certificate and private key when prompted. If the import is successful, you should see output similar to the following:

[2025-08-13 16:47:08] [SUCCESS] Successfully copied cert.crt to /srv/nxp/data/nginx_certs/
[2025-08-13 16:47:08] [SUCCESS] Successfully copied private.key to /srv/nxp/data/nginx_certs/
[2025-08-13 16:47:08] [SUCCESS] Script execution completed successfully
[2025-08-13 16:47:08] [SUCCESS] Files have been successfully copied to /srv/nxp/data/nginx_certs/

Restart NXLog Platform:

$ sudo nxp_manage.sh stop
$ sudo nxp_manage.sh start

Import a custom CA certificate to sign agent certificates

By default, NXLog Platform uses a self-signed Certificate Authority (CA) certificate to generate and sign agent certificates. You can configure NXLog Platform to use a custom CA certificate by following the steps below.

Follow the steps to Generate an API token with full access permissions. Take note of the API token.
Copy the custom CA certificate and private key to the /tmp folder on the NXLog Platform machine.

Copy the following script to the /tmp folder.

#!/usr/bin/bash

NXLOG_API_TOKEN="<API_TOKEN>" (1)
CA_CERT_PATH="/tmp/ca-cert.pem" (2)
CA_KEY_PATH="/tmp/ca-key.pem" (3)

# Decode the JWT token
payload=$(echo "$NXLOG_API_TOKEN" | cut -d '.' -f2 | base64 -d 2>/dev/null)

# Check if decoding was successful
if [ -z "$payload" ]; then
    echo "Failed to decode JWT token."
        exit 1
	fi

# Extract the "iss" and "org_id" values using awk
iss=$(echo "$payload" | awk -F '"' '/"iss"/ {print $4}')
org_id=$(echo "$payload" | awk -F '"' '/"org_id"/ {print $24}')

# Replace "auth" with "agents" in the "iss" value
agents_url=$(echo "$iss" | sed 's/auth/agents/')

# Construct the main URL
api_url="https://$agents_url/api/$org_id/api/v1"

mgr_CA=$(sed -E ':a;N;$!ba;s/\r{0,1}\n/\\n/g' $CA_CERT_PATH)
mgr_CA_key=$(sed -E ':a;N;$!ba;s/\r{0,1}\n/\\n/g' $CA_KEY_PATH)
resp=$(curl -kisSX POST "$api_url/ca" -d '{"cert-pem": "'"$mgr_CA"'", "key-pem": "'"$mgr_CA_key"'"}' -H "Authorization: Bearer $NXLOG_API_TOKEN" )

if [[ ! $resp =~ 204 ]]
then
  echo -e "\nThere was an error importing CA into Vault of Platform:\n $resp"
    exit
    fi
    echo "Successfully imported CA into Vault of NXLog Platform!"
    echo "================================================================================"

1	Replace `<API_TOKEN>` with the API token you generated in step 1.
2	Replace `ca-cert.pem` with your CA certificate filename.
3	Replace `ca-key.pem` with your private key filename.

Execute the script to update the CA certificate and private key in NXLog Platform.
Update the Remote Management (xm_admin) instance in your agent configurations with the following directives:
```
AllowUntrusted    TRUE
RequireCert       FALSE
```
From NXLog Platform, navigate to Agents and select all agents.
Click Operations and select Renew Certificate.
Repeat the last two steps, but this time select Update Configuration.