KB Article #181857

How to change Secure Relay Master Agent (Gateway) and Router Agent (XSR) certificates

Problem

The Secure Relay test certificates that Axway provides as samples (they encrypt the communication between the Gateway and the Secure Relay RA) expire on November 4th 2021. The details below explain how to change them when the new certificates that you create use the same name and password as the sample certificates.



Resolution

The steps below can be used if you create a new certificate chain (one CA and two user certificates, one for the Master Agent/Gateway and one for the Secure Relay RA) with the same name and the same password as the sample certificates provided by Axway:



1. Gateway:


a. via Navigator:


- open the Gateway Navigator, right click on the Gateway/server name and choose configure


- access the Secure Relay section and, under Master Agent side, select the two newly created certificates, making sure that the paths to them are correct. The "Certificate file" field is for the user certificate; the "CA Certificate file" field is for the CA certificate


You can also simply rename/move the old, expired certificates, and copy the new ones, with the same name.


In this case, just make sure that the paths and certificate names are correct.


- click Apply > OK


- stop the Gateway



b. via command line:


- open a terminal/cmd window, load the Gateway profile and launch the following command (this is recommended to be done with the Gateway stopped):


peluconf standalone geta | grep xsr


and look for these two lines:


[xsr]master_cert_file=''


[xsr]ca_cert_file=''


Make sure that the paths to the new certificate files are correct. If not, you can change them using the following commands, with the Gateway stopped:


- for user certificate: peluconf standalone set -s xsr master_cert_file [path to the user certificate]


- for CA: peluconf standalone set -s xsr ca_cert_file [path to the CA certificate]



2. Secure Relay RA (Router Agent)


- stop the Secure Relay RA


- open the configuration.xml file (XSR_install_dir/SecureRelayRA/conf/)


- make sure that the lines:


<CACertificate>/path_to_CA_certificate/SecureRelayCA.pem</CACertificate>


<UserCertificate>/path_to_user_certificate/SecureRelayRouterAgent.p12</UserCertificate>


point to the correct path of the newly created certificates


You can also, as with the Master Agent (Gateway), rename/move the expired certificates and copy the new ones into the same location, using the same names.



Once all the above steps have been followed, you can start the products: first the Secure Relay RA, then the Gateway.



The new certificates must comply with the following guidelines:


- the names need to be the same as those of the sample certificates:


- CA: SecureRelayCA.pem


- Router Agent user certificate: SecureRelayRouterAgent.p12


- Master Agent (Gateway) user certificate: SecureRelayMasterAgent.p12


- the password needs to be "test" (test, all in lowercase letters, no punctuation signs, no special signs)


- CA: X509v3 Basic Constraints: CA:TRUE and X509v3 Key Usage: Certificate Sign.


- the user certificate (for both Secure Relay RA and MA): must have at least the following parameters: X509v3 Key Usage: Digital Signature, Key Encipherment and Key Agreement
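
A pre-flight check for the guidelines above, as an added example that is not part of the original article or of Axway's tooling: it reads the certificates with the openssl CLI and confirms the CA flag, the required key usages, the expiry and the chain before the products are restarted. The function names are hypothetical, and openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example, not Axway code: pre-flight check of replacement Secure Relay
# certificates against the guidelines above. Function names are hypothetical.

# Print the value line that follows an extension header in
# `openssl x509 -noout -text` output ($1 = text, $2 = header).
ext_value() {
    printf '%s\n' "$1" | awk -v h="$2" 'index($0, h) { getline; print; exit }'
}

# Succeed only if every key usage named after $1 is present in the certificate.
has_usages() {
    list=",$(ext_value "$1" 'X509v3 Key Usage' | tr -d ' '),"
    shift
    for u in "$@"; do
        want=$(printf '%s' "$u" | tr -d ' ')
        case $list in
            *",$want,"*) ;;
            *) echo "missing key usage: $u" >&2; return 1 ;;
        esac
    done
}

# Succeed only if Basic Constraints carries CA:TRUE.
is_ca() {
    ext_value "$1" 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# $1 = SecureRelayCA.pem: CA flag, Certificate Sign, and not yet expired.
check_ca_file() {
    t=$(openssl x509 -in "$1" -noout -text) || return 1
    is_ca "$t" && has_usages "$t" 'Certificate Sign' &&
        openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# $1 = user .p12 (password "test" per the article), $2 = CA file.
check_user_p12() {
    pem=$(openssl pkcs12 -in "$1" -passin pass:test -nokeys -clcerts) || return 1
    t=$(printf '%s\n' "$pem" | openssl x509 -noout -text) || return 1
    has_usages "$t" 'Digital Signature' 'Key Encipherment' 'Key Agreement' &&
        printf '%s\n' "$pem" | openssl verify -CAfile "$2" >/dev/null
}

# Constructed sample of the relevant `openssl x509 -text` lines (not a real cert).
SAMPLE_USER='            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement'
```

Run `check_ca_file SecureRelayCA.pem` once and `check_user_p12 <file>.p12 SecureRelayCA.pem` for each of the two user certificates; a non-zero exit status means a guideline is not met.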



If you do not want to keep the same name and password for the new certificates, please have a look at the following article where detailed steps are provided for generating new "*.dat" files for encrypting the new certificate's password:


https://support.axway.com/kb/181859