Custom TLS Certificate
If you don’t want to use the initial self-signed certificate, you can install your own. To do so, you need to access the container and modify the config file.
To access the container, you can either log in to our web interface and navigate to the admin console, or start an SSH session to your node and execute:
docker exec -it croit bash
Once inside the container, navigate to the config folder and update the config.yml file:
cd /config
vi config.yml
We use a small subset of possible options in our default configuration. Look for the following section:
server:
  applicationConnectors:
    - type: https
      port: 443
      keyStorePath: /config/selfsigned.pfx
      keyStorePassword: insecure
      keyStoreType: PKCS12
The only supported keystore type is a password-protected PKCS12 file. The password does not serve any security purpose, but is required because that's the way Java keystores work.
The majority of certificate authorities (CAs) supply certificates in the form of PEM-encoded files, not PKCS12 keystores; therefore, a conversion step is often necessary. To start, you need the following files (names commonly used by certbot are chosen as examples):
privkey.pem: the private key. The file should start with one of the following header lines: -----BEGIN PRIVATE KEY-----, -----BEGIN RSA PRIVATE KEY-----, or -----BEGIN EC PRIVATE KEY-----.
cert.pem: the certificate. The file should start with a -----BEGIN CERTIFICATE----- line.
chain.pem: intermediate certificates that define a path from your certificate to a trusted root CA. The certificates should chain properly. That is, your certificate should be signed by the intermediate CA that comes first in the file, whose certificate is then signed by the CA which comes next, and so on. The root CA certificate should generally not be included in the chain; the only consequence of including it is an otherwise-harmless waste of bytes.
The following command generates a correctly formatted PKCS12 keystore in the mgmt.pfx file, protected with the password "insecure":
openssl pkcs12 -export -out mgmt.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:insecure
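A common failure at this step is a chain.pem in the wrong order, or a privkey.pem that belongs to a different certificate; neither is reported by the export command itself, and the container then fails to start TLS. The script below is an added example (not part of croit's documentation or tooling) that checks the three PEM files the way the paragraph above describes, runs the same openssl export, and reports what the resulting keystore contains. It assumes openssl is on PATH and uses the certbot file names from the text; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not croit's own code: validate privkey.pem / cert.pem / chain.pem,
# then build and inspect the PKCS12 keystore the page's openssl command produces.
# Assumes openssl is installed; file names follow the certbot convention used above.

KEY_HEADERS='-----BEGIN PRIVATE KEY-----|-----BEGIN RSA PRIVATE KEY-----|-----BEGIN EC PRIVATE KEY-----'
CERT_HEADER='-----BEGIN CERTIFICATE-----'
KEYSTORE_PASS=insecure   # same password as the page; it protects nothing, Java merely requires one

# check_pem_header FILE ACCEPTED_HEADERS_REGEX
# Succeeds only if the first line of FILE is one of the accepted PEM header lines.
check_pem_header() {
    head -n 1 "$1" | grep -E -q "^($2)\$"
}

# check_key_matches_cert CERT KEY
# The public key inside the certificate must equal the one derived from the private key.
check_key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# check_chain_order CERT CHAIN
# Walks chain.pem in file order: the leaf must be issued by entry 1, entry 1 by entry 2, and so on.
check_chain_order() {
    tmp=$(mktemp -d)
    # split the bundle into one file per certificate: 1.pem, 2.pem, ...
    awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ } { print > (dir "/" n ".pem") }' "$2"
    issuer=$(openssl x509 -in "$1" -noout -issuer)
    n=1
    while [ -f "$tmp/$n.pem" ]; do
        subject=$(openssl x509 -in "$tmp/$n.pem" -noout -subject)
        if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            echo "chain entry $n (${subject#subject=}) did not issue the previous certificate (${issuer#issuer=})" >&2
            rm -rf "$tmp"
            return 1
        fi
        issuer=$(openssl x509 -in "$tmp/$n.pem" -noout -issuer)
        n=$((n + 1))
    done
    rm -rf "$tmp"
}

# build_keystore KEY CERT CHAIN OUT -- the page's export command, parameterised
build_keystore() {
    openssl pkcs12 -export -out "$4" -inkey "$1" -in "$2" -certfile "$3" -password "pass:$KEYSTORE_PASS"
}

# keystore_cert_count OUT
# Prints how many certificates the keystore holds (leaf + intermediates) without exporting the key.
keystore_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$KEYSTORE_PASS" -nokeys | grep -c -e "$CERT_HEADER"
}

main() {
    key=$1; cert=$2; chain=$3; out=${4:-mgmt.pfx}
    check_pem_header "$key" "$KEY_HEADERS"   || { echo "$key: not a PEM private key" >&2; exit 1; }
    check_pem_header "$cert" "$CERT_HEADER"  || { echo "$cert: not a PEM certificate" >&2; exit 1; }
    check_pem_header "$chain" "$CERT_HEADER" || { echo "$chain: not a PEM certificate bundle" >&2; exit 1; }
    check_key_matches_cert "$cert" "$key"    || { echo "$key does not belong to $cert" >&2; exit 1; }
    check_chain_order "$cert" "$chain"       || exit 1
    build_keystore "$key" "$cert" "$chain" "$out"
    echo "$out written; it contains $(keystore_cert_count "$out") certificate(s)"
}

# Usage: sh check_and_build.sh privkey.pem cert.pem chain.pem [mgmt.pfx]
if [ "$#" -ge 3 ]; then main "$@"; fi
```

Run it in the directory holding the three PEM files before copying mgmt.pfx into /config. The certificate count it prints should be one more than the number of intermediates in chain.pem; if the chain-order check fails, reorder chain.pem so that the issuer of cert.pem comes first.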
To update your certificate, replace the keyStorePath and keyStorePassword values with your own certificate details. Ensure your certificate file is located within the /config directory. After making these changes, restart the container to apply the new configuration:
docker restart croit
This will enable the use of your custom TLS certificate for secure communications.