.. _web_certificate_setup_options:


Web Certificate Setup Options
-----------------------------

.. index:: web;web cert

The platform installs a self-signed certificate for the web front-end by
default. This encrypts the web traffic, but it gives users no way to verify
that they are talking to the correct server and so does not protect against
man-in-the-middle attacks; browsers will also warn on every connection.

Two types of certificate setups are supported:

* VOSS-4-UC certificate setup

  We strongly advise customers to obtain a trusted CA-signed
  certificate and install it on the server. The key pair generated on
  VOSS-4-UC systems is 4096-bit RSA.

  Once a signed, trusted certificate is obtained from the CA,
  copy it to the platform using **scp** and then install the file into the server using:

  **web cert add <filename>**

  For details, see: :ref:`set_up_a_web_certificate`

* Own private key and generated Subject Alternative Name (SAN) certificate setup

  Customers can generate the private key and certificate signing request off
  the platform, obtain a SAN certificate from their CA and upload the key
  together with the certificate; in other words it is not necessary to run
  **web cert gen_csr** on the platform CLI. Because the key is not tied to a
  single node, the same certificate file can be uploaded on all nodes. Note that
  customers are then responsible for the security of their private keys,
  including every copy that exists outside the platform.

  For details, see: :ref:`own_web_certificate_setup`.

  The file to upload should be in a PEM format. PEM certificates typically
  have extensions like ``.pem``, ``.crt``, ``.cer`` and ``.key``.

  The PEM file must use a single "Line Feed" character as its line terminator.
  If your PEM file was saved on MS Windows, remove the carriage-return (^M)
  characters from the file, for example in a Linux console with:
  
  ::  
  
     $ tr -d '\r' < original.pem > fixed.pem

  In the file, the private key must come first, followed by the certificate,
  and the private key must be *unencrypted* (i.e. its header must not read
  "``BEGIN ENCRYPTED PRIVATE KEY``"; decrypt such a key before uploading it).
  
  For example:
  
  ::  
    
     -----BEGIN PRIVATE KEY-----
     MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDNV1pXvjIiiWuJIABW
     [...]
     IeJnlBPwDJX6Yo9Q==
     -----END PRIVATE KEY-----
     -----BEGIN CERTIFICATE-----
     MIIEbTCCAlUCAgPoMA0GCSqGSIb3DQEBCwUAMIGbMQswCQYDVQQGEwJaQTELM
     [...]
     ulfj0D54fozATLIdMZSrmImk8CfkDPkmWbIKRce729DTQwHrMG/OolZC2
     -----END CERTIFICATE-----

  Copy the combined key-and-certificate PEM file to the platform ``media/``
  directory using **scp** and then install the file using:

  **web cert add_san <filename>**

  For example:

  ::
  
     platform@host:~$ web cert add_san media/cert.pem
     Updating the certificate requires the web server to be restarted.
     Do you wish to continue? yes
     Restarting nginx
     platform@host:~$ 
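
The following POSIX shell script is an added example and is not part of the VOSS documentation or of the platform's own tooling. It assembles the combined PEM in the order described above (unencrypted key first, then certificate), strips Windows line endings on the way, and runs the checks a practitioner would want before the file is copied to ``media/`` and passed to **web cert add_san**: no carriage returns, no encrypted key, correct block order, and (when ``openssl`` is available) that the key actually matches the certificate and that the SAN covers the platform's network name. The file names ``server.key``, ``server.crt`` and ``combined.pem`` and the hostname argument are assumptions.

```shell
#!/bin/sh
# Added example (not VOSS's own tooling): build and sanity-check the combined
# key+certificate PEM that "web cert add_san" expects. File names and the
# hostname argument are hypothetical.

# Strip carriage returns so the file uses a single LF as line terminator
# (files saved on Windows carry CRLF).
strip_cr() { tr -d '\r' < "$1"; }

# Concatenate in the required order: unencrypted private key first, then the
# certificate. Both inputs are normalised on the way through.
build_combined_pem() {
    { strip_cr "$1"; strip_cr "$2"; } > "$3"
}

# Structural checks that need no OpenSSL: line endings, presence and order of
# the PEM blocks, and that the key is not encrypted. Prints one line per
# problem and returns 1 if any were found.
check_combined_pem() {
    f="$1"; rc=0
    if [ "$(( $(tr -cd '\r' < "$f" | wc -c) ))" -ne 0 ]; then
        echo "$f: contains CR characters; run: tr -d '\\r' < $f > fixed.pem"; rc=1
    fi
    if grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' "$f"; then
        echo "$f: private key is encrypted; the upload needs an unencrypted key"; rc=1
    fi
    key_line=$(grep -n -e '^-----BEGIN .*PRIVATE KEY-----' "$f" | head -n 1 | cut -d: -f1)
    cert_line=$(grep -n -e '^-----BEGIN CERTIFICATE-----' "$f" | head -n 1 | cut -d: -f1)
    [ -n "$key_line" ]  || { echo "$f: no PRIVATE KEY block"; rc=1; }
    [ -n "$cert_line" ] || { echo "$f: no CERTIFICATE block"; rc=1; }
    if [ -n "$key_line" ] && [ -n "$cert_line" ] && [ "$key_line" -gt "$cert_line" ]; then
        echo "$f: certificate precedes key; the key must come first"; rc=1
    fi
    return $rc
}

# Cryptographic checks (need openssl; -ext requires OpenSSL 1.1.1 or later):
# the key must match the certificate, and the SAN must cover the platform's
# network name, otherwise browsers will still warn after the upload.
verify_with_openssl() {
    f="$1"; host="$2"
    key_pub=$(openssl pkey -in "$f" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$key_pub" != "$cert_pub" ]; then
        echo "$f: private key does not match the certificate"; return 1
    fi
    if ! openssl x509 -in "$f" -noout -ext subjectAltName 2>/dev/null | grep -q "DNS:$host"; then
        echo "$f: subjectAltName does not list $host"; return 1
    fi
    echo "$f: key matches certificate and SAN covers $host"
}

# Usage: sh prepare_san_pem.sh server.key server.crt combined.pem voss.example.com
if [ "$#" -eq 4 ]; then
    build_combined_pem "$1" "$2" "$3"
    check_combined_pem "$3" && verify_with_openssl "$3" "$4"
fi
```

Run the script on the key and certificate as exported from your CA tooling; only a file that passes both functions should be copied to ``media/`` with **scp**. The structural checks deliberately run before any OpenSSL call so that a CRLF or encrypted-key problem is reported in plain terms rather than as an opaque parse error.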
  


.. note::

   * SSO certificate management is carried out on the GUI. Refer to the GUI
     documentation for details.
   * |VOSS-4-UC| supports wildcards for Common Names (CN) in the web browser
     certificate.
   * Only one certificate file can be installed on the platform. For more
     details on NGINX-compatible certificates, see the nginx
     documentation: [``http://nginx.org/en/docs/http/ngx_http_ssl_module.html``]
   * Ensure that the certificates you generate match the network name
     (hostname or FQDN) assigned to the platform. A certificate whose CN or
     SAN does not match the name users connect with still triggers browser
     warnings, even when it is CA-signed.

The supported SSL ciphers are listed below, as OpenSSL cipher-string names.
The list may change as ciphers are added or found to be insecure. Entries
beginning with ``ECDHE-`` or ``DHE-`` (and ``kEDH+AESGCM``) use ephemeral key
exchange and therefore provide forward secrecy; the bare ``AES128-*`` and
``AES256-*`` entries use static RSA key exchange and do not, so a recorded
session could be decrypted later if the server's private key were compromised.
``AES`` and ``CAMELLIA`` are not single suites but aliases that match every
suite using that cipher:

* ECDHE-RSA-AES128-GCM-SHA256
* ECDHE-ECDSA-AES128-GCM-SHA256
* ECDHE-RSA-AES256-GCM-SHA384
* ECDHE-ECDSA-AES256-GCM-SHA384
* DHE-RSA-AES128-GCM-SHA256
* DHE-DSS-AES128-GCM-SHA256
* kEDH+AESGCM
* ECDHE-RSA-AES128-SHA256
* ECDHE-ECDSA-AES128-SHA256
* ECDHE-RSA-AES128-SHA
* ECDHE-ECDSA-AES128-SHA
* ECDHE-RSA-AES256-SHA384
* ECDHE-ECDSA-AES256-SHA384
* ECDHE-RSA-AES256-SHA
* ECDHE-ECDSA-AES256-SHA
* DHE-RSA-AES128-SHA256
* DHE-RSA-AES128-SHA
* DHE-DSS-AES128-SHA256
* DHE-RSA-AES256-SHA256
* DHE-DSS-AES256-SHA
* DHE-RSA-AES256-SHA
* AES128-GCM-SHA256
* AES256-GCM-SHA384
* AES128-SHA256
* AES256-SHA256
* AES128-SHA
* AES256-SHA
* AES
* CAMELLIA
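
As an added example that is not part of the VOSS platform or its documentation, the following POSIX shell functions classify entries of the list above by their key-exchange properties, using the OpenSSL naming convention, and produce an nginx ``ssl_ciphers`` value that offers forward-secret AEAD suites first and leaves out the broad ``AES``/``CAMELLIA`` aliases. The input file name and the resulting nginx directive are assumptions; the platform's own nginx configuration is not shown on this page.

```shell
#!/bin/sh
# Added example (not part of the VOSS platform): classify cipher names from
# the list above by key exchange, then emit an nginx ssl_ciphers string that
# puts forward-secret AEAD suites first and drops the broad aliases.

# Map one OpenSSL cipher-string entry to a class, using the naming convention:
# ECDHE-/DHE- prefixes (and kEDH) mean ephemeral key exchange, i.e. forward
# secrecy; "-GCM-" marks an AEAD suite; bare AES128-/AES256- names mean static
# RSA key exchange; AES and CAMELLIA are aliases covering every suite that
# uses that cipher, including static-RSA ones.
cipher_class() {
    case "$1" in
        ECDHE-*-GCM-*|DHE-*-GCM-*|kEDH+AESGCM) echo pfs-aead ;;
        ECDHE-*|DHE-*)                         echo pfs ;;
        AES128-*|AES256-*)                     echo no-pfs ;;
        AES|CAMELLIA)                          echo alias ;;
        *)                                     echo unknown ;;
    esac
}

# Read cipher names (one per line) from the file named in $1 and print a
# colon-separated ssl_ciphers value: pfs-aead suites, then pfs, then no-pfs.
# Aliases and unknown names are left out so the server offers only suites
# that were listed explicitly.
order_ciphers() {
    for want in pfs-aead pfs no-pfs; do
        while IFS= read -r name; do
            [ "$(cipher_class "$name")" = "$want" ] && printf '%s\n' "$name"
        done < "$1"
    done | tr '\n' ':' | sed 's/:$//'
}

# Usage: sh order_ciphers.sh ciphers.txt   (hypothetical file, one name per line)
if [ "$#" -eq 1 ]; then
    printf 'ssl_ciphers "%s";\nssl_prefer_server_ciphers on;\n' "$(order_ciphers "$1")"
fi
```

Feeding the list above through ``order_ciphers`` shows at a glance which suites lack forward secrecy and which entries are aliases rather than suites; ``openssl ciphers -v AES`` on the target host expands an alias to the concrete suites the installed OpenSSL would actually enable.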




.. |VOSS-4-UC| replace:: VOSS-4-UC
.. |Unified CM| replace:: Unified CM