How to Update Expiring SSL/TLS Certificates on DX NetOps Proxy Server
Article ID: 436208
Updated On:
Products
Issue/Introduction
The SSL/TLS certificates used by the DX NetOps Proxy server are expiring. To maintain secure communication between the Data Aggregator and the Proxy, the existing certificate chain and keypair must be replaced before the expiration date.
Environment
- DX NetOps Performance Management
- Fault-Tolerant (FT) Data Aggregator configuration
- Proxy Host (daproxy)
Cause
SSL/TLS certificates have a finite validity period and require manual replacement once they approach their expiration date.
Resolution
To update the SSL/TLS certificates on the Proxy server, follow these steps:
Generate New Certificates: Obtain a new keypair and a full certificate chain from your Certificate Authority (CA). The PEM-formatted certificate file should contain the certificates in the following order:
- Signed Server Certificate
- Intermediate Certificate(s)
- Root Certificate
Upload Files to Proxy Server: Place the new
.pemcertificate file and the corresponding.keyfile on the Proxy server (standard location:/opt/CA/daproxy/conf/). Ensure the file permissions allow thedaproxyservice to read them.Update Configuration: Edit the
/opt/CA/daproxy/conf/daproxy.tomlfile. Locate the[[tls.certificates]]and[[tls.stores.default.defaultCertificate]]sections and ensure thecertFileandkeyFileparameters point to the new file paths :Restart Service: Apply the changes by restarting the
daproxyservice:Verification: Confirm the service is running and presenting the new certificate by checking the status:
Feedback
