SSL Certificate Overview

This document presents a basic overview of the cert command in WeOS.

What is an SSL Certificate

An SSL certificate is a file that binds a cryptographic key to an organization. When installed on a web server, it allows secure connections to be made using the HTTPS protocol.

SSL Certificates in WeOS

A default SSL certificate is always present in WeOS. If it is deleted, a new one is generated implicitly at reboot.

Users may import custom certificates and use them instead of the built-in ones in applications that allow such operation, such as DDNS.

If needed, certificates and OpenVPN secret keys may also be generated.

Certificates & keys management

Certificates and keys can be managed from both the CLI and the Web interface.

CLI Syntax:

[no][show] cert [all] [full] [generate [OPTS] | import [OPTS] URI]

Manage certificates and keys.

no
Delete a complete certificate bundle by its label.
show
Dump certificate information: attributes & meta data.
  full - display full certificate’s LABEL
  all - display all keys & certificates (including WeOS built-in)
  - display info about certificate with specified HASH
generate
Generate certificates and OpenVPN secret keys (PSK). Signing and self-signed CAs are not supported yet.
import
Import PKCS12 certificate bundles, stand-alone PEM/DER, Astaro Secure Gateway bundles or OpenVPN static key files.

Examples

Import a PKCS#12 or a PEM certificate:

example:/#> cert import pkcs password "secret string" ftp://1.2.3.4/bundle.p12
example:/#> cert import pem type public usb://remote.crt

Import an Astaro Secure Gateway bundle and set up an OpenVPN tunnel:

example:/#> cert import apc to-ssl 1 ftp://1.2.3.4/bundle.apc

Only import certificates from an Astaro Secure Gateway bundle:

example:/#> cert import apc certs-only ftp://1.2.3.4/bundle.apc

Import an OpenVPN static key (PSK):

example:/#> cert import ovpn ftp://1.2.3.4/ovpn.key

Generate an OpenVPN static key (PSK):

example:/#> cert generate ovpn label NAME

Show all certificates or display a given label/hash:

example:/#> show cert
TYPE     HASH     EXPIRES     NAME
Pub      52ff4f77 Jan 19 2038 zero-12-34-50.local
Key      N/A      N/A         web-default
example:/#> show cert full
TYPE     HASH     EXPIRES     NAME                 LABEL
Pub      52ff4f77 Jan 19 2038 zero-12-34-50.local  web-default
Key      N/A      N/A         web-default          web-default
example:/#> show cert all
Press Ctrl-C or Q(uit) to quit viewer, Space for next page,  for next line.
TYPE     HASH     EXPIRES     NAME
CA-auto  a94d09e5 Dec 31 2030 ACCVRAIZ1
CA-auto  cd8c0d63 Jan  1 2030 N/A
CA-auto  930ac5d2 Sep 22 2030 Actalis Authentication Root CA
CA-auto  157753a5 May 30 2020 AddTrust External CA Root
CA-auto  2b349938 Dec 31 2030 AffirmTrust Commercial
CA-auto  93bc0acc Dec 31 2030 AffirmTrust Networking
CA-auto  b727005e Dec 31 2040 AffirmTrust Premium
CA-auto  9c8dfbd4 Dec 31 2040 AffirmTrust Premium ECC
CA-auto  ce5e74ef Jan 17 2038 Amazon Root CA 1
CA-auto  6d41d539 May 26 2040 Amazon Root CA 2
CA-auto  8cb5ee0f May 26 2040 Amazon Root CA 3
CA-auto  de6d66f3 May 26 2040 Amazon Root CA 4
CA-auto  e36a6752 Dec 31 2030 Atos TrustedRoot 2011
CA-auto  3bde41ac Dec 31 2030 Autoridad de Certificacion Firmapr~l CIF A62634068
CA-auto  653b494a May 12 2025 Baltimore CyberTrust Root
CA-auto  54657681 Oct 26 2040 Buypass Class 2 Root CA
CA-auto  e8de2f56 Oct 26 2040 Buypass Class 3 Root CA
CA-auto  2ae6433e Jul 19 2042 CA Disig Root R2
CA-auto  0b1b94ef Dec 31 2029 CFCA EV ROOT
CA-auto  40547a79 Dec 31 2029 COMODO Certification Authority
CA-auto  eed8c118 Jan 18 2038 COMODO ECC Certification Authority
CA-auto  d6325660 Jan 18 2038 COMODO RSA Certification Authority
--More-- (17% of 10619 bytes)
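
The EXPIRES column in the listing above can be used to audit the certificate store for entries that have expired or are about to. The following Python script is an added example, not part of WeOS or its documentation: it parses captured output of show cert or show cert all (not the full layout) and reports such entries. The function names, the 90-day window and the abridged sample are assumptions made for illustration.

```python
from datetime import date, timedelta

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Sample input: rows copied from the "show cert all" output on this page (abridged).
SAMPLE = """\
example:/#> show cert all
TYPE     HASH     EXPIRES     NAME
CA-auto  cd8c0d63 Jan  1 2030 N/A
CA-auto  157753a5 May 30 2020 AddTrust External CA Root
CA-auto  ce5e74ef Jan 17 2038 Amazon Root CA 1
CA-auto  653b494a May 12 2025 Baltimore CyberTrust Root
Key      N/A      N/A         web-default
--More-- (17% of 10619 bytes)
"""

def parse_show_cert(text):
    """Parse 'show cert' / 'show cert all' rows (not the 'full' layout)."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        # Skip blank lines, CLI prompts, the column header and pager lines.
        if len(tok) < 4 or "#>" in tok[0] or tok[0] in ("TYPE", "Press", "--More--"):
            continue
        if tok[2] == "N/A":          # private keys carry no expiry date
            expires, name = None, " ".join(tok[3:])
        else:
            if len(tok) < 6 or tok[2] not in MONTHS:
                continue             # not a certificate row
            expires = date(int(tok[4]), MONTHS[tok[2]], int(tok[3]))
            name = " ".join(tok[5:])  # names may contain spaces
        rows.append({"type": tok[0], "hash": tok[1], "expires": expires, "name": name})
    return rows

def expiring(rows, today, within_days=90):
    """Return (hash, name, status) for entries expired or expiring soon."""
    limit = today + timedelta(days=within_days)
    out = []
    for r in rows:
        exp = r["expires"]
        if exp is not None and exp <= limit:
            status = "expired" if exp < today else "expiring"
            out.append((r["hash"], r["name"], status))
    return out

if __name__ == "__main__":
    for h, name, status in expiring(parse_show_cert(SAMPLE), date.today()):
        print(f"{status:9} {h} {name}")
```

The reported hash can then be passed to show cert to inspect the entry on the device.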

Remove certificate by label/hash:

example:/#> no cert 

Use the force parameter to avoid questions:

example:/#> no cert force