Scrutinizer

Scrutinizer virtual appliances can be deployed in local hypervisors, Google Cloud Platform, or Amazon Web Services (as an AMI via the AWS Marketplace). Hardware appliances are also available upon request.

Contact Plixer Technical Support or a local reseller for availability and licensing or visit www.plixer.com to learn more.

Note

Scrutinizer virtual appliance packages are also available for download from the Plixer Customer Portal.

On this page:

Virtual appliances

Virtual appliances

Hardware appliances

Hardware appliances

Basic configuration

Basic configuration

Virtual appliances

Basic requirements for virtual appliances

Component	Minimum (for trial installations)	Recommended (for production environments)
Memory	16 GB	24 GB
Storage	100 GB	1+ TB 15K RAID 0 or 10 configuration
Processor	8 CPU cores, 2.0+ GHz	12 CPU cores, 2.0+ GHz

CPU cores and RAM based on flow rate and exporter count

Flows/s		Exporters
		5	25	50	100	200	300	400	500
5k		8 CPU cores 16 GB RAM	8 CPU cores 16 GB RAM	10 CPU cores 20 GB RAM	14 CPU cores 28 GB RAM	20 CPU cores 39 GB RAM	26 CPU cores 52 GB RAM	32 CPU cores 67 GB RAM	38 CPU cores 82 GB RAM
10k		8 CPU cores 16 GB RAM	8 CPU cores 16 GB RAM	12 CPU cores 24 GB RAM	18 CPU cores 36 GB RAM	25 CPU cores 50 GB RAM	32 CPU cores 65 GB RAM	38 CPU cores 81 GB RAM	43 CPU cores 97 GB RAM
20k		16 CPU cores 32 GB RAM	16 CPU cores 32 GB RAM	16 CPU cores 32 GB RAM	24 CPU cores 48 GB RAM	32 CPU cores 64 GB RAM	38 CPU cores 80 GB RAM	43 CPU cores 96 GB RAM	48 CPU cores 112 GB RAM
50k		32 CPU cores 64 GB RAM	32 CPU cores 64 GB RAM	32 CPU cores 64 GB RAM	32 CPU cores 64 GB RAM	39 CPU cores 80 GB RAM	44 CPU cores 96 GB RAM	48 CPU cores 112 GB RAM	52 CPU cores 128 GB RAM
75k		46 CPU cores 96 GB RAM	46 CPU cores 96 GB RAM	46 CPU cores 96 GB RAM	46 CPU cores 96 GB RAM	46 CPU cores 96 GB RAM	49 CPU cores 112 GB RAM	52 CPU cores 128 GB RAM	55 CPU cores 144 GB RAM
100k		52 CPU cores 128 GB RAM	52 CPU cores 128 GB RAM	52 CPU cores 128 GB RAM	52 CPU cores 128 GB RAM	52 CPU cores 128 GB RAM	52 CPU cores 128 GB RAM	55 CPU cores 144 GB RAM	58 CPU cores 160 GB RAM
125k		58 CPU cores 160 GB RAM	58 CPU cores 160 GB RAM	58 CPU cores 160 GB RAM	58 CPU cores 160 GB RAM	58 CPU cores 160 GB RAM	58 CPU cores 160 GB RAM	58 CPU cores 160 GB RAM	61 CPU cores 176 GB RAM
150k		64 CPU cores 192 GB RAM	64 CPU cores 192 GB RAM	64 CPU cores 192 GB RAM	64 CPU cores 192 GB RAM	64 CPU cores 192 GB RAM	64 CPU cores 192 GB RAM	64 CPU cores 192 GB RAM	64 CPU cores 192 GB RAM

Note

• In clustered virtual environments, assign a static MAC address to the Scrutinizer NIC to avoid license key issues.

• Disk sizes can be expanded to support higher flow rates after deployment. A dedicated 15k RPM RAID 10 datastore is recommended for optimal performance.

• See this guide for further sizing recommendations.

ESXi deployment

Additional requirements:

• ESXi 6.7 U2+

• VMware vSphere or vCenter

Deploying the OVF template

1. Download the latest VMware virtual appliance package from the Plixer Customer Portal.

2. Extract the contents of the package to a location on the ESXi server.

3. In vSphere or vCenter, deploy the appliance on a host using the OVF template option (this will require the OVF and VMDK files).

4. Select Thick Provision for the datastore disk format.

5. After selecting the network to be used by the virtual appliance, verify the configuration in the summary before starting the import operation.

6. After the template has been successfully imported (may take several minutes), assign a static MAC address to the Scrutinizer NIC for licensing purposes.

7. Power on the VM.

After the Scrutinizer virtual appliance completes booting, proceed with the initial appliance setup.

Note

To upgrade the virtual machine’s hardware version to the latest ESXi version, select Compatibility > Upgrade VM Compatibility in vSphere or vCenter while the VM is powered off. When the VM is powered back on after the upgrade, it will boot up with the latest ESXi hardware version available.

Expanding database size

To allocate additional storage space to the Scrutinizer database, follow these steps:

View instructions

1. Power off the Scrutinizer VM.

2. Add a new hard disk to the device.

3. Select the type of disk provisioning based on these recommendations.

4. Confirm to add the new disk.

Once the new disk has been added, power on the VM and follow this guide to make it available to Scrutinizer.

Hyper-V deployment

Additional requirements:

• Generation 2 Hyper-V VM

• Hyper-V 2012

• Hyper-V Manager

Deploying the Hyper-V virtual appliance

1. Download the latest Hyper-V virtual appliance package from the Plixer Customer Portal.

2. Extract the contents of the package to a location on the Hyper-V server.

3. In Hyper-V Manager, select the option to import a VM, and then select the Scrutinizer Hyper-V image.

4. After the image has been imported, provision the Scrutinizer VM based on the recommended sizing for the expected flow rate.

5. Select a network adapter and assign it to the appropriate virtual switch.

6. Assign a static MAC address to the VM.

7. Save the updated settings, and then start the VM.

After the Scrutinizer virtual appliance completes booting, connect to the VM and then proceed with the initial appliance setup.

Expanding database size

Depending on the volume of NetFlow data that will be forwarded to the Scrutinizer virtual appliance, it may be necessary to allocate additional storage space for its database.

To add a hard drive to the Scrutinizer virtual machine, follow these steps:

1. Power off the Scrutinizer VM.

2. In Hyper-V Manager, select the option to add a new virtual hard drive in the VM’s settings.

3. Select VHDX as the disk format (supports expansion past 2 TB).

4. Configure the other disk settings as needed.

Once the new drive has been added, power the VM on and follow this guide to make it available to Scrutinizer.

KVM deployment

Additional requirements:

• KVM 16 or higher

Deploying the KVM virtual appliance

1. Download the latest KVM virtual appliance package from the Plixer Customer Portal.

2. Create a directory for the install:

   mkdir /kvm/scrutinizer_vm/
   

3. Extract the contents of the package to the new directory:

   sudo tar xvzf PACKAGE_FILENAME.tar.gz -C /kvm/scrutinizer_vm/
   

4. Run the installation script in the new directory:

   cd /kvm/scrutinizer_vm/PACKAGE_FILENAME
   sudo ./install-kvm-scrut.sh
   

5. Wait for the confirmation that the virtual machine has been created from the image.

After the VM starts up, access the console using virsh console <VM_DOMAIN_OR_ID> to proceed with the initial appliance setup.

Proxmox deployment

Note

• When attaching the imported disk (step 6), verify that its name matches what’s displayed in the GUI.

• The syntax in the instructions below should be modified to match the actual VMID and disk names/numbers used.

Deploying the virtual appliance in Proxmox

1. Contact Plixer Technical Support and use the link they provide to download the latest VMware virtual appliance package:

   curl -k -o PACKAGE_FILENAME.tar.gz https://files.plixer.com/PACKAGE_PATH/PACKAGE_FILENAME.tar.gz
   

2. Extract the contents of the file and upload the *.vmdk file to a location that can be accessed by Proxmox on the Proxmox server (e.g., /var/lib/vz/template/).

3. Convert the VMDK disk image to a Proxmox-compatible format:

   qemu-img convert -f vmdk -O qcow2 FILENAME.vmdk Plixer_Scrutinizer.qcow2
   

4. Create a new virtual machine in Proxmox with the following configuration:

   • BIOS: OVMF (UEFI)

   • SCSI controller: VMware PVSCSI

   • Network adapter: E1000

   • CPU/memory: Recommended sizing

   • Add a new EFI disk with default sizing

5. Import the disk via the CLI:

   qm importdisk VMID /var/lib/vz/template/Plixer_Scrutinizer.qcow2 ZFS_DISK_NAME
   

   Example:

   qm importdisk 100 /var/lib/vz/template/Plixer_Scrutinizer.qcow2 local-zfs
   

6. Attach the imported disk to the virtual machine:

   qm set VMID -scsi0 local-zfs:VM_DISK_NAME
   

   Example:

   qm set 100 -scsi0 local-zfs:vm-101-disk-1
   

7. Remove/delete the unused disk (the default disk created when the VM was added in Proxmox).

8. Start the VM.

After the VM starts up, access the console to proceed with the initial appliance setup.

Nutanix deployment

Deploying the virtual appliance in Nutanix

1. Contact Plixer Technical Support and use the link they provide to download the latest VMware virtual appliance package:

   curl -k -o PACKAGE_FILENAME.tar.gz https://files.plixer.com/PACKAGE_PATH/PACKAGE_FILENAME.tar.gz
   

2. Extract the qcow2 image to a location that can be accessed by Prism Element.

3. Log in to Prism Element and upload the image (as a disk) to any storage container (except SelfServiceContainer).

4. After the image becomes active, create a new VM with the following configuration:

   • Resources: Recommended sizing (minimum of 8 cores and 16 GB RAM, fewer CPUs with more cores is recommended)

   • Boot configuration: UEFI

   • Operation: Clone from image

   • Bus type: SATA (SCSI is not recommended due to known issues with Red Hat 9 systems)

   • Image: Image/disk uploaded in step 4

   • Index: Next available

5. Add a new NIC to the VM and assign it to the desired subnet.

6. Save the VM configuration, and then power on the VM.

After the Scrutinizer virtual appliance completes booting, launch the console to proceed with the initial appliance setup.

Amazon Web Services AMI deployment

After subscribing to the service via the AWS Marketplace product page, deploy the Scrutinizer AMI by creating/launching a new EC2 instance with the following configuration:

• Names and tags: Configure the name, resource types, and optional tags for the instance.

• Application and OS images: Select the Scrutinizer AMI from the My AMIs tab.

• Instance type: Select C5.2xlarge for flow rates up to 10,000 flows per second (contact Plixer Technical Support for assistance if the expected flow volume exceeds that).

• Key pair: Select or create a new key pair to assign to the instance.

• Network settings: Select the VPC, subnet, and security group to assign the instance to.

  Important

  Because an active instance’s primary private IP address cannot be released, we recommend deploying the AMI with two NICs and using the secondary as the collection interface.

• Storage: Leave the size of the root volume (/dev/xvda/) at the default 100 GB.

• Advanced details: Set Shutdown behavior to Stop and Termination protection to Enabled.

After the instance has been launched, access the Scrutinizer web interface via the instance’s primary private or public IP address, and then proceed to add a license.

Note

• For AMI deployments, the default password for the web interface admin user is the AWS instance ID of the Scrutinizer instance, which can be copied from the Instance Summary view of the EC2 interface.

• Use the following command to SSH to the server as the plixer user after the instance has been launched:

  ssh -i PATH_TO_KEY/key.pem plixer@SCRUTINIZER_IP
  

Expanding database size

To expand the database size for a Scrutinizer AMI, create one or more additional EBS volumes in the same availability zone and attach them to the instance.

These volumes can then be made available to Scrutinizer by following this guide.

Note

set partitions (step 6 in the guide) will need to be run from the scrut_util prompt for each additional drive attached to the instance:

SCRUTINIZER> set partitions <NEW_PARTITION>

Changing instance types

Follow these steps to change the Scrutinizer instance type to increase CPU and RAM allocations:

1. SSH to the instance as the plixer user and stop all services via scrut_util:

   SCRUTINIZER> services all stop
   

2. Power off the OS:

   shutdown -h now
   

3. Stop the instance. If an Elastic IP was assigned, note the instance ID and Elastic IP address beforehand.

4. Change the instance type and restart the instance following this guide.

5. Verify that a new public DNS (IPv4), Private DNS, and Private IPs have been assigned. The Elastic IP address should also be re-assigned to the instance ID if necessary.

After the instance has been reconfigured, SSH to the Scrutinizer IP address as the plixer user and run the following scrut_util command to re-tune the system:

SCRUTINIZER> set tuning

Google Cloud Platform deployment

Additional requirements:

• A GCP project with Billing, Compute Engine, and Migrate to Virtual Machines enabled

• Permissions to create Compute Engine images, Compute Engine VM instances, and Cloud Storage buckets (if not using an existing bucket)

• A cloud storage bucket on the region intended for the VM (for staging the image)

Importing and deploying the Scrutinizer VM

1. Contact Plixer Technical Support and use the link they provide to download the latest VMware virtual appliance package:

   curl -k -o PACKAGE_FILENAME.tar.gz https://files.plixer.com/PACKAGE_PATH/PACKAGE_FILENAME.tar.gz
   

2. Extract the VMDK/image (Scrutinizer_Vmware_19.7.2-disk1.vmdk) from the file.

3. Upload the image to the staging bucket.

4. Import the image using the Migrate to Virtual Machines option with the following configuration:

   • Source: Cloud Storage

   • File: Select the uploaded VMDK

   • Operating system: RHEL 9

   This operation will create a reusable custom image and may take up to 15 minutes. The image must be successfully imported before the Scrutinizer VM can be created.

5. Create a new VM instance with the machine type most closely matching the recommended resources for the expected flow volume (n4 or c4 recommended).

6. Configure the OS and storage settings for the VM as follows:

   • Boot disk: The imported Scrutinizer image

   • Disk type: Hyperdisk Balanced (required for C4/N4 machine types)

   • Disk size: Adjust to match storage requirements (minimum of 100 GB)

7. Configure the networking settings for the VM as follows

   • Assign an external IPv4 address (ephemeral).

   • Enable HTTPS traffic through the firewall.

   • Add a network tag: scrutinizer-https.

   • Assign a hostname (optional but recommended).

8. Verify that all settings were configured correctly, and then create/launch the VM.

After the instance has been launched, connect to the VM via serial console (see below if not already enabled for the project) to proceed with the initial appliance setup.

Enabling serial console access

Serial console access (project-level setting) can be enabled for first boot validation and troubleshooting.

In the GCP console, edit the metadata settings for the Compute Engine to add the following:

• Key: serial-port-enable

• Value: true

The option to connect to the Scrutinizer VM via serial console will become available after the new key is saved.

Expanding database size

To expand the database size for a Scrutinizer appliance deployed on GCP, first add a new disk via the GCP console:

Note

A new disk can be added while the VM is running.

1. Select the option to edit the Scrutinizer VM in the GCP console.

2. Add a new disk with the following configuration.

   • Disk type: Select the same type as the boot disk.

   • Disk size: As needed

3. Save/create the new disk.

After the new disk has been added, follow this guide to make it available to Scrutinizer.

Oracle Cloud Infrastructure deployment

Additional requirements:

• A cloud storage bucket (for staging the image)

• Gateway and netmask of the OCI VNC subnet that Scrutinizer will be deployed on

Importing and deploying the Scrutinizer VM

1. Contact Plixer Technical Support and use the link they provide to download the latest VMware virtual appliance package:

   curl -k -o PACKAGE_FILENAME.tar.gz https://files.plixer.com/PACKAGE_PATH/PACKAGE_FILENAME.tar.gz
   

2. If necessary, extract the OVA (Scrutinizer_Vmware_19.7.2-bios.ova) from the file.

3. Upload the image to the storage bucket.

4. Create a new custom image by importing the uploaded file from the storage bucket with the following settings:

   • Operating system: Oracle Linux

   • Image type: VMDK

   • Launch mode: Emulated (required)

5. Create a new VM instance using the custom image and configure the following settings:

   • Select the custom image created in the previous step.

   • Select an image shape (e.g., VM.Standard.E5.Flex) and expand the CPU core count and memory allocation to match the recommended resourcing for the expected flow volume.

   • Enter a primary VNIC name (required for the Scrutinizer VM).

   • Manually assign a private IPv4 address to use as the static address for the Scrutinizer appliance (must be entered during appliance setup).

   • Add public or generated keys for SSH access.

   • Adjust the boot volume size based on these storage recommendations and keep VPU at the default value.

6. Save the instance configuration and start/launch the VM.

After obtaining the required details, SSH to the VM as the plixer user to proceed with the initial appliance setup.

Allocating additional storage

If the boot volume size defined when the VM instance was created was greater than 100 GB, make the additional storage available to Scrutinizer as follows:

Important

The steps below should be performed after the initial appliance setup has been completed.

1. SSH to the Scrutinizer VM as the plixer user and elevate to root:

   su -
   

2. Run the following and enter Fix at the prompt that follows:

   parted -l
   

3. Create a new partition:

   fdisk /dev/sda
   

   1. Enter p to verify the current partitions (sda1, sda2, and sda3).

   2. Enter n for Command, and then enter 4 for the partition number; afterwards, press Enter twice to keep the default values.

   3. Enter t for Command, 4 to select the partition, and then enter 30 to enable Linux LVM for the partition.

   4. Enter w to save the changes.

4. Restart the VM:

   reboot
   

5. Reconnect as the plixer user, elevate to root, and verify the previous changes:

   su -
   fdisk -l
   

6. Add the new partition:

   vgextend vg_scrut /dev/sda4
   

7. Allocate the storage (in excess of 100 GB) to the root and db logical volumes as needed (replace X and Y below with the desired storage allocations in GB):

   lvextend -L+XG /dev/vg_scrut/lv_db
   lvextend -L+YG /dev/vg_scrut/lv_root
   

8. Apply the changes:

   resize2fs /dev/vg_scrut/lv_db
   resize2fs /dev/vg_scrut/lv_root
   

9. Verify that the volume sizes have been expanded successfully:

   df -h | grep 'lv_'
   

When done, the additional storage will be available for use by the Scrutinizer VM/server.

Hardware appliances

Scrutinizer hardware appliances support higher collection rates due to their dedicated resources and are strongly recommended for environments with extremely high flow volumes. They are available through Plixer Technical Support.

After removing the Scrutinizer hardware appliance from its packaging, verify that all accompanying accessories (rackmount kit, appliance-locking bezel and keys, and power cord) are included. The appliance can be mounted in a standard 19-inch rack or cabinet.

Important

If your box arrives torn, dented, or otherwise damaged, the appliance itself seems damaged, or there are missing parts, contact Plixer Technical Support immediately and do not attempt to install the unit.

Hardware setup

1. Refer to the port labels to identify the ports to be used on the rear panel of the appliance:

   • iDRAC

   • Serial

   • VGA

   • USB Type-B x 2

   • 10GbE SFP x 2 (1 and 2)

   • 1GbE RJ45 x 2 (3 and 4)

   • Power supply x 2

2. Connect the power cable to one of the power supply sockets and plug the other end to a grounded AC outlet or UPS. To take advantage of the redundant PSUs, ensure that each socket is connected to an independent power source.

3. Depending on the bandwidth requirements of the environment, connect the appliance to the network using either RJ-45 or fiber optic cables. Unused ports may be left uncabled, but connecting both ports of either pair is recommended for high availability.

4. [Optional] Connect the iDRAC port to a remote access controller using an RJ-45 cable to enable remote console access for hardware management and monitoring. Contact Plixer Technical Support for help with configuring alerts for hardware-related events.

5. Using the additional ports provided, connect a monitor and keyboard to use during the appliance’s initial setup.

Once the Scrutinizer hardware appliance has been set up and cabled, proceed with the initial appliance setup.

Note

• The Ethernet port pairs are configured for adapting load balancing (bonding mode 6).

• The iDRAC virtual console can also be used for the appliance’s initial setup.

Basic configuration

After deploying and starting the appliance, follow the basic configuration steps below to prepare Scrutinizer for use.

Initial setup

After the Scrutinizer appliance completes its first boot sequence and a user logs in with the credentials plixer:plixer, it will perform a quick preliminary setup before rebooting itself.

After the reboot, log in again to start the initial setup script:

1. Provide the following information when prompted by the script:

   • Static IP address

   • Netmask

   • Gateway

   • FQDN

   • DNS IP address

   • NTP server IP address

2. Enter any additional information requested.

3. At the end of the script, press Enter and wait for the server to reboot again to apply the settings.

After the final appliance reboot, log in to the web interface at the IP address provided with the default admin:admin credentials and proceed to add a license.

Note

• The default password for the web interface admin account can be changed from the Admin > Users & Groups > User Accounts page.

• The default self-signed certificate can be replaced with a CA-signed certificate if desired.

Adding a license

To add/register a Plixer One or Scrutinizer license key, navigate to Admin > Plixer > Scrutinizer Licensing in the web interface after completing the initial appliance setup process.

A license key can be obtained by contacting Plixer Technical Support and providing them with the Machine ID displayed on the licensing page. The key should then be pasted into the License Key field and saved.

Details for the current license (validity, appliance/server counts, etc.) will be displayed on the page after a key has been added.

Configuring SSL

SSL support is automatically enabled during the initial setup process for a Scrutinizer server. A self-signed SSL certificate with default values is created at the same time.

This self-signed certificate can later be replaced with a CA-signed certificate if desired.

Note

To learn more about additional certificate-related functions, see this page.

Installing a CA-signed SSL certificate

As long as the system is set to use the self-signed SSL certificate created during the initial setup process, browsers will return an untrusted certificate warning, which users must override to access the web interface.

To avoid this, an SSL certificate that has been signed by an internal or commercial Certificate Authority (CA) will need to be installed.

Generating a custom certificate signing request (CSR)

1. SSH to the primary reporter as the plixer user:

   ssh plixer@PRIMARY_REPORTER_IP
   

2. [Optional] Create a new directory for the custom CSR, keys, and certificates:

   sudo mkdir /home/plixer/CustomCerts 
   

   This will provide a static location for storing and managing future certificates.

3. Create a CSR config/details file:

   sudo touch /home/plixer/CustomCerts/csr_config.txt
   

   Tip

   • If the details for the CSR do not change from year to year, csr_config.txt can be re-used to create a new CSR when the old certificate expires.

   • When generating a new CSR, key, and certificate, including a date in the filename will help identify the correct files in case future changes (e.g., upgrades) overwrite the existing certificate.

4. Add the details for the CSR to csr_config.txt in the following format:

   [req] 
   default_bits=2048 
   prompt=no 
   default_md=sha256 
   req_extensions=req_ext 
   distinguished_name=dn 
   
   [dn] 
   C=US 
   ST=Maine 
   L=Kennebunk 
   O=Plixer, LLC 
   OU=IT 
   emailAddress=support@plixer.com 
   CN=scrutinizer.plxr.local 
   
   [req_ext] 
   subjectAltName=@alt_names 
   
   [alt_names] 
   DNS.1=scrutinizer.plxr.local 
   

   Note

   [alt_names] is now required. To specify multiple Subject Alternative Names (SANs), use one line for each entry, with incrementing DNS numbers (DNS.2=, DNS.3=, etc.).

5. Generate the new CSR and key:

   cd /home/plixer/CustomCerts
   sudo openssl req -new -sha256 -nodes -out newRequest.csr -newkey rsa:4096 -keyout newCaKey.key -config csr_config.txt
   

The custom CSR (/home/plixer/CustomCerts/newRequest.csr) can then be sent to any preferred CA for signing.

Installing the signed certificate

Important

In some cases, Scrutinizer 19.5.x and Replicator 19.01 deployments will also have localhost.crt and localhost.key files in addition to ca.crt and ca.key. These files were generated during the deployment/upgrade process but should not be used.

The following steps will ensure that the correct certificates are in place and in use:

View instructions

1. Verify localhost.crt and localhost.key do not exist on the appliance:

   sudo ls /etc/pki/tls/certs/ 
   sudo ls /etc/pki/tls/private/ 
   

   If neither file exists, no further action is required.

2. If either of the previous commands discovers the corresponding localhost file, update the appliance to look for the correct files:

   sudo sed -i 's/localhost.crt/ca.crt/g' /etc/httpd/conf.d/ssl.conf
   sudo sed -i 's/localhost.key/ca.key/g' /etc/httpd/conf.d/ssl.conf
   sudo chmod 600 /etc/pki/tls/certs/ca.crt
   sudo chmod 600 /etc/pki/tls/private/ca.key
   sudo mv /etc/pki/tls/certs/localhost.crt /etc/pki/tls/certs.ca.crt 
   sudo mv /etc/pki/tls/private/localhost.crt /etc/pki/tls/private/ca.key 
   

3. Restart the httpd service:

   sudo systemctl restart httpd
   

After receiving the CA-signed certificate, follow these steps to install it:

1. Copy the new certificate to the /home/plixer/CustomCerts directory (or any temporary directory if CustomCerts was not previously created) on the Replicator server.

2. Backup the current CA certificate and key:

   sudo cp /etc/pki/tls/certs/ca.crt /etc/pki/tls/certs/ca.crt.bak 
   sudo cp /etc/pki/tls/private/ca.key /etc/pki/tls/private/ca.key.bak
   

3. Move the new certificate to the correct location:

   cp /home/plixer/CustomCerts/CA_CERT_FILENAME.crt /etc/pki/tls/certs/ca.crt
   

4. Move the new key generated with the CSR to the correct location:

   sudo cp /home/plixer/CustomCerts/NEW_KEY_FILENAME.key /etc/pki/tls/private/ca.key 
   

   If the CustomCerts directory was not created/used, the key can be found in the same directory the CSR was generated in.

5. Restart the nginx service (httpd on pre-v20.0.0 Replicator or pre-v19.7.0 Scrutinizer deployments):

   sudo systemctl restart nginx 
   

To verify that the web interface is using the correct SSL certificate, use a browser to navigate to the login page using the FQDN specified in the CA-signed certificate. The browser should no longer return an untrusted certificate warning and the padlock icon in the address bar should be locked instead of open.

Note

The private key may need to be encrypted with the /usr/bin/ask.sh passphrase:

openssl rsa -in server.key -out server.key.new 

Non-default CSR configurations

Certificate signing requests can also be generated with non-default configurations (stronger encryption, no email address, etc.) using the values in the csr_config.txt file in the above instructions.

After the desired configuration has been saved, continue to follow the same instructions to generate the CSR and install the CA-signed certificate.