Web Certificate Setup Options
The platform installs a self-signed certificate for the web front end by default. This encrypts the web traffic but does not let users verify that they are talking to the correct server, and it does not protect against man-in-the-middle attacks.
Two types of certificate setups are supported:
VOSS Automate certificate setup
We strongly advise customers to obtain a trusted CA-signed certificate and install it on the server. A 4096 bit RSA certificate is generated on VOSS Automate systems.
Once a signed, trusted certificate is obtained from the CA, copy it to the platform using scp and then install the file into the server using:
web cert add <filename>
For details, see: VOSS Automate Setup a Web Certificate
Own private certificate and generated Subject Alternative Name (SAN) certificate setup
Customers can upload their own private certificate and generated SAN certificates; in other words, it is not necessary to run web cert gen_csr on the platform CLI. One certificate can therefore be uploaded on all nodes. Note that customers are then responsible for the security of their private keys.
For details, see: Own Web Certificate Setup.
The file to upload should be in PEM format. PEM certificates typically have extensions like .pem, .crt, .cer and .key. The PEM file must have the correct form of line termination: a single “Line Feed” character. If your PEM file was saved on MS Windows, be sure to remove the ^M characters from the file, for example in a Linux console with:
$ tr -d '\r' < original.pem > fixed.pem
In the file, the SAN certificate composition has the private key first and then the certificate, and the private key should be unencrypted (i.e. the key header text would then not show “BEGIN ENCRYPTED PRIVATE KEY”). For example:
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDNV1pXvjIiiWuJIABW
[...]
IeJnlBPwDJX6Yo9Q==
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIEbTCCAlUCAgPoMA0GCSqGSIb3DQEBCwUAMIGbMQswCQYDVQQGEwJaQTELM
[...]
ulfj0D54fozATLIdMZSrmImk8CfkDPkmWbIKRce729DTQwHrMG/OolZC2
-----END CERTIFICATE-----
Copy the certificate file to the platform media/ directory using scp and then install the file using:
web cert add_san <filename>
For example:
platform@host:~$ web cert add_san media/cert.pem
Updating the certificate requires the web server to be restarted. Do you wish to continue? yes
Restarting nginx
platform@host:~$
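Before copying the combined file to media/, the structural rules above (LF-only line endings, an unencrypted private key block first, then the certificate) can be checked locally. The following pre-upload check is an added example and is not part of VOSS Automate; the sample PEM blocks it uses are constructed placeholders, not real key material.

```python
import re
from typing import List

# Structural checks a combined SAN PEM file must pass before "web cert add_san":
# LF-only line endings, an unencrypted private key block first, then the
# certificate. Sample inputs below are constructed; they are not real keys.
BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\n(?:[A-Za-z0-9+/=]+\n)+-----END \1-----\n?"
)


def normalize_line_endings(data: bytes) -> bytes:
    """Same effect as `tr -d '\\r'`: drop the CR bytes Windows editors add."""
    return data.replace(b"\r", b"")


def check_san_pem(data: bytes) -> List[str]:
    """Return the problems found; an empty list means the file is ready to upload."""
    problems = []
    if b"\r" in data:
        problems.append("file contains CR (^M) characters; run tr -d '\\r' first")
    text = normalize_line_endings(data).decode("ascii", errors="replace")
    labels = [m.group(1) for m in BLOCK_RE.finditer(text)]
    if not labels:
        return problems + ["no PEM blocks found"]
    if "ENCRYPTED PRIVATE KEY" in labels:
        problems.append("private key is encrypted; export it unencrypted")
    keys = [label for label in labels if label.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        problems.append(f"expected exactly one private key block, found {len(keys)}")
    elif not labels[0].endswith("PRIVATE KEY"):
        problems.append("private key must come before the certificate")
    if "CERTIFICATE" not in labels:
        problems.append("no certificate block found")
    return problems


# Constructed sample blocks (base64 placeholder bodies, not real key material).
KEY_BLOCK = b"-----BEGIN PRIVATE KEY-----\nQUJDREVGRw==\n-----END PRIVATE KEY-----\n"
CERT_BLOCK = b"-----BEGIN CERTIFICATE-----\nSElKS0xNTk9Q\n-----END CERTIFICATE-----\n"
GOOD_PEM = KEY_BLOCK + CERT_BLOCK        # key first, then certificate
REORDERED_PEM = CERT_BLOCK + KEY_BLOCK   # wrong order
# Same content saved on Windows (CRLF) with an encrypted key header.
WINDOWS_ENCRYPTED_PEM = (KEY_BLOCK + CERT_BLOCK).replace(
    b"PRIVATE KEY", b"ENCRYPTED PRIVATE KEY").replace(b"\n", b"\r\n")

if __name__ == "__main__":
    for name, pem in [("good", GOOD_PEM), ("reordered", REORDERED_PEM),
                      ("windows+encrypted", WINDOWS_ENCRYPTED_PEM)]:
        print(name, check_san_pem(pem) or "OK")
```

Run it against your own file by passing the file's bytes to check_san_pem and apply normalize_line_endings before upload only if the CR check is the sole complaint.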
Note
SSO certificate management is carried out on the GUI. Refer to the GUI documentation for details.
VOSS Automate supports wildcards for Common names (CN) in the web browser certificate.
Only one certificate file can be installed on the platform. For more details on NGINX-compatible certificates, see the relevant nginx documentation: http://nginx.org/en/docs/http/ngx_http_ssl_module.html
Make sure that the SSL certificates you generate match the assigned network name of the platform.
The list of supported SSL ciphers is as follows. This list may change as ciphers are added or found to be insecure:
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-DSS-AES128-GCM-SHA256
kEDH+AESGCM
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
DHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA256
DHE-RSA-AES256-SHA256
DHE-DSS-AES256-SHA
DHE-RSA-AES256-SHA
AES128-GCM-SHA256
AES256-GCM-SHA384
AES128-SHA256
AES256-SHA256
AES128-SHA
AES256-SHA
AES
CAMELLIA