Running Management Console with custom digital certificate

Resilio Active Everywhere Management Console can use custom digital certificates and keys of any common format. It uses two certificate/key pairs: one for web connections, the other for server-agent authentication.

Certificate and key requirements

A custom certificate and key must meet the following requirements to be used with Management Console:

  • The private key must be unencrypted.
  • The private key must be stripped of its passphrase.
  • The private key must be generated as a .key file.
  • The certificate must be generated as a .crt file.
  • Certificate extensions must comply with the "SSL Server" purpose requirements. Most browsers also require the "Subject Alternative Name" extension to be present for HTTPS connections.

Conform to JSON syntax

Pay attention to JSON syntax when editing the Console's configuration file for the new certificate. If the configuration file's syntax is invalid, the Management Console will fail to start.

Updating MC WebUI certificate

Edit the Management Console configuration file and add an ssl section to the https section, specifying the paths to the certificate and the key in the cert and key values respectively.

Windows:

"https": {
    "ssl": {
        "cert": "C:\\path\\to\\new.crt",
        "key": "C:\\path\\to\\new.key"
    },
    "tls": {
        "secureProtocol": "TLSv1_2_method",
        "ciphers": [_here come all ciphers_]
    }
},

Linux:

"https": {
    "ssl": {
        "cert": "/path/to/new.crt",
        "key": "/path/to/new.key"
    },
    "tls": {
        "secureProtocol": "TLSv1_2_method",
        "ciphers": [_here come all ciphers_]
    }
},

Restart the Management Console to apply changes.

Updating Agents connection and events certificate

This certificate is used for Agent connections to MC, including the events connections. Edit the MC configuration file and add two values to the tls section of peerServer to point it to the new certificate and key:

Windows:

"peerServer": {
    "tls": {
        "cert": "C:\\path\\to\\own.crt",
        "key": "C:\\path\\to\\own.key",
        "secureProtocol": "TLSv1_2_method",
        "ciphers": [_here come all ciphers_]
    }
},

Linux:

"peerServer": {
    "tls": {
        "cert": "/path/to/own.crt",
        "key": "/path/to/own.key",
        "secureProtocol": "TLSv1_2_method",
        "ciphers": [_here come all ciphers_]
    }
},

Restart the Management Console to apply changes.
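
A pre-flight check to run on the edited configuration before restarting, as an added example that is not Resilio's own code: it verifies the JSON syntax and, for the https.ssl and peerServer.tls pairs, the file extensions and that the key is not passphrase-protected. The function names are hypothetical, PEM-encoded keys are assumed, and the "SSL Server" purpose and Subject Alternative Name requirements are not checked here.

```python
import json
from pathlib import Path

# Config sections from this page that carry "cert" and "key" values.
PAIRS = {"https.ssl": ("https", "ssl"), "peerServer.tls": ("peerServer", "tls")}
# PEM markers of a passphrase-protected key (PKCS#8 and legacy OpenSSL format).
ENCRYPTED_MARKERS = ("BEGIN ENCRYPTED PRIVATE KEY", "Proc-Type: 4,ENCRYPTED")


def file_problems(path_str, suffix):
    """Check one configured path: expected extension, readable, key unencrypted."""
    path, problems = Path(path_str), []
    if path.suffix.lower() != suffix:
        problems.append(f"{path_str}: expected a {suffix} file")
    try:
        text = path.read_text(errors="replace")
    except OSError as exc:
        return problems + [f"{path_str}: cannot read ({exc.strerror})"]
    # Assumption: the key is PEM-encoded, so encryption shows up in its header.
    if suffix == ".key" and any(m in text for m in ENCRYPTED_MARKERS):
        problems.append(f"{path_str}: private key is passphrase-protected")
    return problems


def check_config(config_text):
    """Return a list of problems; an empty list means the checks passed."""
    try:
        cfg = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"]
    if not isinstance(cfg, dict):
        return ["top level of the configuration must be a JSON object"]
    problems = []
    for label, (outer, inner) in PAIRS.items():
        section = (cfg.get(outer) or {}).get(inner) or {}
        cert, key = section.get("cert"), section.get("key")
        if not cert and not key:
            continue  # this pair is not customised
        if not (cert and key):
            problems.append(f"{label}: set both cert and key")
            continue
        problems += file_problems(cert, ".crt") + file_problems(key, ".key")
    return problems


if __name__ == "__main__":
    # Constructed sample: a trailing comma, the kind of slip that stops MC starting.
    sample = '{"https": {"ssl": {"cert": "/path/to/new.crt", "key": "/path/to/new.key",}}}'
    print(check_config(sample))
```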

Agents verify fingerprint

After updating the Agent connection certificate, all Agents will lose their connection to the Management Console. The Administrator must then update the certificate's fingerprint on all Agents.

Since the new certificate will have a new fingerprint, the Agents need to learn about it to keep the connection to the Management Console.

  • If the Agent is connected using the configuration file, update the fingerprint in the Agent's configuration file. You can use this script to automate this process.
  • If the Agent was connected through the MC's IP address:
    1. In the Agent UI, navigate to Options > General and change the Management Console address to any other address, then click Save. The Agent will try to connect and will fail.
    2. Edit the address again and enter the proper address of the Management Console, then click Save.
    3. Approve the Agent's pending approval request.