Web Certificate Setup Options

The platform installs a self-signed certificate for the web frontend by default. This encrypts web traffic, but it gives users no way to verify that they are talking to the genuine server, so it does not protect against man-in-the-middle attacks.

Two types of certificate setups are supported:

  • VOSS-4-UC certificate setup

    We strongly advise customers to obtain a certificate signed by a trusted CA and install it on the server. The certificate signing request generated on VOSS-4-UC systems uses a 4096-bit RSA key.

    Once a signed, trusted certificate is obtained from the CA, copy it to the platform using scp and then install it on the server with:

    web cert add <filename>

    For details, see: VOSS-4-UC Setup a Web Certificate

  • Own private certificate and generated Subject Alternative Name (SAN) certificate setup

    Customers can upload their own private key together with a SAN certificate generated for it; in other words, it is not necessary to run web cert gen_csr on the platform CLI, so one certificate file can be uploaded to all nodes. Note that customers are then responsible for the security of their private keys, and that the same key is held on every node it is uploaded to.

    For details, see: Own Web Certificate Setup.

    The file to upload must be in PEM format. PEM files typically have extensions like .pem, .crt, .cer and .key, but the extension does not guarantee the encoding: a .crt or .cer file may be binary DER, so confirm that the file begins with a -----BEGIN line before uploading it.

    The PEM file must use the correct line termination: a single "Line Feed" character. If your PEM file was saved on MS Windows, remove the carriage-return (^M) characters from the file, for example in a Linux console with: $ tr -d '\r' < original.pem > fixed.pem

    In the file, the private key comes first, followed by the certificate. The private key must be unencrypted, i.e. its header must not read "BEGIN ENCRYPTED PRIVATE KEY", because the web server cannot prompt for a passphrase when it starts. If the CA also supplied intermediate certificates, append them after the server certificate, in the order described in the nginx documentation referenced in the notes below.

    For example:

    -----BEGIN PRIVATE KEY-----
    MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDNV1pXvjIiiWuJIABW
    [...]
    IeJnlBPwDJX6Yo9Q==
    -----END PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    MIIEbTCCAlUCAgPoMA0GCSqGSIb3DQEBCwUAMIGbMQswCQYDVQQGEwJaQTELM
    [...]
    ulfj0D54fozATLIdMZSrmImk8CfkDPkmWbIKRce729DTQwHrMG/OolZC2
    -----END CERTIFICATE-----
    

    Copy the certificate file to the platform media/ directory using scp and then install the file using:

    web cert add_san <filename>

    For example:

    platform@host:~$ web cert add_san media/cert.pem
    Updating the certificate requires the web server to be restarted.
    Do you wish to continue? yes
    Restarting nginx
    platform@host:~$
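
As an added example (not part of the original page and not VOSS-4-UC code), the following Python script performs the structural checks described above on a PEM bundle before it is copied to the platform: LF-only line endings, one unencrypted private key first, at least one certificate after it, and valid base64-encoded DER in every block. It can also rewrite a bundle into that layout, which is the programmatic equivalent of the tr command above plus reordering. The sample bundle embedded in it is constructed from a placeholder ASN.1 value, not a real key or certificate, and the function names and the optional command-line file argument are the example's own.

```python
"""Pre-flight checks for a PEM bundle destined for `web cert add_san`.

Added example, not VOSS-4-UC code. The checks mirror the rules stated on the
page: LF-only line endings, an unencrypted private key first, then the
certificate(s), each block carrying valid base64-encoded DER.
"""
import base64
import re
import sys

# One PEM block: header label, base64 body, matching footer. Only LF-terminated
# text matches, so carriage returns are stripped before this regex is applied.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)\n-----END \1-----", re.S)


def normalize_line_endings(data: bytes) -> bytes:
    """Same effect as `tr -d '\\r'`: drop every carriage return, leaving LF only."""
    return data.replace(b"\r", b"")


def _blocks(data: bytes) -> list:
    """All (label, body) PEM blocks in the data, in file order."""
    text = normalize_line_endings(data).decode("ascii", errors="replace")
    return PEM_BLOCK.findall(text)


def check_san_bundle(data: bytes) -> list:
    """Return the problems found in a bundle; an empty list means it passes."""
    problems = []
    if b"\r" in data:
        problems.append("file contains carriage returns (Windows line endings); run tr -d '\\r'")
    blocks = _blocks(data)
    if not blocks:
        problems.append("no PEM blocks found (DER-encoded or not a PEM file at all)")
        return problems
    labels = [label for label, _ in blocks]
    if "ENCRYPTED PRIVATE KEY" in labels:
        problems.append("private key is encrypted; the web server cannot load it")
    if not labels[0].endswith("PRIVATE KEY"):
        problems.append(f"first block is {labels[0]}; the private key must come first")
    if sum(label.endswith("PRIVATE KEY") for label in labels) != 1:
        problems.append("bundle must contain exactly one private key")
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block after the key")
    for label, body in blocks:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"{label} block is not valid base64")
            continue
        if der[:1] != b"\x30":  # key and certificate DER both start with an ASN.1 SEQUENCE
            problems.append(f"{label} block does not decode to DER")
    return problems


def normalize_bundle(data: bytes) -> bytes:
    """Rewrite a bundle as LF-only text with the key first, then the certificates.

    Other block types (for example a CRL) are dropped. An encrypted key is kept
    as is, since decrypting it would need the passphrase; check_san_bundle
    still reports it.
    """
    blocks = _blocks(data)
    keys = [b for b in blocks if b[0].endswith("PRIVATE KEY")]
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    out = "".join(f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
                  for label, body in keys + certs)
    return out.encode("ascii", errors="replace")


def _pem(label: str, der: bytes) -> str:
    """Wrap DER bytes in a PEM block with 64-character lines (used to build samples)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed placeholder: a minimal ASN.1 SEQUENCE, not a real key or certificate.
FAKE_DER = bytes.fromhex("300302010a")
# Constructed "saved on Windows" bundle: CRLF endings and the certificate before the key.
WINDOWS_BUNDLE = (_pem("CERTIFICATE", FAKE_DER) + _pem("PRIVATE KEY", FAKE_DER)
                  ).replace("\n", "\r\n").encode("ascii")

if __name__ == "__main__":
    # Check a file given on the command line, or the constructed sample otherwise.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else WINDOWS_BUNDLE
    for problem in check_san_bundle(raw):
        print("problem:", problem)
    fixed = normalize_bundle(raw)
    print("after normalize_bundle:", check_san_bundle(fixed) or "no problems")
```

Run it against the real bundle (python3 check_bundle.py cert.pem, path assumed) before the scp step; if it reports problems, write normalize_bundle's output to a new file and re-check that file rather than editing the original by hand.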
    

Note

  • SSO certificate management is carried out on the GUI. Refer to the GUI documentation for details.
  • VOSS-4-UC supports wildcard Common Names (CN) in the certificate presented to web browsers.
  • Only one certificate file can be installed on the platform. For details on the certificate and key formats nginx accepts, and on the order of a certificate chain, see the nginx documentation: [http://nginx.org/en/docs/http/ngx_http_ssl_module.html]
  • Ensure that the Common Name or Subject Alternative Names of the generated certificate match the network name assigned to the platform; browsers reject a certificate whose names do not match the hostname in the URL.

The list of supported SSL ciphers is as follows. This list may change as ciphers are added or found to be insecure. Note that kEDH+AESGCM, AES and CAMELLIA are OpenSSL cipher-string aliases that each expand to a group of suites, and that the suites without an ECDHE or DHE prefix use static RSA key exchange and therefore offer no forward secrecy:

  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • DHE-RSA-AES128-GCM-SHA256
  • DHE-DSS-AES128-GCM-SHA256
  • kEDH+AESGCM
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA
  • ECDHE-ECDSA-AES128-SHA
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA
  • ECDHE-ECDSA-AES256-SHA
  • DHE-RSA-AES128-SHA256
  • DHE-RSA-AES128-SHA
  • DHE-DSS-AES128-SHA256
  • DHE-RSA-AES256-SHA256
  • DHE-DSS-AES256-SHA
  • DHE-RSA-AES256-SHA
  • AES128-GCM-SHA256
  • AES256-GCM-SHA384
  • AES128-SHA256
  • AES256-SHA256
  • AES128-SHA
  • AES256-SHA
  • AES
  • CAMELLIA
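
As an added example (not part of the original page and not VOSS-4-UC code), the following Python script uses the standard ssl module to have the local OpenSSL expand the cipher list above into the concrete suites it enables, so that aliases such as AES, CAMELLIA and kEDH+AESGCM are resolved, and then flags every suite that lacks forward secrecy or uses a non-AEAD (CBC plus HMAC) cipher. It assumes a Python build linked against OpenSSL 1.1 or later; the exact expansion depends on that OpenSSL build and its security level, not on the platform.

```python
"""Audit an OpenSSL cipher string such as the one on this page.

Added example, not VOSS-4-UC code. SSLContext.get_ciphers() reports, for each
suite OpenSSL enables, its key-exchange algorithm ("kea") and whether the
cipher is AEAD, which is all that is needed to spot suites without forward
secrecy or with CBC/HMAC ciphers.
"""
import ssl

# Cipher names exactly as listed on the page, in the page's order.
PAGE_CIPHERS = [
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-DSS-AES128-GCM-SHA256", "kEDH+AESGCM",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-RSA-AES128-SHA", "ECDHE-ECDSA-AES128-SHA",
    "ECDHE-RSA-AES256-SHA384", "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES256-SHA", "ECDHE-ECDSA-AES256-SHA",
    "DHE-RSA-AES128-SHA256", "DHE-RSA-AES128-SHA", "DHE-DSS-AES128-SHA256",
    "DHE-RSA-AES256-SHA256", "DHE-DSS-AES256-SHA", "DHE-RSA-AES256-SHA",
    "AES128-GCM-SHA256", "AES256-GCM-SHA384", "AES128-SHA256", "AES256-SHA256",
    "AES128-SHA", "AES256-SHA", "AES", "CAMELLIA",
]
PAGE_CIPHER_STRING = ":".join(PAGE_CIPHERS)

# Ephemeral key exchanges give forward secrecy; "kx-rsa" is static RSA and does not.
FORWARD_SECRET_KEA = {"kx-ecdhe", "kx-dhe"}


def classify(entry: dict) -> tuple:
    """(forward_secrecy, aead) for one dict as returned by SSLContext.get_ciphers()."""
    return (entry["kea"] in FORWARD_SECRET_KEA, bool(entry["aead"]))


def expand(cipher_string: str) -> list:
    """Concrete pre-TLS-1.3 suites the local OpenSSL enables for cipher_string, in
    preference order. TLS 1.3 suites are configured separately in OpenSSL and always
    use ephemeral key exchange, so they are left out of the audit."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError only if nothing in the string is available
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(cipher_string: str) -> dict:
    """Map each enabled suite name to its (forward_secrecy, aead) flags."""
    return {c["name"]: classify(c) for c in expand(cipher_string)}


def legacy_suites(cipher_string: str) -> list:
    """Names of enabled suites that lack forward secrecy or use a non-AEAD cipher."""
    return [name for name, (fs, aead) in audit(cipher_string).items() if not (fs and aead)]


if __name__ == "__main__":
    for name, (fs, aead) in audit(PAGE_CIPHER_STRING).items():
        print(f"{name:36s} {'PFS' if fs else 'no-PFS':7s} {'AEAD' if aead else 'CBC/HMAC'}")
    print(f"{len(legacy_suites(PAGE_CIPHER_STRING))} suites lack forward secrecy or AEAD")
```

The printed table is the one to compare against the list above when deciding whether the static-RSA and CBC suites at the tail of the list are still needed for the browsers that must reach the platform; the GCM suites with an ECDHE or DHE prefix are the ones that satisfy both flags.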