Replace the TLS certificate with a third-party CA-issued certificate

This procedure describes how to replace the existing TLS certificate with a third-party (public or private) certificate authority (CA)-issued TLS certificate.

Before you begin

When you request a TLS certificate from a certificate authority, you must provide information about your organization. It is a good idea to determine this information in advance, before you begin the process. See the TLS certificate data example section of this chapter for details and examples of the required information.
Note Image

This procedure requires you to restart the isi_webui service, which restarts the web administration interface. Therefore, it is recommended that you perform these steps during a scheduled maintenance window.


  1. Open a secure shell (SSH) connection to any node in the cluster and log in as root.
  2. Create a backup directory by running the following command:
    mkdir /ifs/data/backup/
  3. Set the permissions on the backup directory to 700:
    chmod 700 /ifs/data/backup
  4. Make backup copies of the existing server.crt and server.key files by running the following two commands:
    cp /usr/local/apache2/conf/ssl.crt/server.crt \
    cp /usr/local/apache2/conf/ssl.key/server.key \
    Note Image

    If files with the same names exist in the backup directory, either overwrite the existing files, or, to save the old backups, rename the new files with a timestamp or other identifier.

  5. Create a working directory to hold the files while you complete this procedure:
    mkdir /ifs/local
  6. Set the permissions on the working directory to 700:
    chmod 700 /ifs/local
  7. Change to the working directory:
    cd /ifs/local
  8. Generate a new Certificate Signing Request (CSR) and a new key by running the following command, where <common-name> is a name that you assign. This name identifies the new .key and .csr files while you are working with them in this procedure. Eventually, you will rename the files and copy them back to the default location, and delete the files with the <common-name>. Although you can choose any name for <common-name>, we recommend that you use the name that you plan to enter as the Common Name for the new TLS certificate (for example, the server FQDN or server name, such as This enables you to distinguish the new files from the original files.
    openssl req -new -nodes -newkey rsa:1024 -keyout \
    <common-name>.key -out <common-name>.csr
  9. When prompted, type the information to be incorporated into the certificate request.
    When you finish entering the information, the <common-name>.csr and <common-name>.key files appear in the /ifs/local directory.
  10. Send the contents of the <common-name>.csr file from the cluster to the Certificate Authority (CA) for signing.
  11. When you receive the signed certificate (now a .crt file) from the CA, copy the certificate to /ifs/local/<common-name>.crt (where <common-name> is the name you assigned earlier).
  12. Optional: To verify the attributes in the TLS certificate, run the following command, where <common-name> is the name that you assigned earlier:
    openssl x509 -text -noout -in <common-name>.crt
  13. Run the following five commands to install the certificate and key, and restart the isi_webui service. In the commands, replace <common-name> with the name that you assigned earlier.
    isi services -a isi_webui disable 
    chmod 640 <common name>.key 
    isi_for_array -s 'cp /ifs/local/<common-name>.key \
    isi_for_array -s 'cp /ifs/local/<common-name>.crt \
    isi services -a isi_webui enable 
  14. Verify that the installation succeeded. For instructions, see the Verify a TLS certificate update section of this guide.
  15. Delete the temporary working files from the /ifs/local directory:
    rm /ifs/local/<common-name>.csr \
    /ifs/local/<common-name>.key /ifs/local/<common-name>.crt
  16. (Optional) Delete the backup files from the /ifs/data/backup directory:
    rm /ifs/data/backup/server.crt.bak \