Creating and Installing Custom CA-Signed Certificate

Product version: 11.1

Last modified: 29 May 2025

Question

How do I create and install a custom CA-signed certificate for Transporter?

Background

When you purchase an SSL certificate, you receive several files from a Certificate Authority (CA), including:

  • The certificate file (e.g., your_domain.crt)

  • The private key file (created during CSR generation)

  • The CA bundle (e.g., gd_bundle-g2-g1.crt)

You need to create the final certificate files required for your system:

  • certkey.pem – a combination of the certificate and private key

  • CA-Certificate.pem – a standalone file containing the CA bundle

Answer

Before NAKIVO Backup & Replication can use the Transporter, the Director needs to recognize the Transporter as secure. This process requires two certificates, one on the Director side and one on the Transporter side.

Note
The process of creating and setting up certificates requires the OpenSSL package, which must be installed on the Linux OS.

Creating CA-signed Certificate

To create and set up a custom CA-signed certificate, do the following:

  1. Generate an RSA key with the following commands:

    openssl genrsa -out rsa.key 2048

    openssl rsa -in rsa.key -noout -text

  2. Generate Certificate Signing Request (CSR) with the following commands:

    openssl req -new -key rsa.key -out rsa.csr

    openssl req -in rsa.csr -noout -text

  3. Generate CA Key and self-signed certificate with the following commands:

    openssl genrsa -out ca.key 2048

    openssl req -new -x509 -key ca.key -out ca.crt

  4. Perform the signing procedure with the following commands:

    openssl x509 -req -in rsa.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out rsa.crt

    openssl x509 -in rsa.crt -noout -text

  5. Rename rsa.crt to rsa.pem.

  6. Create a separate file that includes both key and certificate with the following command:

    cat rsa.key rsa.pem > certkey.pem

  7. Rename ca.crt to CA-Certificate.pem.
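
Before installing the files, you can confirm that certkey.pem and CA-Certificate.pem are consistent with each other. The following script is an added example, not part of NAKIVO's documentation or tooling; the function name check_cert_files and the script name check_certs.sh are hypothetical, and it assumes an RSA key as generated in step 1.

```shell
#!/bin/sh
# Added example: check_cert_files is a hypothetical helper, not NAKIVO tooling.
# Usage: sh check_certs.sh certkey.pem CA-Certificate.pem

check_cert_files() {
    certkey=$1   # private key + certificate, from step 6
    cacert=$2    # CA certificate, from step 7

    # 1. The combined file must hold both a private key and a certificate.
    if ! grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$certkey" ||
       ! grep -q -e '-----BEGIN CERTIFICATE-----' "$certkey"; then
        echo "FAIL: $certkey lacks a private key or a certificate" >&2
        return 1
    fi

    # 2. The private key must parse and be internally consistent.
    if ! openssl rsa -in "$certkey" -check -noout >/dev/null 2>&1; then
        echo "FAIL: private key in $certkey is not a valid RSA key" >&2
        return 2
    fi

    # 3. The certificate's public key must be the one derived from the private key.
    key_pub=$(openssl pkey -in "$certkey" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$certkey" -noout -pubkey 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$key_pub" != "$crt_pub" ]; then
        echo "FAIL: certificate and private key do not match" >&2
        return 3
    fi

    # 4. The certificate must verify against the CA file the Director will trust.
    if ! openssl x509 -in "$certkey" |
         openssl verify -CAfile "$cacert" >/dev/null 2>&1; then
        echo "FAIL: certificate does not chain to $cacert" >&2
        return 4
    fi

    echo "OK: $certkey matches its key and verifies against $cacert"
}

# Run the check when two file names are given on the command line.
if [ "$#" -eq 2 ]; then
    check_cert_files "$1" "$2"
fi
```

A non-zero exit status identifies which check failed: 1 for a missing key or certificate, 2 for an invalid key, 3 for a key and certificate mismatch, 4 for a certificate that does not verify against the CA file.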

Installing a Certificate on the Director

To install a custom CA-signed certificate created using the method described above or prepared beforehand, do the following:

  1. Copy CA-Certificate.pem certificate file to the /opt/nakivo/director/userdata folder.

    Important
    The name of the certificate file to be put in the userdata folder cannot be anything other than CA-Certificate.pem.

  2. Navigate to the /userdata folder and run the following command to set the read, modify, and run permissions:

    chmod 755 CA-Certificate.pem

  3. Restart Director Service with the following command:

    systemctl restart nkv-dirsvc

Installing a Certificate on the Transporter

  1. Replace the existing certificate file in the Transporter installation folder with the created certkey.pem.

  2. Navigate to the Transporter installation folder and run the following command to set the read, modify, and run permissions:

    chmod 755 certkey.pem

  3. Restart the Transporter Service with the following command:

    systemctl restart nkv-bhsvc