
Running Management Console with custom digital certificate

Resilio Active Everywhere Management Console can use custom digital certificates and keys of any common format. Two certificate/key pairs are used: one for the web UI (port 8443) and the API gateway (port 8446), the other for server-agent authentication (port 8444), proxy to Management Console connections (port 1080), and events (port 8445).

Note

A custom certificate cannot be applied to Agent-to-Agent connections.

Certificate and key requirements

A custom certificate and key must meet the following requirements to be used with the Management Console:

  • The private key must be unencrypted, i.e. not protected by a passphrase (strip the passphrase before use).
  • The private key must be supplied as a .key file.
  • The certificate must be supplied as a .crt file.
  • The certificate's extensions must satisfy the "SSL Server" purpose requirements. Most browsers additionally require a "Subject Alternative Name" extension for HTTPS connections.

Conform to JSON syntax

Pay attention to JSON syntax when editing the Console's configuration file for the new certificate: if the file's syntax is invalid, the Management Console will fail to start. Note that backslashes in Windows paths must be doubled inside JSON strings, as in the Windows examples on this page.

Updating Management Console web UI certificate

To apply a custom certificate for connections to the Management Console's web UI (port 8443) and the API gateway (port 8446):

  1. Edit the Management Console's configuration file and add an ssl section inside the https section, specifying the paths to the certificate and the key in the cert and key values respectively.

    Windows:

    "https": {
        "ssl": {
            "cert": "C:\\path\\to\\new.crt",
            "key": "C:\\path\\to\\new.key"
        },
        "tls": {
            "secureProtocol": [_TLS encryption method_],
            "ciphers": [_allowed ciphers_]
        }
    },

    Linux:

    "https": {
        "ssl": {
            "cert": "/path/to/new.crt",
            "key": "/path/to/new.key"
        },
        "tls": {
            "secureProtocol": [_TLS encryption method_],
            "ciphers": [_allowed ciphers_]
        }
    },


    TLS encryption method

    The secureProtocol parameter's value depends on your initially deployed version. For more information on TLS encryption settings, see Configuring TLS Encryption for Management Console.

  2. Restart the Management Console to apply changes.
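The following POSIX shell script is an added example, not Resilio's own tooling, covering the certificate and key requirements listed above, the JSON-syntax caveat, and the web UI configuration step. It generates a key/certificate pair that meets the requirements, checks each requirement with openssl (unencrypted key, "SSL server" purpose, SAN present), prints the certificate fingerprint that the Agents will later have to be updated to, and writes a syntactically valid "https"/"ssl" fragment. The host name console.example.internal, the temporary paths, the use of a self-signed certificate and the choice of SHA-256 as the fingerprint digest are assumptions for illustration; in production use a CA-issued certificate and the tls values from the TLS configuration page.

```shell
#!/bin/sh
# Added example, not Resilio's own tooling: generate a key/certificate pair
# that satisfies the requirements listed above, verify each requirement with
# openssl, and emit the "https"/"ssl" JSON fragment for the console config.
# The DNS name, the paths and the use of a self-signed certificate are
# assumptions for illustration; in production use a CA-issued certificate.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CN="${CN:-console.example.internal}"   # assumed console host name

# Write an unencrypted key (-nodes) and a certificate carrying a serverAuth EKU
# and a SAN: that is what "SSL Server purpose" plus the browser SAN rule mean.
gen_pair() {   # $1 = cert path, $2 = key path
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 825 \
        -keyout "$2" -out "$1" -subj "/CN=$CN" \
        -addext "subjectAltName=DNS:$CN" \
        -addext "extendedKeyUsage=serverAuth" \
        -addext "keyUsage=digitalSignature,keyEncipherment" 2>/dev/null
}

# Requirement: no passphrase. Encrypted PEM keys carry "ENCRYPTED" in their
# header; also confirm openssl parses the key without being given a password.
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$1" && openssl pkey -in "$1" -noout 2>/dev/null
}

# Strip the passphrase ($2) from an encrypted key ($1), writing plaintext to $3.
strip_passphrase() {
    openssl pkey -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null
}

# Requirement: "SSL server" purpose as openssl derives it from EKU/keyUsage.
cert_is_ssl_server() {
    openssl x509 -in "$1" -noout -purpose | grep -q '^SSL server : Yes'
}

# Browser requirement: at least one DNS or IP entry in subjectAltName.
cert_has_san() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | grep -Eq 'DNS:|IP Address:'
}

# The fingerprint Agents will have to be updated to after the swap. The page
# does not name the digest; SHA-256 is assumed here.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Run all three requirement checks on a pair; a non-zero exit names the failure.
check_pair() {   # $1 = cert path, $2 = key path
    key_is_unencrypted "$2" || { echo "FAIL: key is passphrase-protected" >&2; return 1; }
    cert_is_ssl_server "$1" || { echo "FAIL: no SSL server purpose" >&2; return 1; }
    cert_has_san "$1"       || { echo "FAIL: no subjectAltName" >&2; return 1; }
    echo "OK: $1 and $2 meet the console requirements"
}

# Escape a path for a JSON string (backslashes in Windows paths, quotes).
json_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Only the ssl sub-section is generated; the tls values depend on the deployed
# version and come from the TLS configuration page.
https_ssl_fragment() {   # $1 = cert path, $2 = key path
    printf '{\n  "https": {\n    "ssl": {\n      "cert": "%s",\n      "key": "%s"\n    }\n  }\n}\n' \
        "$(json_escape "$1")" "$(json_escape "$2")"
}

# The console refuses to start on malformed JSON, so parse the file first.
json_is_valid() {
    python3 -c 'import json, sys; json.load(sys.stdin)' < "$1" 2>/dev/null
}

CERT="$WORKDIR/new.crt"; KEY="$WORKDIR/new.key"
gen_pair "$CERT" "$KEY"
check_pair "$CERT" "$KEY"
echo "new fingerprint: $(cert_fingerprint "$CERT")"
https_ssl_fragment "$CERT" "$KEY" > "$WORKDIR/https-ssl.json"
if json_is_valid "$WORKDIR/https-ssl.json"; then
    echo "fragment parses as JSON: $WORKDIR/https-ssl.json"
else
    echo "python3 unavailable or fragment is not valid JSON" >&2
fi
```

Run it as-is to get a throwaway pair under a temp directory, or with CN=your.console.host and an existing key/cert to only run check_pair against files from your CA. A key that fails key_is_unencrypted can be converted with strip_passphrase before it is referenced from the configuration file.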

Updating Agents connection and events certificate

Agents verify Management Console certificate's fingerprint

Applying a new certificate will result in Agents disconnecting from the Management Console. You will have to update the certificate's fingerprint on all Agents to re-establish connectivity between Agents and the Management Console.

To apply a custom certificate for Agents to Management Console communication (port 8444), Proxy to Management Console connections (port 1080), and events (port 8445):

  1. Edit the Management Console's configuration file and add cert and key values to the tls section of peerServer, pointing them at the new certificate and key:

    Windows:

    "peerServer": {
        "tls": {
            "cert": "C:\\path\\to\\own.crt",
            "key": "C:\\path\\to\\own.key",
            "secureProtocol": [_TLS encryption method_],
            "ciphers": [_list of allowed ciphers_]
        }
    },

    Linux:

    "peerServer": {
        "tls": {
            "cert": "/path/to/own.crt",
            "key": "/path/to/own.key",
            "secureProtocol": [_TLS encryption method_],
            "ciphers": [_list of allowed ciphers_]
        }
    },


    TLS encryption method

    The secureProtocol parameter's value depends on your initially deployed version. For more information on TLS encryption settings, see Configuring TLS Encryption for Management Console.

  2. Restart the Management Console to apply changes.

Since the new certificate will have a new fingerprint, the Agents need to learn about it to keep the connection to the Management Console.

  • If the Agent is connected using the configuration file, update the fingerprint in the Agent's configuration file.

    Tip

    You can use this script to automate this process.

  • If an agent was connected by providing the Management Console's IP address:

    1. In the Agent UI, navigate to Settings > General and change the Management Console address to any other address. The Agent will try to connect and fail.
    2. Edit the address again and enter the correct address of the Management Console.
    3. Approve the Agent's pending connection request in the Management Console.