oatroshc
Cisco Employee

The instructions in this article utilize a ThousandEyes Virtual Appliance (TEVA) for demonstration purposes only. TEVAs are locked and permit only a subset of privileged commands to be run. Please use the guidance below for creating a self-signed certificate on a separate system, which can then be uploaded to your TEVA. 

Welcome to another article in our series about ThousandEyes!

ThousandEyes is a powerful SaaS platform that gives a digital picture of enterprise infrastructure, formed by test views, alerts, dashboards, and other components. The ThousandEyes platform uses vantage points, called Enterprise Agents (EAs), running on a Linux platform to execute the tests. In other words, an Enterprise Agent is a Linux machine that is either fully or partially controlled by the user. One of the installation types is a “Virtual Appliance” or "VA" - a virtual machine providing a pre-installed agent running Ubuntu Linux. The virtual appliance contains a web-based management console to configure various settings. Further details about ThousandEyes Enterprise Agents can be found in our official documentation.

A web-based management console refers to controlling the system through an internet browser – Chrome, Firefox, etc. -  which uses SSL-secured communication. An SSL certificate is needed to encrypt data transmitted between a user's browser and an Enterprise Agent web interface. Since an SSL certificate is typically issued for a limited period, it may need to be renewed upon expiration.

This article will describe how to re-issue an SSL certificate simply and in as few steps as possible.

Disclaimer: This article does not cover the following foundational information

  • What is the purpose of SSL?
  • What is a self-signed certificate and why do we use those on private devices?
  • What are CSR, private, and public keys?
  • Why web browsers do not like self-signed certificates and how to bypass this.

Baseline:

  • Lab security appliance: ThousandEyes Raspberry PI, IP 192.168.100.8
  • SSL certificate before changes: issued on 21 July 24, valid till 21 July 2025:
[Screenshot 1: SSL certificate before changes, as shown in the browser]

Let’s define the steps for renewing an SSL certificate:

  1. Review current data: existing certificate and key.
  2. Generate a certificate signing request (CSR): needed to obtain a valid server certificate from a CA.
  3. Create a new self-signed certificate.
  4. Replace the old certificate and key with newly created ones.
  5. Restart Nginx.

It is worth mentioning that step [2] also creates a new key, so when creating the certificate we can use either the existing key or the new one.

Alright, let’s get started!

1. Reviewing current data.

First, let's start by looking at the current certificate and key storage. To do this, we need to connect to the command line of the Appliance and check the folder teva:

$ sudo ls -l /etc/ssl/private/teva
total 8
-rw------- 1 root root 1854 Jul 21 13:59 teva.crt
-rw------- 1 root root 3272 Jul 21 14:00 teva.key

As we can see, the main files here are the .key and .crt files. If we check their creation dates, we will see that they exactly match what is displayed in the web browser when we connect to the device and under Appliance UI – SSL Settings.

[Screenshot 2: current SSL certificate]

 As we mentioned earlier, to create a new certificate or update an existing one, we can use the existing .key file. In our scenario, we will use a new key.

2. Generating CSR.

a) Log on to the device via the web. In our scenario, we use the URL: https://192.168.100.8

b) Click on the ThousandEyes Virtual Appliance logo in the upper-left corner. An extended left-hand menu will appear.

c) Navigate to “SSL Settings”, scroll down to the section "Generate CSR", fill in the mandatory fields (CN, CC, State, Locality, Org), and click the "Create CSR" button:

[Screenshot 3: creating the CSR]

Once the CSR is generated, you will see its data on the right.

[Screenshot 4: created CSR]

At this point, we can log out and close the browser. 

Let’s move to the CLI. Now, if we check the certificate and key storage, we will find a new folder named request:

$ sudo ls -l /etc/ssl/private/teva
total 12
drwxr-xr-x 2 root root 4096 Jul 25 15:38 request
-rw------- 1 root root 1854 Jul 21 13:59 teva.crt
-rw------- 1 root root 3272 Jul 21 14:00 teva.key

with a new key, CSR, and its text version:

$ sudo ls -l /etc/ssl/private/teva/request
total 12
-rw-r--r-- 1 root root 142 Jul 25 15:38 csr_details.txt
-rw-r--r-- 1 root root 1679 Jul 25 15:38 ole.te.local.csr
-rw------- 1 root root 3272 Jul 25 15:38 ole.te.local.key

3. Creating a new self-signed certificate.

Let’s move to the CLI. Since cd is a shell builtin, it cannot be run through sudo, so run the following from a root shell:

# cd /etc/ssl/private/teva/request
# openssl x509 -req -days 365 -in ole.te.local.csr -signkey ole.te.local.key -out ole-july25.crt

If there are no mistakes (for example, filenames are correct) – it should finish with this output:

Signature ok
subject=CN = ole.te.local, C = PL, ST = MLP, L = Krakow, O = ThousandEyes
Getting Private key

Checking files again:

$ sudo ls -l
total 16
-rw-r--r-- 1 root root 142 Jul 25 15:38 csr_details.txt
-rw------- 1 root root 1874 Jul 25 15:56 ole-july25.crt
-rw-r--r-- 1 root root 1679 Jul 25 15:38 ole.te.local.csr
-rw------- 1 root root 3272 Jul 25 15:38 ole.te.local.key

ole-july25.crt – this is a new certificate.

4. Replacing the old certificate and key with new ones.

With our new credentials in hand, our next step is to replace the old key and certificate with the new files.

Best Practice: For safety, consider backing up the existing key and .crt files (this ensures we can roll back if something goes wrong):

cp ./teva.* /var/backup/

Now replacing the files:

tepi:/etc/ssl/private/teva# cp ./request/ole.te.local.key ./teva.key
tepi:/etc/ssl/private/teva# cp ./request/ole-july25.crt ./teva.crt

5. Restart Nginx

The final step is to restart Nginx to begin using the new certificate:

# systemctl restart nginx

Let’s open a new browser session and access the Appliance (https://192.168.100.8):

[Screenshot 5: new certificate installed]

We can see the certificate is re-issued with new parameters, including dates, CN, and Organization!
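
Before step 4 overwrites teva.crt and teva.key, it helps to confirm that the new certificate and key belong together and that the validity period is what you expect, because Nginx will not load a mismatched pair after the restart in step 5. The script below is an added example, not part of the original article: it compares the public key inside the certificate with the one derived from the private key and checks the remaining validity. The function names (spki_hash, check_pair, make_selfsigned) and the *.te.example demo files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-install check for a replacement certificate/key pair.
# Function names, file names and the 2048-bit demo keys are constructed here.

# Read a PEM public key on stdin, print the SHA-256 of its DER (SPKI) encoding.
spki_hash() {
    openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# check_pair CERT KEY MIN_DAYS
#   0 = pair matches and the cert is valid for at least MIN_DAYS more days
#   1 = cert and key do not belong together
#   2 = cert expires within MIN_DAYS
#   3 = cert or key could not be parsed
check_pair() (
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 3
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 3
    [ "$(printf '%s\n' "$cert_pub" | spki_hash)" = \
      "$(printf '%s\n' "$key_pub" | spki_hash)" ] || return 1
    openssl x509 -in "$1" -noout -checkend $(( $3 * 86400 )) >/dev/null || return 2
)

# make_selfsigned DIR NAME: key + CSR, then the article's "x509 -req -signkey"
# step, as it would be run on a separate system (2048-bit key keeps the demo fast).
make_selfsigned() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -days 365 -in "$1/$2.csr" -signkey "$1/$2.key" \
        -out "$1/$2.crt" 2>/dev/null
}

# Demo on throwaway files: a matching pair, then the new cert with the wrong key.
demo=$(mktemp -d)
make_selfsigned "$demo" new.te.example
make_selfsigned "$demo" old.te.example
check_pair "$demo/new.te.example.crt" "$demo/new.te.example.key" 30 &&
    echo "new cert + new key: ok to install"
check_pair "$demo/new.te.example.crt" "$demo/old.te.example.key" 30 ||
    echo "new cert + old key: rejected (code $?)"
rm -rf "$demo"
```

Against the article's files, the call would be `check_pair ole-july25.crt ole.te.local.key 30`, run from the request directory before step 4.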

If you run into any issues renewing a self-signed certificate and are an existing customer (or use a trial license of ThousandEyes), you can always contact our expert engineers and get almost instant support using ThousandEyes chat.
