.. _web_certificate_setup_options:

Web Certificate Setup Options
-----------------------------

.. index:: web;web cert

The platform installs a self-signed certificate for the web front end by default. This encrypts the web traffic, but a self-signed certificate gives users no way to verify that they are talking to the genuine server, so it does not protect against man-in-the-middle attacks.

Two types of certificate setup are supported:

* VOSS Automate certificate setup

  We strongly advise customers to obtain a trusted CA-signed certificate and install it on the server. The platform generates a 4096-bit RSA key and the matching certificate signing request (**web cert gen_csr**). Once the signed, trusted certificate is obtained from the CA, copy it to the platform using **scp** and install it with:

  **web cert add**

  For details, see :ref:`set_up_a_web_certificate`.

* Own private key and generated Subject Alternative Name (SAN) certificate setup

  Customers can upload their own private key together with a SAN certificate they generated themselves; in other words, it is not necessary to run **web cert gen_csr** on the platform CLI, and one certificate file can therefore be uploaded on all nodes. Note that customers are then responsible for the security of their private keys: because the same key is installed on every node, a compromise of any one node exposes the key for all of them.

  For details, see :ref:`own_web_certificate_setup`.

  The file to upload must be in PEM format. PEM files typically have extensions such as ``.pem``, ``.crt``, ``.cer`` and ``.key``. The file must use a single "Line Feed" character as line terminator. If the PEM file was saved on MS Windows, remove the ``^M`` (carriage return) characters first, for example in a Linux console with:

  ::

     $ tr -d '\r' < original.pem > fixed.pem

  In the file, the private key comes first, followed by the certificate, and the private key must be *unencrypted*: its header must read ``BEGIN PRIVATE KEY`` rather than ``BEGIN ENCRYPTED PRIVATE KEY``. A legacy ``BEGIN RSA PRIVATE KEY`` block that carries a ``Proc-Type: 4,ENCRYPTED`` header is encrypted as well and must likewise be decrypted before upload.

  For example:

  ::

     -----BEGIN PRIVATE KEY-----
     MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDNV1pXvjIiiWuJIABW
     [...]
     IeJnlBPwDJX6Yo9Q==
     -----END PRIVATE KEY-----
     -----BEGIN CERTIFICATE-----
     MIIEbTCCAlUCAgPoMA0GCSqGSIb3DQEBCwUAMIGbMQswCQYDVQQGEwJaQTELM
     [...]
     ulfj0D54fozATLIdMZSrmImk8CfkDPkmWbIKRce729DTQwHrMG/OolZC2
     -----END CERTIFICATE-----

  Copy the certificate file to the platform ``media/`` directory using **scp** and then install it with:

  **web cert add_san**

  For example:

  ::

     platform@host:~$ web cert add_san media/cert.pem
     Updating the certificate requires the web server to be restarted.
     Do you wish to continue? yes
     Restarting nginx
     platform@host:~$

.. note::

   * SSO certificate management is carried out on the GUI. Refer to the GUI documentation for details.
   * |VOSS Automate| supports wildcards in the Common Name (CN) of the web browser certificate.
   * Only one certificate file can be installed on the platform. For more details on NGINX-compatible certificates, see the nginx documentation: ``http://nginx.org/en/docs/http/ngx_http_ssl_module.html``
   * Make sure that the certificate you generate matches the assigned network name of the platform. A browser that connects to a name the certificate does not cover shows a certificate warning, just as it does for the default self-signed certificate.

The supported SSL/TLS cipher suites are listed below using OpenSSL names (entries such as ``kEDH+AESGCM``, ``AES`` and ``CAMELLIA`` are OpenSSL cipher-string groups rather than single suites). The list may change as ciphers are added or found to be insecure. Note that it still includes CBC-mode suites and suites without forward secrecy (for example ``AES128-SHA`` and ``AES256-SHA``), which current TLS guidance treats as legacy.

* ECDHE-RSA-AES128-GCM-SHA256
* ECDHE-ECDSA-AES128-GCM-SHA256
* ECDHE-RSA-AES256-GCM-SHA384
* ECDHE-ECDSA-AES256-GCM-SHA384
* DHE-RSA-AES128-GCM-SHA256
* DHE-DSS-AES128-GCM-SHA256
* kEDH+AESGCM
* ECDHE-RSA-AES128-SHA256
* ECDHE-ECDSA-AES128-SHA256
* ECDHE-RSA-AES128-SHA
* ECDHE-ECDSA-AES128-SHA
* ECDHE-RSA-AES256-SHA384
* ECDHE-ECDSA-AES256-SHA384
* ECDHE-RSA-AES256-SHA
* ECDHE-ECDSA-AES256-SHA
* DHE-RSA-AES128-SHA256
* DHE-RSA-AES128-SHA
* DHE-DSS-AES128-SHA256
* DHE-RSA-AES256-SHA256
* DHE-DSS-AES256-SHA
* DHE-RSA-AES256-SHA
* AES128-GCM-SHA256
* AES256-GCM-SHA384
* AES128-SHA256
* AES256-SHA256
* AES128-SHA
* AES256-SHA
* AES
* CAMELLIA

.. |VOSS Automate| replace:: VOSS Automate
.. |Unified CM| replace:: Unified CM
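The composition and line-ending rules for the SAN bundle, and the note that the certificate must cover the platform's assigned network name, can be checked on the workstation before the file is copied to ``media/``. The following script is an added example and is not part of this page or of VOSS Automate. It uses only the Python standard library; the function names ``check_pem_bundle``, ``name_matches`` and ``certificate_covers`` are the example's own, and the sample bundle it builds consists of placeholder bytes, not a real key or certificate.

```python
"""Pre-flight checks for a PEM bundle destined for ``web cert add_san``.

Added example, not VOSS Automate code. Standard library only; the sample
bundle is constructed from placeholder bytes and is not a real key or
certificate. It checks the rules from the text (LF line endings, unencrypted
private key first, then the certificate, intact base64) and shows what a
wildcard CN/SAN entry does and does not cover.
"""
import base64
import binascii
import re

# One PEM block: label, optional "Name: value" header lines, base64 body.
_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----(?:\n|$)", re.S
)
_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
               "ENCRYPTED PRIVATE KEY"}


def check_pem_bundle(text: str) -> list[str]:
    """Return the problems found; an empty list means the file is ready."""
    problems = []
    if "\r" in text:  # saved on Windows: the ^M characters the text warns about
        problems.append("CRLF line endings found; run: tr -d '\\r' < original.pem > fixed.pem")
        text = text.replace("\r", "")  # keep checking the normalised content
    blocks = _BLOCK.findall(text)
    if not blocks:
        return problems + ["no PEM blocks found (DER or PKCS#12 file instead of PEM?)"]
    labels = []
    for label, body in blocks:
        lines = body.split("\n")
        headers = [ln for ln in lines if ":" in ln]  # e.g. Proc-Type, DEK-Info
        b64 = "".join(ln.strip() for ln in lines if ":" not in ln)
        # PKCS#8 encrypted keys change the label; legacy PKCS#1 keys keep
        # "RSA PRIVATE KEY" and signal encryption in a Proc-Type header.
        if label == "ENCRYPTED PRIVATE KEY" or any("ENCRYPTED" in h for h in headers):
            problems.append(f"{label} block is encrypted; upload an unencrypted key")
        try:
            base64.b64decode(b64, validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"{label} block is not valid base64 (truncated copy/paste?)")
        labels.append(label)
    keys = [lb for lb in labels if lb in _KEY_LABELS]
    if len(keys) != 1:
        problems.append(f"expected exactly one private key block, found {len(keys)}")
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block found")
    if labels[0] not in _KEY_LABELS:
        problems.append("the private key must be the first block, followed by the certificate")
    return problems


def name_matches(hostname: str, name: str) -> bool:
    """Does one certificate DNS name (CN or SAN entry) cover ``hostname``?

    ``*`` is honoured only as the entire leftmost label and stands for exactly
    one label, as browsers apply it (RFC 6125): ``*.example.com`` covers
    ``www.example.com`` but neither ``example.com`` nor ``a.b.example.com``,
    and a bare ``*.com`` is rejected outright.
    """
    host = hostname.lower().rstrip(".").split(".")
    labels = name.lower().rstrip(".").split(".")
    if len(host) != len(labels) or "" in host:
        return False
    if labels[0] == "*":
        return len(labels) >= 3 and host[1:] == labels[1:]
    return host == labels


def certificate_covers(hostname: str, names: list[str]) -> bool:
    """True if any CN/SAN name covers the platform's assigned network name."""
    return any(name_matches(hostname, n) for n in names)


def _pem(label: str, payload: bytes, headers=()) -> str:
    """Build a PEM block with LF line endings (constructed test data only)."""
    hdr = "".join(h + "\n" for h in headers) + ("\n" if headers else "")
    body = base64.encodebytes(payload).decode()  # 76-char lines, LF-terminated
    return f"-----BEGIN {label}-----\n{hdr}{body}-----END {label}-----\n"


# Constructed bundle in the required order: unencrypted key, then certificate.
GOOD_BUNDLE = _pem("PRIVATE KEY", bytes(range(64))) + _pem("CERTIFICATE", bytes(range(96)))

if __name__ == "__main__":
    print(check_pem_bundle(GOOD_BUNDLE))                               # []
    print(check_pem_bundle(GOOD_BUNDLE.replace("\n", "\r\n")))         # CRLF finding
    print(certificate_covers("voss.example.com", ["*.example.com"]))   # True
```

The script deliberately stops at structure: it does not prove that the key and certificate belong together, because that needs a cryptographic library. For that last check, compare the public key printed by ``openssl pkey -in key.pem -pubout`` with the one printed by ``openssl x509 -in cert.pem -pubkey -noout`` before running **web cert add_san**.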