Changing monitoring service SSL certificate

Q: I have accidentally deleted IPHost monitoring service certificate file(s) – service.crt and/or service.key. How do I recover it?

A: You cannot recover certificate file(s), but you can create new ones.

The simplest way to do that is to use Unix-like environment and default OpenSSL utility; you can also make use of Windows builds of OpenSSL.

Typical environments where OpenSSL is available by default include:

  • any available shell (e.g. an SSH session) to a Unix-like system (Linux, BSD etc.)
  • Windows Subsystem for Linux (requires Windows 10 with the Anniversary Update of August 2016, or later)
  • Cygwin: a POSIX environment emulator for Windows

In any compatible environment, run a command like

 openssl req -x509 -newkey rsa:2048 -keyout ./service.key -out ./service.crt -days 7300 -nodes

Unless explicitly configured, OpenSSL will ask a number of questions; enter the corresponding parameters as requested (you may enter anything). The “Common Name” is usually the DNS name of the host, e.g.

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Massachusetts
Locality Name (eg, city) [Default City]:Arkham City
Organization Name (eg, company) [Default Company Ltd]:ACME, Ltd.
Organizational Unit Name (eg, section) []:Software development
Common Name (eg, your name or your server's hostname) []:acme.example.com
Email Address []:webmaster@acme.example.com

Meaning of the parameters: rsa:2048 means a 2048-bit RSA key is generated. This is the minimum recommended length; you can also use 3072 or 4096 bits. The longer the key, the more resource-consuming its use, and the harder the key is to break.

“-days 7300” defines for how many days, counting from the date of creation, the certificate remains valid. 7300 means approximately 20 years (leap days not counted).

After the certificate files (service.crt, service.key) are created, copy them to the IPHost data directory (“C:\ProgramData\IPHost Network Monitor” by default). Restart the monitoring service to make use of the new certificate.

Note: if you were using remote agents, you will need to re-connect them.
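As an added example (not part of the original article and not IPHost's own tooling), the following POSIX shell script runs the same openssl command non-interactively by passing the subject with -subj, using the sample values from the session above, and then checks the result before it is copied to the data directory: that the private key really belongs to the certificate, that the Common Name is the one intended, and that the validity window matches what -days requested. It assumes the openssl command-line tool is on PATH; the output directory and hostname arguments are placeholders.

```shell
#!/bin/sh
# Added example, not IPHost's code: generate service.key/service.crt without
# prompts and sanity-check the pair before installing it.
# Assumptions: the openssl CLI is on PATH; subject fields use the sample values
# from the article; directory and common name are caller-supplied placeholders.

# Generate a self-signed certificate non-interactively.
#   $1 = output directory, $2 = Common Name (hostname), $3 = validity in days
gen_service_cert() {
    dir="$1"; cn="$2"; days="${3:-7300}"
    mkdir -p "$dir" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -keyout "$dir/service.key" -out "$dir/service.crt" \
        -subj "/C=US/ST=Massachusetts/L=Arkham City/O=ACME, Ltd./CN=$cn" \
        >/dev/null 2>&1 || return 1
    # -nodes leaves the private key unencrypted: restrict it to the owner.
    chmod 600 "$dir/service.key"
}

# Succeed only if the private key ($1) and certificate ($2) carry the same
# public key; a mismatched pair would make the service fail to start TLS.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print the certificate's Common Name.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null \
        | sed -n 's/^ *commonName *= *//p'
}

# Succeed if the certificate ($1) is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Usage (uncomment to run as a script):
#   gen_service_cert /tmp/iphost-cert acme.example.com 7300 \
#     && key_matches_cert /tmp/iphost-cert/service.key /tmp/iphost-cert/service.crt \
#     && echo "CN=$(cert_cn /tmp/iphost-cert/service.crt)"
```

The -nodes option in the article's command is what makes the key usable by a service: the private key is written without a passphrase so the monitoring service can start unattended, which is also why the script tightens the file mode right away. After copying the files to the Windows data directory, keep service.key readable only by the account the service runs under. If remote agents verify the certificate, the Common Name should be the hostname they use to reach the service.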
