Installing a Server Authentication Certificate

Issuing a Certificate Request (PKCS#10)

Access the server over SSH using an account with administrative privileges.

Start the Stream configuration utility by running:

# /opt/stream/sbin/stream-config

In the main menu, select 'NGINX':

NGINX Config Menu

In the NGINX menu, select 'CSR':

NGINX CSR Menu

Specify the DNS name of the Stream server (the same one you previously used as the Stream hostname):

Specify Hostname

The certificate request is generated and saved as '/etc/nginx/ssl/stream.csr.new':

CSR generated

Signing the server certificate

Signing using an existing PKI

If you want to sign your Stream web server certificate using an existing PKI, provide your certificate authority with the '/etc/nginx/ssl/stream.csr.new' file generated in the previous step. Then upload the signed certificate via SCP to '/tmp/stream.crt' (PEM and DER formats are supported).

Self-signing the certificate

If you plan to use the Stream PKI to manage the Stream web server certificate, you must first self-sign it for configuration purposes, then replace it later as described in the administration guide.

To self-sign it using openssl, run the following commands:

# cd /etc/nginx/ssl
# openssl x509 -req -days 365 -in stream.csr.new -signkey stream.key.new -sha256 -out /tmp/stream.crt

Installing the Server Certificate

Upload the signed server certificate (in PEM format) to the Stream server as '/tmp/server.crt' using SCP.

Access the server over SSH using an account with administrative privileges.

Start the Stream configuration utility by running:

# /opt/stream/sbin/stream-config

In the NGINX configuration menu, select 'CRT':

CRT menu

Specify the path '/tmp/stream.crt' and validate:

CRT path

The server certificate is successfully installed:

CRT installed

Installing the Server Certificate Trust Chain

You must follow this section only if you signed the server certificate with an existing PKI. If you self-signed the server certificate, you do not need to follow this step.

Upload the server certificate trust chain (the concatenation of the Certificate Authority certificates in PEM format) to the Stream server as '/tmp/server.bundle' using SCP.

Access the server over SSH using an account with administrative privileges.

Start the Stream configuration utility by running:

# /opt/stream/sbin/stream-config

In the NGINX configuration menu, select 'TC':

TC menu

Specify the path '/tmp/server.bundle' and validate:

TC path

The server bundle is successfully installed:

TC installed

Verify the NGINX configuration with the following command:

# nginx -t

Restart the NGINX service with the following command:

# systemctl restart nginx
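
A pre-installation check for the files used in the steps above, added here as an example and not part of the Stream tooling: it confirms that the signed certificate carries the public key from the CSR and pairs with the private key, is not about to expire, and (when a CA bundle is given) chains to that bundle. The function names are hypothetical, the default paths are the ones used on this page, and a PEM certificate is assumed.

```shell
#!/bin/sh
# Added example (not Stream tooling). Function names are hypothetical;
# default paths are the ones used on this page. Certificate is assumed PEM.

# Print the SHA-256 digest of the public key in a CSR, certificate or private key.
pubkey_digest() {  # $1 = csr|crt|key   $2 = file
    local pub
    case "$1" in
        csr) pub=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        crt) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        key) pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        *)   return 1 ;;
    esac || return 1
    # An empty result would hash identically for every file, so treat it as an error.
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Return codes: 0 ok, 1 unreadable input, 2 key/CSR mismatch, 3 expiry, 4 chain.
check_stream_cert() {  # $1 = cert  $2 = CSR  $3 = private key  $4 = CA bundle (optional)
    local crt="${1:-/tmp/stream.crt}" csr="${2:-/etc/nginx/ssl/stream.csr.new}"
    local key="${3:-/etc/nginx/ssl/stream.key.new}" bundle="${4:-}"
    local d_crt d_csr d_key
    d_crt=$(pubkey_digest crt "$crt") || { echo "cannot parse $crt" >&2; return 1; }
    d_csr=$(pubkey_digest csr "$csr") || { echo "cannot parse $csr" >&2; return 1; }
    d_key=$(pubkey_digest key "$key") || { echo "cannot parse $key" >&2; return 1; }
    # The CA must have certified the key from our request, and nginx needs the
    # certificate and private key to form a pair.
    [ "$d_crt" = "$d_csr" ] || { echo "certificate does not match CSR" >&2; return 2; }
    [ "$d_crt" = "$d_key" ] || { echo "certificate does not match key" >&2; return 2; }
    # Refuse a certificate that is expired or expires within 24 hours.
    openssl x509 -in "$crt" -noout -checkend 86400 >/dev/null 2>&1 ||
        { echo "certificate expired or about to expire" >&2; return 3; }
    # Existing-PKI case: the uploaded CA bundle must validate the certificate.
    if [ -n "$bundle" ]; then
        openssl verify -CAfile "$bundle" "$crt" >/dev/null 2>&1 ||
            { echo "certificate does not chain to $bundle" >&2; return 4; }
    fi
    echo "OK: $crt matches CSR and key"
}

# Run the checks when arguments are given, e.g.:
#   sh check.sh /tmp/stream.crt "" "" /tmp/server.bundle
if [ "$#" -gt 0 ]; then check_stream_cert "$@"; fi
```

Empty arguments fall back to the default paths; omit the fourth argument for a self-signed certificate, since there is no CA bundle to verify against.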