Updated on 8/16/2019
Eyeglass Administration guides Publication
TLS Certificate Procedures for Eyeglass
Direct link to topic in this publication:

Create a certificate in Eyeglass Appliance

  1. First create a configuration file inside /tmp directory. You can named it "iglscert.cnf" in Eyeglass Appliance. Below is an example:

    [ req ]
    default_bits = 2048
    prompt = no
    encrypt_key = no
    default_md = sha256
    distinguished_name = dn
    req_extensions = v3_req

    [ dn ]
    CN = iglscert.superna.local
    OU = Support Team
    L = Ottawa
    ST = Ontario
    C = CA

    [ v3_req ]
    subjectAltName = @alt_names

    [ alt_names ]
    DNS = superna.local
    DNS = *.superna.local

  2. Now, create a CSR (Certificate Signing Request) file and a server key file in /tmp directory using the following command in Eyeglass Appliance:
    openssl req -new -config /tmp/iglscert.cnf -keyout /tmp/iglscert.key -out /tmp/iglscert.csr

  3. Use the following command to verify the certificate information:
    openssl req -text -noout -verify -in /tmp/iglscert.csr

  4. Take the verified CSR file to your Windows Server CA or other CA and get it signed [ Signed certificate must be in Base-64-encoded X.509 format]. Once you have the file signed, copy it back to Eyeglass Appliance using any secure FTP client such as WinSCP and install using the steps below.

Install the signed certificate in Eyeglass appliance

  1. Get your certificate
  2. locate the private key and certificate, the file should have a private X509 key and certificate signed by a trusted certificate authority. as it must be X509 Certificate.

         Example:   eyeglass.key and eyeglass.crt  for certificate. 

  1. Login to eyeglass as root (or sudo to root), then upload the certificate files to eyeglass you may use winscp 

  2. Strip the key file and convert it to PEM format by executing below command
    openssl rsa -in /tmp/iglscert.key -out /tmp/iglscert.pem
  3. Now replace the certificate with existing Eyeglass cert
    scacli replace-certificate --privateKey=/tmp/iglscert.pem --certificate=/tmp/iglscert.cer
  4. Browse the Eyeglass certificate directory
    cd /opt/superna/sca/.secure

  5. Move the existing .pem file
    mv ssl.pem ssl.pem.orig

  6.  Concatenate the new key file information
    cat ssl.pem.orig ssl > ssl.pem

  7. Restart Lighttpd service
    systemctl restart lighttpd.service

  8. Now, login to Eyeglass Web UI and use the FQDN to access.
  9. You should see secure.pngaddress bar.



How to replace self signed certificate on Eyeglass Appliance


The following procedure can be used to generate a new self signed certificate and apply it on the Eyeglass appliance.



Configuration Steps:

Note: There will be an Eyeglass service interruption when performing this procedure.

  1. SSH to the Eyeglass as admin
  2. Default password is 3y3gl4ss
  3. sudo su  (to root)
  4. Default password is 3y3gl4ss
  5. systemctl stop sca
  6. systemctl stop lighttpd
  7. mv /opt/superna/sca/.secure/ssl.pem /tmp/ssl.pem.old
  8. /opt/superna/bin/create_ssl_keys.sh /opt/superna/sca/.secure/ssl
  9. chown sca.users /opt/superna/sca/.secure/*
  10. systemctl start sca
  11. systemctl start lighttpd
  12. Done.



Copyright Superna LLC