CA-Signed Server Certificates
By default, FMOS provides a self-signed certificate for HTTPS communication. This certificate can be replaced using the fmos pki import-server-cert command. This command will overwrite the existing certificate and private key files:
fmos pki import-server-cert server.cer server.key
If the replacement certificate is signed by an intermediate certificate authority, the --chain argument can be used to specify the path to a file containing the intermediate CA certificates that should be sent along with the server certificate:
fmos pki import-server-cert server.cer server.key --chain server-chain.crt
This command supports certificate and private key files in PEM (base-64), DER (binary) and PKCS#12 formats. If the private key and certificate are stored in the same file (in PEM or PKCS#12 formats only), they will be separated automatically:
fmos pki import-server-cert server.p12
After replacing the server certificate, the changes will be applied automatically. No services need to be restarted for the changes to take effect.
Note: FMOS will automatically renew the self-signed certificates it creates when they expire, but it will not do so for CA-signed certificates.
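A pre-import check for the files passed to fmos pki import-server-cert, as an added example that is not part of FMOS or its documentation. It assumes PEM input, an unencrypted private key, the openssl command-line tool, and a separate root CA file (root.crt is a hypothetical name). It confirms that the key belongs to the certificate, that the chain file links the certificate to the root, and that expiry is not near, since FMOS does not renew CA-signed certificates:

```shell
#!/bin/sh
# Added example: sanity checks to run before importing a CA-signed certificate.
# Assumptions: PEM files, unencrypted key, openssl CLI on PATH.
# Usage (script name is hypothetical):
#   sh precheck.sh server.cer server.key server-chain.crt root.crt

# Succeeds if the private key ($2) belongs to the certificate ($1).
# Compares the public key extracted from each file.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the certificate ($3) validates to the root ($1) using only
# the intermediates in the chain file ($2), i.e. the file given to --chain.
chain_verifies() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Succeeds if the certificate ($1) is still valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Runs all checks; arguments: cert key chain root.
# Key mismatch or a broken chain is a failure; near expiry is a warning.
preimport_check() {
    rc=0
    cert_matches_key "$1" "$2" ||
        { echo "FAIL: private key does not match certificate"; rc=1; }
    chain_verifies "$4" "$3" "$1" ||
        { echo "FAIL: chain file does not link certificate to root"; rc=1; }
    valid_for_days "$1" 30 ||
        echo "WARN: certificate expires within 30 days and will not auto-renew"
    return $rc
}

if [ "$#" -eq 4 ]; then
    preimport_check "$@"
fi
```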
Repeat for any intermediate CA and root CA.