Installing SSL Certificate
CML includes self-signed certificates for the main web application as well as Cockpit. The TLS / SSL certificate enables CML to use HTTPS and encrypt all of the traffic between the CML server and the web browser, Breakout Tool, and other CML clients. If you wish to use a trusted CA-signed certificate instead, launch the Terminal through Cockpit (see Logging into the System Administration Cockpit).
Procedure
Execute
sudo -E -s
to get a root shell (you will need to enter sysadmin’s password).
Execute
openssl req -nodes -newkey rsa:2048 -keyout privkey.pem -out cml.csr
to generate a certificate signing request (CSR) and a private key. The Terminal will interactively ask you to provide the required parameters.
Note
Be sure to provide an empty passphrase; otherwise, the certificate will not be usable in CML.
After you provide all parameters, the command will generate two files:
cml.csr - you need to send the CSR to your CA to generate a certificate
Note
Ensure that:
- The CA includes the SAN (Subject Alternative Name) information in the certificate.
- The certificate is PEM-encoded.
- The certificate contains three sections in the following order. Each section should start with a -----BEGIN CERTIFICATE----- line and end with an -----END CERTIFICATE----- line:
  1. CML certificate
  2. Issuer certificate
  3. Root CA certificate
privkey.pem - ensure that the certificate will not leave the CML instance. Otherwise, the security of the certificate may be compromised.
Once you receive the certificate from the CA, copy it to the CML instance.
Open the certificate in a text editor and copy each section of the certificate, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, into a new file with a .cer extension, e.g., cml.cer, issuer.cer and root.cer.
Execute
openssl x509 -inform PEM -noout -text -in cml.cer
openssl x509 -inform PEM -noout -text -in issuer.cer
openssl x509 -inform PEM -noout -text -in root.cer
to decode each file. If a command returns an error, e.g., Could not read certificate, that section of the certificate may not be valid.
Execute
mv /etc/nginx/fullchain.pem /etc/nginx/fullchain.pem.bak
mv /etc/nginx/privkey.pem /etc/nginx/privkey.pem.bak
mv /etc/cockpit/ws-certs.d/0-self-signed.cert /etc/cockpit/0-self-signed.cert.bak
to make a backup of the original certificate, i.e., fullchain.pem, the original private key, i.e., privkey.pem, and the original Cockpit certificate pair, i.e., 0-self-signed.cert.
Copy the certificate you received from your CA into /etc/nginx/fullchain.pem.
Copy the privkey.pem which was generated in the 2nd step into /etc/nginx/privkey.pem.
Execute
cat /etc/nginx/fullchain.pem /etc/nginx/privkey.pem > /etc/cockpit/ws-certs.d/0-self-signed.cert
to create a new cockpit certificate pair.
Restart the CML instance in the Overview tab in Cockpit.
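A check that can be run on the copied files before the restart, as an added example that is not part of the Cisco documentation: it verifies the three-section order, the SAN, and that the private key loads with an empty passphrase and matches the CML certificate. The function name check_cml_bundle is hypothetical, and treating the root CA certificate as self-issued is an assumption.

```shell
#!/bin/sh
# Added example: pre-install checks for the CA-issued bundle and private key.
# check_cml_bundle is a hypothetical helper name, not a CML tool.
# Usage: check_cml_bundle <fullchain.pem> <privkey.pem>  (returns 0 if all checks pass)
check_cml_bundle() {
    chain=$1; key=$2; rc=0
    tmp=$(mktemp -d) || return 2

    # Split the bundle into one file per PEM section: cert1.pem, cert2.pem, ...
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (d "/cert" n ".pem") }' "$chain"
    count=$(ls "$tmp" | wc -l | tr -d ' ')
    if [ "$count" -ne 3 ]; then
        echo "FAIL: expected 3 certificate sections, found $count"
        rm -rf "$tmp"; return 1
    fi

    # Every section must decode (same test as the openssl x509 -text step).
    for i in 1 2 3; do
        openssl x509 -inform PEM -noout -in "$tmp/cert$i.pem" 2>/dev/null ||
            { echo "FAIL: section $i could not be read"; rc=1; }
    done

    # Order: section 1 is issued by section 2, section 2 by section 3,
    # and section 3 (the root) is issued by itself (assumption: self-issued root).
    name_hash() { openssl x509 -noout "-$1" -in "$tmp/cert$2.pem" 2>/dev/null; }
    [ "$(name_hash issuer_hash 1)" = "$(name_hash subject_hash 2)" ] ||
        { echo "FAIL: section 2 is not the issuer of section 1"; rc=1; }
    [ "$(name_hash issuer_hash 2)" = "$(name_hash subject_hash 3)" ] ||
        { echo "FAIL: section 3 is not the issuer of section 2"; rc=1; }
    [ "$(name_hash issuer_hash 3)" = "$(name_hash subject_hash 3)" ] ||
        { echo "FAIL: section 3 is not a self-issued root"; rc=1; }

    # The CML certificate (section 1) must carry a SAN extension.
    openssl x509 -noout -text -in "$tmp/cert1.pem" 2>/dev/null |
        grep -q 'Subject Alternative Name' ||
        { echo "FAIL: CML certificate has no SAN extension"; rc=1; }

    # The key must load with an empty passphrase and match the CML certificate.
    keypub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) ||
        { echo "FAIL: private key unreadable or passphrase-protected"; rc=1; }
    certpub=$(openssl x509 -noout -pubkey -in "$tmp/cert1.pem" 2>/dev/null) || rc=1
    [ -n "$keypub" ] && [ "$keypub" = "$certpub" ] ||
        { echo "FAIL: private key does not match the CML certificate"; rc=1; }

    rm -rf "$tmp"
    return "$rc"
}

if [ "$#" -eq 2 ]; then check_cml_bundle "$1" "$2"; fi
```

Run it as root against /etc/nginx/fullchain.pem and /etc/nginx/privkey.pem; any FAIL line means the .bak files should be restored before restarting.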