Replacing Knox Self-Signed Certificate with CA Certificate
This page walks through replacing the Knox self-signed TLS certificate with one issued by a Certificate Authority (CA). Follow the steps in order: the keystore password, the private key password and the Knox master secret must end up consistent, otherwise Knox cannot open the keystore at startup.
Before you begin, note the end state. The certificate/key pair is imported into a Java keystore with keytool (Steps 2 and 3 below) such that:
- The certificate alias is gateway-identity.
- The keystore password matches the Knox master secret. If they differ, either change the keystore password to the master secret or regenerate the master secret to match the keystore password (Step 6).
- You have noted the private key password; Step 4 stores it as a credential alias so Knox can unlock the key.
Step 1: Back Up the Original Knox SSL Configuration
Before making any changes, back up the existing keystores. Move gateway.jks out of the way so that keytool creates a fresh one in Step 3, but only copy __gateway-credentials.jceks: it is the Knox credential store, and moving it away discards every other alias it holds (an LDAP bind password, for example).
cd /var/lib/knox/data/security/keystores/
mkdir backup
mv gateway.jks backup/
cp -p __gateway-credentials.jceks backup/
Step 2: Create a PKCS12 Keystore
Bundle the private key, the server certificate and the CA chain (intermediate and root certificates in one PEM file) into a PKCS12 file. Passing -name fixes the entry's friendly name, which is the -srcalias keytool needs in Step 3; without it keytool sees the entry under the alias 1.
openssl pkcs12 -export -out corp_cert_chain.pfx -inkey <private-key>.key -in <cert.cer> -certfile <root_intermediate>.cer -name gateway-identity
Step 3: Generate the Knox Keystore
Copy the PKCS12 file into the Knox keystore directory and convert it into gateway.jks, the JKS keystore Knox reads. <src-alias> is the friendly name recorded in the PKCS12 (the -name given to openssl, or 1 if none was set). The destination alias must be gateway-identity, and both the keystore password and the key password are set to the Knox master secret so the gateway can open the store.
cp corp_cert_chain.pfx /var/lib/knox/data/security/keystores/
cd /var/lib/knox/data/security/keystores/
keytool -importkeystore -srckeystore corp_cert_chain.pfx -srcstoretype pkcs12 -destkeystore gateway.jks -deststoretype jks -srcstorepass <src-keystore-password> -deststorepass <knox-master-secret> -srcalias <src-alias> -destalias gateway-identity -destkeypass <knox-master-secret>
Step 4: Store the Key Password in the Credential Store (jceks)
Knox reads the private key password from the alias gateway-identity-passphrase in __gateway-credentials.jceks; the keystore password itself is expected to equal the master secret. Create the alias with the key password used in Step 3:
/usr/odp/current/knox-server/bin/knoxcli.sh create-alias gateway-identity-passphrase --value <knox-master-secret>
Then make sure both files are owned by the knox user and readable only by that user:
chown knox:knox __gateway-credentials.jceks gateway.jks
Step 5: Restart Knox and Verify
Restart Knox to apply the changes, then follow the gateway log while it starts: a successful swap shows the gateway coming up without keystore, passphrase or TLS errors.
tail -f /var/log/knox/gateway.log
Step 6: Regenerate the Master Key (only if the passwords differ)
The master secret and the keystore password must be the same. If you chose to change the master secret rather than the keystore password, regenerate it as follows. Regenerating the master secret invalidates __gateway-credentials.jceks and any other credential store protected by the old secret, so recreate their aliases afterwards, including the one from Step 4.
rm -rf /usr/odp/current/knox-server/data/security/master
ls -l /usr/odp/current/knox-server/data/security/master
su knox
/usr/odp/current/knox-server/bin/knoxcli.sh create-master --force --master <knox-master-secret>
ls -l /usr/odp/current/knox-server/data/security/master
chown knox:knox /usr/odp/current/knox-server/data/security/master
Restart the Knox Service.
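As an added end-to-end check that is not part of this page, of the knox_ssl.sh script or of Knox itself, the following script uses only openssl to validate the material before Step 2 (key matches certificate, certificate chains to the bundle, certificate is not about to expire), builds the PKCS12 with the gateway-identity friendly name that Step 3 expects as -srcalias, and after the restart in Step 5 compares the certificate the gateway actually serves against the file that was imported. The file names, the KNOX_KEY_PASS variable and the host:port are assumptions for illustration.

```shell
#!/bin/sh
# knox_cert_preflight.sh: added example, not part of the original procedure or
# of Knox. Validates the CA-issued material before it goes into gateway.jks and
# checks the served certificate after the restart. Needs only openssl.
# KNOX_KEY_PASS (assumed name) holds the private key password if the key file is
# encrypted; leave it unset for an unencrypted key.

# 0 if the private key and the leaf certificate carry the same public key.
# A mismatch here is what later breaks the TLS handshake even though keytool
# imports the pair without complaint.
knox_key_matches_cert() {
    kmc_key=$(openssl pkey -in "$1" -passin "pass:${KNOX_KEY_PASS:-}" -pubout 2>/dev/null) || return 1
    kmc_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kmc_key" ] && [ "$kmc_key" = "$kmc_cert" ]
}

# 0 if the leaf certificate chains to the bundle that goes into -certfile
# (intermediate and root certificates, PEM, in one file).
knox_chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 if the certificate is still valid for at least $2 days (default 30).
knox_cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# Build the PKCS12 as in Step 2, pinning the friendly name to gateway-identity
# so the -srcalias for keytool in Step 3 is known in advance.
# Args: key cert ca_bundle out_pfx pfx_password
knox_build_pfx() {
    openssl pkcs12 -export -out "$4" -inkey "$1" -in "$2" -certfile "$3" \
        -name gateway-identity \
        -passin "pass:${KNOX_KEY_PASS:-}" -passout "pass:$5" 2>/dev/null
}

# 0 if the PKCS12 opens with the given password and contains an entry whose
# friendlyName is gateway-identity.
knox_pfx_has_alias() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
        | grep -q 'friendlyName: gateway-identity$'
}

# After Step 5: 0 if the certificate the gateway serves on host:port has the
# same SHA-256 fingerprint as the file that was imported. Network call; not
# exercised by the offline checks.
knox_served_cert_matches() {
    scm_served=$(openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null)
    scm_expected=$(openssl x509 -in "$2" -noout -fingerprint -sha256 2>/dev/null)
    [ -n "$scm_served" ] && [ "$scm_served" = "$scm_expected" ]
}

# Run every offline check and write corp_cert_chain.pfx to the current directory.
# Args: key cert ca_bundle pfx_password
knox_preflight() {
    knox_key_matches_cert "$1" "$2" || { echo "private key does not match $2" >&2; return 1; }
    knox_chain_verifies "$2" "$3" || { echo "$2 does not chain to $3" >&2; return 1; }
    knox_cert_not_expiring "$2" 30 || { echo "$2 expires within 30 days" >&2; return 1; }
    knox_build_pfx "$1" "$2" "$3" corp_cert_chain.pfx "$4" || { echo "PKCS12 export failed" >&2; return 1; }
    knox_pfx_has_alias corp_cert_chain.pfx "$4" || { echo "PKCS12 lacks alias gateway-identity" >&2; return 1; }
    echo "pre-flight OK: corp_cert_chain.pfx is ready for Step 3 (-srcalias gateway-identity)"
}

# Usage (assumed file names):
#   KNOX_KEY_PASS=... sh knox_cert_preflight.sh knox.key knox.cer chain.cer '<pfx-password>'
#   knox_served_cert_matches knox.example.internal:8443 knox.cer   # after the restart
if [ "$#" -eq 4 ]; then
    knox_preflight "$@"
fi
```

Run the pre-flight on the Knox node before Step 2; the resulting corp_cert_chain.pfx drops straight into Step 3 with -srcalias gateway-identity. After the restart, a fingerprint mismatch from knox_served_cert_matches means the gateway is still serving the old self-signed certificate, usually because gateway.jks was not replaced or the alias or passwords do not line up.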
Bash Script: knox_ssl.sh
- This script replaces the default Knox self-signed certificate with the CA-signed certificate you provide.
- Download and run it on the Knox server node.
- Check that the keystore password matches the master secret created earlier; the script offers to reset it if they differ.