How to install a commercial SSL certificate on Z-Command
Z-Command comes pre-installed with a self-signed certificate that makes secure communication with the web interface possible. However, because the installed certificate is self-signed, end users will get a security warning until they create an exception for the certificate by accepting that it is not trusted by a certification authority.
This should work for most users. This guide is for those who would like to take the extra step of installing a commercial SSL certificate, which will eliminate the security warning.
- Log in to your Z-Command via SSH. The username is “pi”, the password is “raspberry”.
- Generate a certificate signing request (CSR) by executing the following command and supplying the details:
openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr
This creates two files. The file server.csr contains the certificate signing request. The file myserver.key contains the private key; do not disclose this file to anyone. Carefully protect the private key.
In particular, be sure to back up the private key, as there is no means to recover it should it be lost.
- Provide the content of server.csr to your certificate signing authority, e.g. godaddy.com or comodo.com. In return they will give you three crt files, which you will concatenate to generate a “bundle”. For example, if the files are www_yourdomain_com.crt, ComodoHigh-AssuranceSecureServerCA.crt and AddTrustExternalCARoot.crt, you will execute:
cat www_yourdomain_com.crt ComodoHigh-AssuranceSecureServerCA.crt AddTrustExternalCARoot.crt > bundle.crt
- Now combine the key in step 2 with the bundle file to create a pem file.
cat myserver.key bundle.crt > server.pem
- Back up the existing server.pem and replace it with the new one, then restart pound.
sudo cp /etc/pound/server.pem /etc/pound/server.pem.bak
sudo cp server.pem /etc/pound/
sudo /etc/init.d/pound restart
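A pre-install check for the files built in the steps above, as an added example that is not part of the original guide or of Z-Command: it confirms that myserver.key matches the first certificate in bundle.crt and that server.pem holds exactly one private key and at least one unexpired certificate. The function names and the zcommand.example name are assumptions; the file names are the guide's.

```sh
#!/bin/sh
# Added example: checks on server.pem before it replaces /etc/pound/server.pem.
# Usage on the device: check_server_pem myserver.key bundle.crt server.pem

# Count PEM blocks in file $1 whose BEGIN label matches pattern $2.
pem_count() {
    grep -c -- "-----BEGIN $2-----" "$1" 2>/dev/null || true
}

# Succeed only if private key $1 and the first certificate in $2 carry the
# same public key; a mismatched pair cannot complete a TLS handshake.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Check combined file $3 built from key $1 and bundle $2, as in the guide.
# Prints one line per problem; returns 0 only when every check passes.
check_server_pem() {
    key=$1; bundle=$2; pem=$3; rc=0
    keys=$(pem_count "$pem" '.*PRIVATE KEY')
    certs=$(pem_count "$pem" 'CERTIFICATE')
    [ "${keys:-0}" -eq 1 ] ||
        { echo "expected 1 private key in $pem, found ${keys:-0}"; rc=1; }
    [ "${certs:-0}" -ge 1 ] || { echo "no certificate found in $pem"; rc=1; }
    key_matches_cert "$key" "$bundle" ||
        { echo "$key does not match the first certificate in $bundle"; rc=1; }
    # -checkend 0 fails when the first certificate has already expired.
    openssl x509 -in "$bundle" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "first certificate in $bundle is expired or unreadable"; rc=1; }
    return $rc
}

# Self-test on a throwaway self-signed certificate (constructed sample data
# standing in for the CA-issued bundle; zcommand.example is a placeholder).
demo_constructed() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -nodes -newkey rsa:2048 -days 1 -subj "/CN=zcommand.example" \
        -keyout "$d/myserver.key" -out "$d/bundle.crt" >/dev/null 2>&1 || return 1
    cat "$d/myserver.key" "$d/bundle.crt" > "$d/server.pem"
    check_server_pem "$d/myserver.key" "$d/bundle.crt" "$d/server.pem"; r=$?
    rm -rf "$d"; return $r
}
```

Running check_server_pem before the copy into /etc/pound/ catches a key and certificate mismatch or a missing block while the original server.pem is still in place.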