Server Certificates
Generate and install your server certificate for secure connections.
The server certificate ensures secure connections to Cybus Connectware and must be properly maintained to avoid security issues. Regular certificate updates are necessary following Let's Encrypt renewals through certbot or when deploying self-signed certificates in your environment.
Without proper certificate configuration, users may encounter browser security warnings when accessing the Admin UI. To establish trusted communication within enterprise networks, Connectware requires server certificates that are trusted and validated by your organization's Public Key Infrastructure (PKI).
Generating the Server Certificate
The following procedure can be performed on any system with OpenSSL installed.
To define the server certificate configuration, create or modify an openssl.cnf file with the following parameters. Customize the values to match your specific environment:
[alt_names]
DNS.1 = localhost
DNS.2 = server.cybus.io
DNS.3 = *.cybus.io
DNS.4 = *.dev.cybus.io
DNS.5 = a048ffe65867e4a02b615faa014e3cdb-1179064562.cybus.io
DNS.6 = *.eu-central.cybus.io
IP.1 = 127.0.0.1
IP.2 = 192.168.178.110
IP.3 = 172.17.0.1
[req]
# Options for the `req` tool (`man req`).
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
default_md = sha256
prompt = no
# Extension to add when the -x509 option is used.
x509_extensions = server_cert
extensions = server_cert
req_extensions = server_cert
[req_distinguished_name]
countryName = DE
stateOrProvinceName = HH
0.organizationName = Acme Test 002
organizationalUnitName = Shopfloor
commonName = Cybus Connectware Server 1
[server_cert]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName=@alt_names
To generate a new private key, run the following command:
openssl genrsa -out cybus_server.key 2048
Store the cybus_server.key file in a secure location.
Generate a Certificate Signing Request (CSR) using your private key:
openssl req -new -key cybus_server.key -out cybus_server.csr -config openssl.cnf
Submit the CSR to your IT department or certificate authority.
After receiving the signed server certificate, store the cybus_server.crt file in a secure location.
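The following script is an added example, not part of the Cybus documentation. It checks that the signed certificate returned by the CA still belongs to your private key and still covers the names from [alt_names], since a CA can issue a certificate without the requested subjectAltName entries. The function names and the script name check_cert.sh are hypothetical; it assumes an openssl binary whose x509 command supports -checkhost and -checkip.

```shell
#!/bin/sh
# Added example: checks on the signed certificate before it is copied
# into Connectware. Function names are illustrative, not a Connectware tool.

# Print the PEM public key contained in a private key, CSR or certificate.
pubkey_of() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
    esac 2>/dev/null
}

# same_key KIND_A FILE_A KIND_B FILE_B: succeed only if both files parse
# and hold the same public key (an unreadable file never counts as a match).
same_key() {
    a=$(pubkey_of "$1" "$2") || return 2
    b=$(pubkey_of "$3" "$4") || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# cert_covers CERT host|ip NAME: succeed if the certificate is valid for NAME,
# using OpenSSL's own hostname/IP matching (wildcard entries included).
cert_covers() {
    case "$2" in
        host) flag=-checkhost ;;
        ip)   flag=-checkip ;;
        *)    return 2 ;;
    esac
    openssl x509 -in "$1" -noout "$flag" "$3" 2>/dev/null |
        grep -q 'does match certificate'
}

# preinstall_check KEY CERT [NAME...]: NAME is a DNS name or IPv4 address
# that clients use to reach Connectware.
preinstall_check() {
    key=$1 cert=$2; shift 2
    same_key key "$key" cert "$cert" || { echo "key/cert mismatch" >&2; return 1; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "certificate expired" >&2; return 1; }
    for name in "$@"; do
        case "$name" in *[!0-9.]*) kind=host ;; *) kind=ip ;; esac
        cert_covers "$cert" "$kind" "$name" ||
            { echo "not valid for $name" >&2; return 1; }
    done
}

# Example: sh check_cert.sh cybus_server.key cybus_server.crt server.cybus.io 192.168.178.110
if [ "$#" -ge 2 ]; then preinstall_check "$@"; fi
```

The same same_key function can compare the CSR with the key before submission, for example same_key csr cybus_server.csr key cybus_server.key.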
Installing the Server Certificate
Installing the Server Certificate (Kubernetes)
Obtain the corporate certificate (.crt) and key (.key) files from your IT department.
Copy these files to Connectware's certificate volume using the following commands:
Replace [path-to/your-key-file.key] and [path-to/your-cert-file.crt] with the absolute paths to your key and certificate files.
Replace [namespace] with the Kubernetes namespace that hosts your Connectware installation.
kubectl -n [namespace] cp [path-to/your-key-file.key] $(kubectl -n [namespace] get pod -lapp=system-control-server -o name | sed -e 's/pod\///g'):/connectware_certs/cybus_server.key
kubectl -n [namespace] cp [path-to/your-cert-file.crt] $(kubectl -n [namespace] get pod -lapp=system-control-server -o name | sed -e 's/pod\///g'):/connectware_certs/cybus_server.crt
After updating the certificates, restart Connectware to apply the changes.
You must also add the CA certificate to Connectware to establish the trust chain. See CA Certificates.