Obtain Private Key from generated CSR

We’re running a setup where we have a main and backup gateway, and we want both gateways to have SSL encryption with the same certificate. I will need the private key that Ignition auto-generates to be installed on both the main and backup server. When ignition auto-generates a .csr it has a private key that it automatically generates along with. How can I get pull this from Ignition?

Assuming you are on at least 8.0.3, if you want the same SSL certificate installed on both gateways, you should be able to simply copy the key store file $GATEWAY1/webserver/ssl.pfx over to $GATEWAY2/webserver/ssl.pfx (where $GATEWAY1 and $GATEWAY2 are the root installation directories on the hosts of your first and second gateways respectively)

Alright fair enough, since I’m on 8.0.9. Also I don’t have an ssl.pfx file in that location but csr.pfx instead. Same action but using that file instead?

Have you exchanged your CSR for a CA-signed SSL certificate yet? If you have - once you install the certificate chain from the CA into one of the Gateways, the ssl.pfx key store should be generated for you

Ah right that gets it, I can see the ssl.pfx file now. That said though, this file swap by itself doesn’t install the SSL certificate. How do I go about getting the private key from this file since it requires a password to open? Otherwise I won’t be able to install the certificate on the gateway.

I missed one important step - on the gateway that you copied the key store file to, you will need to tell it to refresh its key store from disk. You can do this one of a few ways:

  1. every 15 mins or so, the system will automatically check for the presence of a new key store file and will hot-reload the SSL certificate
  2. you can tell the gateway to reload the key store immediately by invoking the following GCU command: gwcmd.sh --reloadks (assuming a *nix environment)
  3. restart the gateway

Thank you very much, this has resolved the issue.


1 Like