Installing an SSL Certificate

CML ships with self-signed certificates for the main web application as well as for Cockpit. The TLS / SSL certificate enables CML to use HTTPS and encrypt all of the traffic between the CML server and the web browser, Breakout Tool, and other CML clients. A self-signed certificate still encrypts that traffic, but clients cannot verify who issued it, so browsers show a warning and users cannot tell the real server from an impostor presenting a self-signed certificate of its own. To use a trusted CA-signed certificate instead, launch the Terminal through Cockpit (see Logging into the System Administration Cockpit).

Procedure


Execute

sudo -E -s

to get a root shell (you will need to enter sysadmin’s password).

Execute

openssl req -nodes -newkey rsa:2048 -keyout privkey.pem -out cml.csr

to generate a certificate signing request (CSR) and a private key. The Terminal will interactively ask you to provide the required parameters (country, organization, common name, and so on). Use the fully qualified host name under which clients reach CML as the Common Name.

Note

The -nodes option writes the private key unencrypted. This is required: nginx and Cockpit load the key at boot with nobody present to type a passphrase, so an encrypted key would leave CML unreachable over HTTPS. When the prompt asks for an optional challenge password, leave it empty as well.

After you provide all parameters, the command will generate two files:

  • cml.csr - the certificate signing request. Send this file to your CA; it contains only the public key and the requested subject, so it is not secret.

  • privkey.pem - the private key. Ensure that it never leaves the CML instance. Anyone who obtains it can impersonate the server and decrypt captured sessions, and the certificate would then have to be revoked and reissued.

Note

When requesting the certificate from the CA, ensure:

  1. The CA includes the SAN (Subject Alternative Name) extension listing the host name (and IP address, if clients use one) under which CML is reached. Browsers ignore the CN and reject a certificate whose SAN does not match the address in the URL. The interactive openssl req command above does not put a SAN into the CSR, so the CA must add it.

  2. The certificate is PEM-encoded (Base64 text between BEGIN and END lines, not binary DER or a PKCS#12 bundle).

  3. The certificate file contains three sections in the following order, each starting with a -----BEGIN CERTIFICATE----- line and ending with an -----END CERTIFICATE----- line:

    • CML certificate

    • Issuer certificate

    • Root CA certificate

Once you receive the certificate from the CA, copy it to the CML instance.

Open the certificate in a text editor and copy each section, including its -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, into its own new file with a .cer extension, e.g., cml.cer, issuer.cer and root.cer.

Execute

openssl x509 -inform PEM -noout -text -in cml.cer
openssl x509 -inform PEM -noout -text -in issuer.cer
openssl x509 -inform PEM -noout -text -in root.cer

to decode each file. If a command returns an error such as Could not read certificate, that section is not a valid PEM certificate; look for missing lines, stray characters, or a DER or PKCS#12 file saved under a .pem name. The decoded output also lets you confirm that the Subject Alternative Name extension in cml.cer lists the CML host name and that the Issuer of each certificate matches the Subject of the next one.

Execute

mv /etc/nginx/fullchain.pem /etc/nginx/fullchain.pem.bak
mv /etc/nginx/privkey.pem /etc/nginx/privkey.pem.bak
mv /etc/cockpit/ws-certs.d/0-self-signed.cert /etc/cockpit/0-self-signed.cert.bak

to back up the original certificate chain (fullchain.pem), the original private key (privkey.pem) and the original Cockpit certificate pair (0-self-signed.cert). Keep the backups until the new certificate is confirmed to work, so you can roll back by moving them back into place.

Copy the certificate you received from your CA into /etc/nginx/fullchain.pem.

Copy the privkey.pem which was generated in the 2nd step into /etc/nginx/privkey.pem.

Execute

cat /etc/nginx/fullchain.pem /etc/nginx/privkey.pem > /etc/cockpit/ws-certs.d/0-self-signed.cert

to create the new Cockpit certificate pair. Cockpit reads the certificate chain and the private key from a single file, so this file now contains the private key as well.

Restart the CML instance from the Overview tab in Cockpit. Afterwards, open the CML web interface in a browser and confirm that no certificate warning appears and that the certificate presented is the CA-signed one; if it is not, restore the .bak files and repeat the checks above.
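The whole procedure as a script, as an added example that is not code from the CML documentation or the CML project. It generates the CSR with the SAN already in it (so the CA has it to copy), checks the returned chain for the mistakes the notes above warn about (wrong number of sections, wrong order, no SAN for the CML host, a private key that does not belong to the certificate), and installs the files with the same backups as the steps above. The file paths are the ones the procedure names; the function names, the host name cml.example.com, the chmod on the installed key and the throwaway test CA built by make_test_chain are assumptions made for the example, and the -addext option needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the CML documentation: request a certificate with the
# SAN in the CSR, check the chain the CA returns, and install it with backups.

# Step 2 with a subjectAltName in the CSR. -nodes writes the key unencrypted,
# which nginx needs because nothing can answer a passphrase prompt at boot.
make_csr() {                      # make_csr <dir> <fqdn> [DNS:alt|IP:addr ...]
    dir=$1; fqdn=$2; shift 2
    san="DNS:$fqdn"
    for alt in "$@"; do san="$san,$alt"; done
    openssl req -nodes -newkey rsa:2048 -subj "/CN=$fqdn" \
        -addext "subjectAltName=$san" \
        -keyout "$dir/privkey.pem" -out "$dir/cml.csr" 2>/dev/null
}

# The text-editor step: split fullchain.pem into cert1.cer, cert2.cer, ...
# and print how many certificates were found.
split_chain() {                   # split_chain <fullchain.pem> <outdir>
    awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ { n++ }
                   n > 0 { print > (d "/cert" n ".cer") }
                   END { print n + 0 }' "$1"
}

# Checks from the procedure plus the ones a fresh chain most often fails:
# three sections, CML -> issuer -> root order, a SAN for the CML host name,
# and a private key that really belongs to the leaf. Returns 0 only if all pass.
check_chain() {                   # check_chain <fullchain.pem> <privkey.pem> <fqdn>
    chain=$1; key=$2; fqdn=$3; ok=1
    tmp=$(mktemp -d)
    n=$(split_chain "$chain" "$tmp" 2>/dev/null)
    if [ "$n" -ne 3 ]; then
        echo "expected 3 certificates (CML, issuer, root), found $n" >&2; ok=0
    else
        for f in "$tmp"/cert1.cer "$tmp"/cert2.cer "$tmp"/cert3.cer; do
            openssl x509 -inform PEM -noout -in "$f" 2>/dev/null \
                || { echo "not a valid PEM certificate: $f" >&2; ok=0; }
        done
        # order: the leaf must verify through cert2 up to cert3 as the trust anchor
        openssl verify -CAfile "$tmp/cert3.cer" -untrusted "$tmp/cert2.cer" \
                "$tmp/cert1.cer" >/dev/null 2>&1 \
            || { echo "chain does not verify in the order CML, issuer, root" >&2; ok=0; }
        # browsers ignore the CN, so the leaf's SAN must carry the host name
        openssl x509 -noout -text -in "$tmp/cert1.cer" 2>/dev/null | grep -q "DNS:$fqdn" \
            || { echo "CML certificate has no SAN entry for $fqdn" >&2; ok=0; }
        # the public key in the leaf must equal the one derived from privkey.pem
        a=$(openssl x509 -noout -pubkey -in "$tmp/cert1.cer" 2>/dev/null || true)
        b=$(openssl pkey -pubout -in "$key" 2>/dev/null || true)
        [ -n "$a" ] && [ "$a" = "$b" ] \
            || { echo "privkey.pem does not match the CML certificate" >&2; ok=0; }
    fi
    rm -rf "$tmp"
    [ "$ok" -eq 1 ]
}

# Steps 5-8: back up the shipped files, install the new pair, rebuild the Cockpit
# file (chain followed by key). Needs root on CML; the prefix allows a dry run.
install_chain() {                 # install_chain <fullchain.pem> <privkey.pem> [prefix]
    chain=$1; key=$2; prefix=${3:-}
    nginx="$prefix/etc/nginx"; cockpit="$prefix/etc/cockpit"
    mkdir -p "$nginx" "$cockpit/ws-certs.d"
    for f in "$nginx/fullchain.pem" "$nginx/privkey.pem"; do
        if [ -e "$f" ]; then mv "$f" "$f.bak"; fi
    done
    if [ -e "$cockpit/ws-certs.d/0-self-signed.cert" ]; then   # backup goes outside ws-certs.d, as in the procedure
        mv "$cockpit/ws-certs.d/0-self-signed.cert" "$cockpit/0-self-signed.cert.bak"
    fi
    cp "$chain" "$nginx/fullchain.pem"
    cp "$key" "$nginx/privkey.pem"
    chmod 600 "$nginx/privkey.pem"        # assumption: nginx loads the key as root, nobody else needs it
    cat "$nginx/fullchain.pem" "$nginx/privkey.pem" > "$cockpit/ws-certs.d/0-self-signed.cert"
}

# Constructed fixture: a throwaway root and issuer sign the CSR from make_csr so
# the checks can be exercised offline. Not a model for operating a real CA.
make_test_chain() {               # make_test_chain <dir> <fqdn>
    dir=$1; fqdn=$2
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$fqdn" > "$dir/leaf.ext"
    for ca in root issuer; do
        openssl req -nodes -newkey rsa:2048 -subj "/CN=Test $ca" \
            -keyout "$dir/$ca.key" -out "$dir/$ca.csr" 2>/dev/null
    done
    openssl x509 -req -days 2 -in "$dir/root.csr" -signkey "$dir/root.key" \
        -extfile "$dir/ca.ext" -out "$dir/root.cer" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/issuer.csr" -CA "$dir/root.cer" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/ca.ext" -out "$dir/issuer.cer" 2>/dev/null
    make_csr "$dir" "$fqdn"
    openssl x509 -req -days 2 -in "$dir/cml.csr" -CA "$dir/issuer.cer" -CAkey "$dir/issuer.key" \
        -CAcreateserial -extfile "$dir/leaf.ext" -out "$dir/cml.cer" 2>/dev/null
    cat "$dir/cml.cer" "$dir/issuer.cer" "$dir/root.cer" > "$dir/fullchain.pem"
}

# Stand-alone demo against a scratch directory: sh cml-cert.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_test_chain "$work" cml.example.com
    check_chain "$work/fullchain.pem" "$work/privkey.pem" cml.example.com && echo "chain OK"
    install_chain "$work/fullchain.pem" "$work/privkey.pem" "$work/prefix"
fi
```

On a real CML instance the flow is: run make_csr as root, send cml.csr to the CA, save the returned chain as fullchain.pem, run check_chain against it and the privkey.pem from make_csr, then install_chain with no prefix and restart through Cockpit. The demo mode exercises the same functions against a scratch directory so nothing under /etc is touched.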