Importing and replacing Certificates

Nexthink encrypts the communications among its components to protect the information that travels through the network. The Appliance components (Engine, Portal and Web Console) and the Finder all use TLS to communicate with each other. To that end, Nexthink is delivered by default with a set of self-signed certificates and a cryptographic key that the encryption algorithms of TLS use to secure network communications. However, if your company manages its own certificates, either signed by a third-party certification authority or self-signed, your security policy may require you to replace the default Nexthink certificates with your own.

Find out here how to replace the certificates in the Appliance and in the Finder.

Format of the Certificates

  • The certificate and key are in PEM format.
  • You can use OpenSSL to convert your own certificates to the PEM format, when needed.

Replacing the Certificate on the Engine

  • The key is stored at /var/nexthink/engine/common/etc/key.pem.
  • The certificate is stored at /var/nexthink/engine/common/etc/certificate.pem.
  1. Connect to the Engine over the command line interface.
  2. Stop the Engine using the command sudo service nxlaunch stop.
  3. Back up the default key and certificate using the commands:
    mv <key_path>/key.pem <key_path>/key.pem.default
    mv <certificate_path>/certificate.pem <certificate_path>/certificate.pem.default
  4. Connect with an SCP application and upload the new key and the new certificate to /home/nexthink.
  5. Copy your key and certificate using the commands:
    cp /home/nexthink/key.pem <key_path>/key.pem
    cp /home/nexthink/certificate.pem <certificate_path>/certificate.pem
  6. Restart the Engine with sudo service nxlaunch start.
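
An added example, not part of the Nexthink procedure: a shell function that checks the uploaded files before step 5 copies them into place. It confirms that the certificate is PEM, that the private key can be read without a passphrase, that the two belong together, and that the certificate has not expired. The name check_pair and its return codes are assumptions of this example; it uses only the openssl command line.

```shell
#!/bin/sh
# Added example: pre-flight check for a replacement key/certificate pair.
# check_pair and its return codes are hypothetical names for this sketch.

check_pair() {  # usage: check_pair key.pem certificate.pem
    key=$1
    cert=$2

    # The page requires PEM; a DER file has no textual BEGIN marker.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null || {
        echo "not a PEM certificate: $cert" >&2; return 2; }

    # Public key embedded in the certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "cannot parse certificate: $cert" >&2; return 2; }

    # Public key derived from the private key. The empty passphrase makes
    # an encrypted key fail here rather than wait for input.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || {
        echo "cannot read private key without a passphrase: $key" >&2; return 3; }

    # A key that does not belong to the certificate breaks every TLS handshake.
    [ "$cert_pub" = "$key_pub" ] || {
        echo "private key does not match certificate" >&2; return 4; }

    # -checkend 0 exits non-zero if the certificate is already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || {
        echo "certificate has expired" >&2; return 5; }

    echo "OK: $(openssl x509 -in "$cert" -noout -subject -enddate | tr '\n' ' ')"
}

# Run directly as: sh check_pair.sh /home/nexthink/key.pem /home/nexthink/certificate.pem
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
fi
```

For the Console, pass full_certificate.pem as both arguments to check the concatenated file.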

Configuring the Finder

  • If you install a certificate in the Engine that is signed by a recognized Certification Authority, the Finder is able to connect to the Engine out-of-the-box.
  • If you install a self-signed certificate in the Engine, you must import this certificate into all the computers where the Finder is installed. Otherwise, the connection of the Finder to the Engine fails with the error "The remote certificate is invalid".

To manually import the certificate into the Finder:

  1. Start > Run… > certmgr.msc.
  2. In the tree, select Trusted Root Certification Authorities > Right-Click > All Tasks > Import.
  3. The Certificate Import Wizard starts. Click Next.
  4. Click on the Browse button and select the certificate.pem file.
  5. Click Next.
  6. In the dialog Place all certificates in the following store, click the Browse button.
  7. Tick the box Show physical stores, and select Trusted Root Certification Authorities\Local computer.
  8. Click Next and Finish.

Replacing the Certificate on the Console

  • The key and the certificate are concatenated in a single file at /var/nexthink/console/etc/certificate.pem.
  1. Connect to the Engine over the command line interface.
  2. Stop the Console with sudo service nxconsole stop.
  3. Back up the default certificate using the command cp <key_path>/certificate.pem /var/nexthink/console/etc/certificate.pem.default
  4. Concatenate your key and certificate with cat <key_path>/key.pem /path/to/your/certificate.pem > full_certificate.pem
  5. Copy the concatenated certificate into place with cp full_certificate.pem /var/nexthink/console/etc/certificate.pem
  6. Restart the Console with sudo service nxconsole start.

Replacing the Certificate on the Portal

  • The key and the certificate are stored in the keystore at /etc/nexthink/tomcat/keystore
  1. Connect to the Portal over the command line interface.
  2. Stop the Portal with sudo service nxportal stop.
  3. Back up the keystore using the command cp /etc/nexthink/tomcat/keystore /etc/nexthink/tomcat/keystore.default.
  4. Delete the Nexthink Certificate from the keystore using the command /usr/java/default/bin/keytool -keystore /etc/nexthink/tomcat/keystore -delete -storepass nexthink -alias tomcat.
  5. Convert the new key to DER format using OpenSSL with openssl pkcs8 -topk8 -nocrypt -in /path/to/your/key.pem -inform PEM -out key.der -outform DER.
  6. Convert the new certificate to DER format using OpenSSL with openssl x509 -in /path/to/your/certificate.pem -inform PEM -out certificate.der -outform DER.
  7. Download the Java class from https://support.nexthink.com/attachments/token/rtluslbvys0nox0/?name=ImportKey.class
  8. Import the certificate into the keystore using the command java ImportKey key.der certificate.der
  9. Restart the Portal with sudo service nxportal start

The operations described in this article should only be performed by a Nexthink Engineer or a Nexthink Certified Partner.

If you need help or assistance, please contact your Nexthink Certified Partner.