Certificates

The Hub management service uses a web server to provide the web user interface. By default, the web server uses a self-signed certificate, which can be replaced with a certificate signed by a trusted certificate authority.

Replacing self-signed certificate

The Hub allows replacing the self-signed certificate by generating a certificate signing request (CSR) or by uploading the certificate with the private key.

The system will attempt to load the uploaded certificate and private key right away. If the new certificate is not reflected, the Hub server will need to be restarted. See Restarting a service for more information.

The generated certificate must contain the fully qualified domain name (FQDN) of the Hub server in the Subject Alternative Name (SAN) field.

Replace using CSR

The following steps replace the self-signed certificate using a CSR generated by the Hub.

  1. Access the Hub web interface using its fully qualified domain name (FQDN). This is important when downloading the CSR file in the next step.

  2. Navigate to the Certificates page.

  3. Click the More button and select Upload Certificate from External CA.

  4. Select External CA will sign your certificate request (CSR).

  5. Click the Download button to download the CSR file.

  6. Have the trusted certificate authority sign the CSR.

  7. Upload the signed certificate and CA certificate.

  8. Click the Apply button.

Upload certificate and private key

The following steps replace the self-signed certificate using an existing certificate and a private key generated by the trusted certificate authority.

Before you begin, ensure you already have certificate and private key files that meet the following prerequisites.

Prerequisites

  • Certificate file

    • Must be in PEM format

    • Must contain the fully qualified domain name (FQDN) of the Hub server in the Subject Alternative Name (SAN) field

  • Private key file

    • Must be in PEM format

    • Must be RSA or ECDSA

    • Must not be encrypted

  • CA certificate file

    • Must be in PEM format
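
The prerequisites above can be checked locally before uploading. The following shell function is an added example, not part of the Hub product or its documentation. It assumes the `openssl` command-line tool is installed, and the function name and argument order are illustrative.

```shell
# Added example: pre-upload check of the prerequisites listed above.
# Usage (file names are illustrative): check_hub_cert CERT KEY CA FQDN

is_pem_cert() {
    # PEM armor must be present and the body must parse as X.509.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" &&
        openssl x509 -in "$1" -noout 2>/dev/null
}

check_hub_cert() {
    cert=$1; key=$2; ca=$3; fqdn=$4; rc=0
    fail() { echo "FAIL: $*" >&2; rc=1; }

    is_pem_cert "$cert" || { fail "certificate is not a PEM X.509 file"; return 1; }
    is_pem_cert "$ca" || fail "CA certificate is not a PEM X.509 file"

    # The SAN must list the FQDN as a DNS entry. Exact, case-insensitive
    # match only; a wildcard entry is not accepted by this check.
    want=$(printf 'dns:%s' "$fqdn" | tr '[:upper:]' '[:lower:]')
    openssl x509 -in "$cert" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | tr -d ' ' | tr '[:upper:]' '[:lower:]' |
        grep -Fxq -e "$want" || fail "SAN does not contain $fqdn"

    # An encrypted key has a PKCS#8 "ENCRYPTED PRIVATE KEY" header or a
    # legacy "Proc-Type: 4,ENCRYPTED" line.
    if grep -q -e 'ENCRYPTED' "$key"; then
        fail "private key is encrypted"; return 1
    elif ! grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key"; then
        fail "private key is not PEM"; return 1
    fi

    # Key type is read from the certificate, then bound to the key file by
    # comparing public keys (an extra sanity check beyond the listed items).
    alg=$(openssl x509 -in "$cert" -noout -text |
        sed -n 's/.*Public Key Algorithm: *//p')
    case $alg in
        rsaEncryption*|id-ecPublicKey*) ;;
        *) fail "key type '$alg' is not RSA or ECDSA" ;;
    esac
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null </dev/null) ||
        fail "private key does not parse"
    cpub=$(openssl x509 -in "$cert" -noout -pubkey)
    [ "$kpub" = "$cpub" ] || fail "private key does not match certificate"
    return "$rc"
}
```

The function returns 0 only when every check passes and prints one `FAIL:` line per problem to standard error.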

Uploading

  1. Navigate to the Certificates page.

  2. Click the More button and select Upload Certificate from External CA.

  3. Select Upload a private key with signed certificate and CA.

  4. Upload the signed certificate, private key, and CA certificate files.

  5. Click the Apply button.