Certificate Installation Cisco CMX

fatalXerror
Level 5

Hi guys,

I tried to install a certificate on my CMX. It was a success, but when I check the CMX portal, it still uses the default certificate?

I followed the CMX documentation about this; maybe you can share what is happening here.

Thanks

11 Replies

Hi

 Did you reboot it after certificate installation?

 If you create a directory, did you give permission to the file?

-If I helped you somehow, please, rate it as useful.-

Hi Flavio,

At first I tried to reboot the service but it doesn't work, and then I tried to reboot the machine but it still doesn't work either.

 

Hi

 If you created manually any directory, make sure you gave permissions.

-If I helped you somehow, please, rate it as useful.-

I use this command to install the certificate,

 

cmxctl node sslmode enable --pem /opt/haproxy/ssl/newcert/localhost.pem

Is this correct? Then I restart the service or reboot the machine.

I don't know if you follow any guide but I think there's something missing on your command:

 

On this guide, the command looks like this:

 

cmxctl node sslmode enable --pem /home/cmxadmin/cert.pem --key /home/cmxadmin/host.key

 

This is shown on the section "Importing Certificates". Then you have the section "install Self-signed Certificate" and "Install Third Party certificate".

 

-If I helped you somehow, please, rate it as useful.-

 

I tried to follow this document

 

https://www.cisco.com/c/en/us/td/docs/wireless/mse/10-3/cmx_config/b_cg_cmx103/getting_started_with_cisco_cmx.html#id_25556

 

but it is showing an error like it has a different key, but if you check, it is the same key.

Maybe I did not correctly configure the CSR; can you provide what the command should be to generate a CSR?

Are you using Self-signed certificate? Did you use Openssl?

-If I helped you somehow, please, rate it as useful.-

I am a bit new to Linux. I did use openssl to generate the CSR, but I am not sure if that is the correct way to generate a CSR in CMX.

This is not something we do frequently so I'd go with a guide as well. There are tons of guides for this subject. For example this one:

 

https://www.akadia.com/services/ssh_test_certificate.html

-If I helped you somehow, please, rate it as useful.-

Hi There!

I've just found this as I was running into the same issue - I've done this on two lab nodes and here is the process I used to get it working:

Login to CMX CLI

 

Generate the CSR (you can also do this in openssl within windows or other OS to get SAN certs)

openssl req -nodes -days 365 -newkey rsa:2048 -keyout /home/cmxadmin/private.key -out /home/cmxadmin/cert.crt

 

CAT the cert.crt to see the certificate signing request

 

cat cert.crt

---begin certificate signing request---

Blah

---end certificate signing request---

Upload to CA for signing (I was using the MS CA in our lab)

 

Then you can CAT the private key (or open in notepad depending on where you did this)

Combine the Private Key, signed cert, then any intermediate and root certs and save as a pem file - you can do this in notepad (or other plaintext editor) and then SCP it onto CMX, or you can run vim directly on CMX to create the file and paste the content in.

It should look similar to this:

---begin private key---

Blah

---end private key---

---begin certificate---

Cmx signed certificate

---end certificate---

---begin certificate---

Intermediate root certificate (if applicable)

---end certificate---

---begin certificate---

root certificate

---end certificate---

 

The private key and the pem file (containing the key) should be in the /home/cmxadmin/ folder.

 

Use CLI, change to the above folder and then do an ls -l - you should see the owner as cmxadmin. You will need to chmod the permissions of the pem and the key files:

chmod 644 private.key

chmod 644 cert.pem

 

Which makes them read-only

Verify the cert:

openssl verify -CAfile /home/cmxadmin/cert.pem /home/cmxadmin/cert.pem

 

You should see an "OK" message

 

Then, execute:

cmxctl node sslmode enable --pem /home/cmxadmin/cert.pem --key /home/cmxadmin/private.key

 

You should see ssl enabled

 

Restart the agent and ha proxy:

cmxctl restart agent

cmxctl restart proxy

 

Once restarted, check the web server is using the expected certificate (ensure that your root cert is trusted by the browser or API keystore).
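
The "different key" error reported earlier in this thread can be checked before running cmxctl. The script below is an added example, not part of any post here and not Cisco tooling: it compares the public key of the private key with that of the first certificate in the bundle, and checks that the bundle starts with the key block as in the layout above. The function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight checks for the key and PEM bundle described above.
# Function names are hypothetical; file paths are supplied by the caller.

# Succeeds only if the private key in $1 and the first certificate in $2
# carry the same public key. Returns 2 if either file cannot be parsed.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Succeeds only if the first PEM block in bundle $1 is a private key,
# which is the ordering the post above uses for cert.pem.
# tr strips carriage returns left by Windows editors such as Notepad.
bundle_starts_with_key() {
    first=$(grep '^-----BEGIN ' "$1" | head -n 1 | tr -d '\r')
    case "$first" in
        *"PRIVATE KEY-----") return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: sh check_bundle.sh private.key cert.pem
if [ "$#" -eq 2 ]; then
    bundle_starts_with_key "$2" ||
        echo "WARN: $2 does not begin with a private key block"
    if key_matches_cert "$1" "$2"; then
        echo "OK: $1 matches the first certificate in $2"
    else
        echo "MISMATCH: $1 does not match $2 (or a file could not be parsed)"
        exit 1
    fi
fi
```

A mismatch here usually means the CA signed a CSR that was generated with a different key than the one placed in the bundle.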
