Web Certificate Setup Options
The platform installs a self-signed certificate for the web frontend by default. This encrypts web traffic, but it does not let users verify that they are talking to the correct server and therefore does not protect against man-in-the-middle attacks.
Two types of certificate setups are supported:
VOSS-4-UC certificate setup
We strongly advise customers to obtain a trusted CA-signed certificate and install it on the server. A 4096-bit RSA certificate is generated on VOSS-4-UC systems.
Once a signed, trusted certificate is obtained from the CA, copy it to the platform using scp and then install the file into the server using:
web cert add <filename>
For details, see: VOSS-4-UC Setup a Web Certificate.
Own private certificate and generated Subject Alternative Name (SAN) certificate setup
Customers can upload their own private certificate and generated SAN certificates; in other words, it is not necessary to run web cert gen_csr on the platform CLI. One certificate can therefore be uploaded to all nodes. Note that customers are then responsible for the security of their private keys.
For details, see: Own Web Certificate Setup.
The file to upload should be in PEM format. PEM certificates typically have extensions such as .pem, .crt, .cer and .key. The PEM file must have the correct form of line termination: a single “Line Feed” character. If your PEM file was saved on MS Windows, be sure to remove the ^M characters from the file, for example in a Linux console with:
$ tr -d '\r' < original.pem > fixed.pem
In the file, the SAN certificate composition has the private key first and then the certificate, and the private key should be unencrypted (i.e. the key header text must not read “BEGIN ENCRYPTED PRIVATE KEY”). For example:
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDNV1pXvjIiiWuJIABW
[...]
IeJnlBPwDJX6Yo9Q==
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIEbTCCAlUCAgPoMA0GCSqGSIb3DQEBCwUAMIGbMQswCQYDVQQGEwJaQTELM
[...]
ulfj0D54fozATLIdMZSrmImk8CfkDPkmWbIKRce729DTQwHrMG/OolZC2
-----END CERTIFICATE-----
Copy the certificate file to the platform media/ directory using scp and then install the file using:
web cert add_san <filename>
For example:
platform@host:~$ web cert add_san media/cert.pem
Updating the certificate requires the web server to be restarted. Do you wish to continue? yes
Restarting nginx
platform@host:~$
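The file requirements described above (LF-only line endings, an unencrypted private key as the first PEM block, the certificate after it) can be checked before the file is copied to the platform. The script below is an added example and is not part of the VOSS-4-UC CLI or its documentation. It relies only on standard POSIX tools; the optional key/certificate pairing check uses the openssl CLI if present, and the sample file it writes contains constructed placeholder base64 (the text "PLACEHOLDER"), not a real key or certificate.

```shell
#!/bin/sh
# Added example: pre-upload checks for a combined key+certificate PEM file
# intended for "web cert add_san". Not part of the platform CLI.

# check_san_pem FILE
# Returns 0 if FILE has the expected layout, 1 otherwise, printing one
# FAIL line per problem found.
check_san_pem() {
    file="$1"
    rc=0

    # 1. Line termination must be a single LF. Any CR means the file was
    #    saved on Windows; fix with: tr -d '\r' < original.pem > fixed.pem
    cr_count=$(tr -cd '\r' < "$file" | wc -c | tr -d ' ')
    if [ "$cr_count" -gt 0 ]; then
        echo "FAIL: $cr_count carriage-return characters found (CRLF line endings)"
        rc=1
    fi

    # 2. The key must be unencrypted: neither the PKCS#8 encrypted header
    #    nor the legacy OpenSSL "Proc-Type: 4,ENCRYPTED" marker may appear.
    if grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$file"; then
        echo "FAIL: private key is encrypted; the platform needs an unencrypted key"
        rc=1
    fi

    # 3. Composition: the first PEM block is the private key and at least
    #    one certificate block follows.
    first=$(grep '^-----BEGIN ' "$file" | head -n 1 | tr -d '\r')
    case "$first" in
        *"PRIVATE KEY-----") ;;
        *) echo "FAIL: first PEM block is '$first', expected the private key"; rc=1 ;;
    esac
    if ! grep -q '^-----BEGIN CERTIFICATE-----' "$file"; then
        echo "FAIL: no certificate block found after the key"
        rc=1
    fi

    # 4. Every BEGIN line has a matching END line (catches truncated pastes).
    n_begin=$(grep -c '^-----BEGIN ' "$file" || true)
    n_end=$(grep -c '^-----END ' "$file" || true)
    if [ "$n_begin" -ne "$n_end" ] || [ "$n_begin" -eq 0 ]; then
        echo "FAIL: $n_begin BEGIN lines but $n_end END lines"
        rc=1
    fi

    return $rc
}

# check_key_matches_cert FILE (optional, needs the openssl CLI)
# Confirms the private key and the first certificate in FILE belong
# together by comparing the public keys derived from each.
check_key_matches_cert() {
    file="$1"
    command -v openssl >/dev/null 2>&1 || { echo "SKIP: openssl not installed"; return 0; }
    key_pub=$(openssl pkey -in "$file" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$file" -noout -pubkey 2>/dev/null)
    if [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]; then
        echo "OK: private key matches the certificate"
        return 0
    fi
    echo "FAIL: private key does not match the certificate"
    return 1
}

# make_sample_pem OUT: writes a constructed file in the expected layout.
# The base64 bodies are placeholders ("PLACEHOLDER"), not real material.
make_sample_pem() {
    printf '%s\n' \
        '-----BEGIN PRIVATE KEY-----' \
        'UExBQ0VIT0xERVI=' \
        '-----END PRIVATE KEY-----' \
        '-----BEGIN CERTIFICATE-----' \
        'UExBQ0VIT0xERVI=' \
        '-----END CERTIFICATE-----' > "$1"
}

# Stand-alone demonstration on the constructed sample.
sample=$(mktemp)
make_sample_pem "$sample"
if check_san_pem "$sample"; then
    echo "OK: $sample has the layout expected by 'web cert add_san'"
fi
rm -f "$sample"
```

Run it as `check_san_pem media/cert.pem` before the scp step; on a host with openssl installed, `check_key_matches_cert media/cert.pem` additionally catches the common mistake of pairing a key with a certificate issued for a different CSR.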
Note
- SSO certificate management is carried out on the GUI. Refer to the GUI documentation for details.
- VOSS-4-UC supports wildcards for Common Names (CN) in the web browser certificate.
- Only one certificate file can be installed on the platform. For more details on NGINX compatible certificates, see the relevant nginx documentation: http://nginx.org/en/docs/http/ngx_http_ssl_module.html
- Please note the importance of ensuring that SSL certificates generated match the assigned network name of the platform.
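The last two notes (wildcard Common Names are supported; the certificate must match the platform's assigned network name) can be verified before installation. The script below is an added example, not part of the VOSS-4-UC CLI or documentation. `hostname_matches` implements the usual browser rule for wildcards (a leading `*.` covers exactly one leftmost label); `cert_names` and `cert_covers_host` read the CN and DNS SANs out of a certificate with the openssl CLI and are an assumption about the operator's tooling, as is the requirement for OpenSSL 1.1.1 or later for `x509 -ext`. The host and pattern values in the demonstration are constructed.

```shell
#!/bin/sh
# Added example: check that a certificate's CN or DNS SANs cover the
# platform's network name, including wildcard entries. Not part of the
# VOSS-4-UC CLI.

# hostname_matches HOST PATTERN
# PATTERN is a CN or DNS SAN entry. A leading "*." covers exactly one
# leftmost label, so *.example.com covers voss.example.com but neither
# example.com nor a.b.example.com. Comparison is case-insensitive.
hostname_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    pat=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pat" in
        \*.*)
            suffix=${pat#\*.}
            case "$suffix" in
                *\**) return 1 ;;          # a second wildcard is not allowed
                *.*) ;;                    # suffix must itself contain a dot
                *) return 1 ;;             # refuse "*.com"-style patterns
            esac
            case "$host" in
                *.*) [ -n "${host%%.*}" ] && [ "${host#*.}" = "$suffix" ] ;;
                *) return 1 ;;             # a bare label has no parent domain
            esac
            ;;
        *\**) return 1 ;;                  # wildcard not in the leftmost label
        *) [ "$host" = "$pat" ] ;;
    esac
}

# cert_names FILE: print the CN and every DNS SAN of the first certificate
# in FILE, one per line. Requires the openssl CLI (1.1.1+ for -ext).
cert_names() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# cert_covers_host FILE HOST: 0 if any certificate name covers HOST.
cert_covers_host() {
    match=$(cert_names "$1" | while IFS= read -r n; do
        if hostname_matches "$2" "$n"; then printf '%s\n' "$n"; break; fi
    done)
    if [ -n "$match" ]; then
        echo "OK: certificate name '$match' covers $2"
        return 0
    fi
    echo "FAIL: no CN or DNS SAN in $1 covers $2"
    return 1
}

# Stand-alone demonstration on constructed names (no certificate needed).
for pair in "voss.example.com *.example.com" \
            "a.b.example.com *.example.com" \
            "example.com *.example.com" \
            "voss.example.com VOSS.EXAMPLE.COM" \
            "voss.example.com *.com"; do
    host=${pair%% *}
    pat=${pair#* }
    if hostname_matches "$host" "$pat"; then
        echo "match   : $pat covers $host"
    else
        echo "no match: $pat does not cover $host"
    fi
done
```

Typical use on the platform's operator workstation is `cert_covers_host media/cert.pem "$(hostname -f)"` before the scp step, so a certificate issued for the wrong name is caught before nginx is restarted with it.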
The list of supported SSL ciphers is as follows. This list may change as ciphers are added or found to be insecure:
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES256-GCM-SHA384
- DHE-RSA-AES128-GCM-SHA256
- DHE-DSS-AES128-GCM-SHA256
- kEDH+AESGCM
- ECDHE-RSA-AES128-SHA256
- ECDHE-ECDSA-AES128-SHA256
- ECDHE-RSA-AES128-SHA
- ECDHE-ECDSA-AES128-SHA
- ECDHE-RSA-AES256-SHA384
- ECDHE-ECDSA-AES256-SHA384
- ECDHE-RSA-AES256-SHA
- ECDHE-ECDSA-AES256-SHA
- DHE-RSA-AES128-SHA256
- DHE-RSA-AES128-SHA
- DHE-DSS-AES128-SHA256
- DHE-RSA-AES256-SHA256
- DHE-DSS-AES256-SHA
- DHE-RSA-AES256-SHA
- AES128-GCM-SHA256
- AES256-GCM-SHA384
- AES128-SHA256
- AES256-SHA256
- AES128-SHA
- AES256-SHA
- AES
- CAMELLIA
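Because the list above mixes forward-secret AEAD suites with static-RSA and SHA-1 CBC suites, and may change over time, it is useful to classify it rather than read it entry by entry. The script below is an added example, not part of the VOSS-4-UC CLI or documentation; it classifies each name by OpenSSL's cipher naming convention (key-exchange prefix, GCM versus CBC, hash suffix) and treats the three alias entries (kEDH+AESGCM, AES, CAMELLIA) as needing expansion with `openssl ciphers -v` because each stands for several concrete suites.

```shell
#!/bin/sh
# Added example: classify the supported cipher names by key exchange and
# record protection so that suites without forward secrecy or with SHA-1
# CBC stand out. Not part of the VOSS-4-UC CLI.

# The list as documented on this page.
supported_ciphers() {
    cat <<'EOF'
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-DSS-AES128-GCM-SHA256
kEDH+AESGCM
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
DHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA256
DHE-RSA-AES256-SHA256
DHE-DSS-AES256-SHA
DHE-RSA-AES256-SHA
AES128-GCM-SHA256
AES256-GCM-SHA384
AES128-SHA256
AES256-SHA256
AES128-SHA
AES256-SHA
AES
CAMELLIA
EOF
}

# cipher_profile NAME: prints "<kx> <mode>". kx is ECDHE, DHE or RSA
# (static RSA key transport, no forward secrecy); mode is AEAD for GCM
# suites or CBC-<hash> for HMAC/CBC suites. OpenSSL alias names (no
# key-exchange prefix and no hyphenated mode) are reported as "alias alias".
cipher_profile() {
    name=$1
    case "$name" in
        ECDHE-*) kx=ECDHE ;;
        DHE-*)   kx=DHE ;;
        AES*-*)  kx=RSA ;;                 # no key-exchange prefix: static RSA
        *)       echo "alias alias"; return 0 ;;
    esac
    case "$name" in
        *-GCM-*)  mode=AEAD ;;
        *-SHA256) mode=CBC-SHA256 ;;
        *-SHA384) mode=CBC-SHA384 ;;
        *-SHA)    mode=CBC-SHA1 ;;
        *)        mode=unknown ;;
    esac
    echo "$kx $mode"
}

# count_matching KX MODE: number of supported entries whose profile matches;
# either argument may be '*' to match anything.
count_matching() {
    supported_ciphers | while IFS= read -r c; do cipher_profile "$c"; done |
        awk -v kx="$1" -v mode="$2" \
            '(kx=="*" || $1==kx) && (mode=="*" || $2==mode) {n++} END {print n+0}'
}

# audit_ciphers: one line per entry followed by the counts a reviewer wants.
audit_ciphers() {
    supported_ciphers | while IFS= read -r c; do
        printf '%-32s %s\n' "$c" "$(cipher_profile "$c")"
    done
    printf '\nsuites without forward secrecy (static RSA): %s\n' "$(count_matching RSA '*')"
    printf 'suites using SHA-1 HMAC over CBC:            %s\n' "$(count_matching '*' CBC-SHA1)"
    printf 'alias entries to expand with openssl ciphers -v: %s\n' "$(count_matching alias alias)"
}

audit_ciphers
```

The counts are what matter operationally: of the 26 concrete suites, six use static RSA key transport (a leaked server key would decrypt recorded sessions) and nine use SHA-1 HMAC over CBC, which are the suites to disable on the client side first if a deployment's clients all support the ECDHE GCM entries.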