Server Certificates

Generate and install your server certificate for secure connections.

The server certificate ensures secure connections to Cybus Connectware and must be properly maintained to avoid security issues. Update the certificate after each Let's Encrypt renewal through certbot, or when you deploy self-signed certificates in your environment.

Without proper certificate configuration, users may encounter browser security warnings when accessing the Admin UI. To establish trusted communication within enterprise networks, Connectware requires server certificates that are trusted and validated by your organization's Public Key Infrastructure (PKI).

Generating the Server Certificate

The following procedure can be performed on any system with OpenSSL installed.

All certificate and key files must be in PEM format.

  1. To define the server certificate configuration, create or modify an openssl.cnf file with the following parameters. Customize the values to match your specific environment:

[alt_names]
DNS.1 = localhost
DNS.2 = server.cybus.io
DNS.3 = *.cybus.io
DNS.4 = *.dev.cybus.io
DNS.5 = a048ffe65867e4a02b615faa014e3cdb-1179064562.cybus.io
DNS.6 = *.eu-central.cybus.io
IP.1 = 127.0.0.1
IP.2 = 192.168.178.110
IP.3 = 172.17.0.1

[req]
# Options for the `req` tool (`man req`).
default_bits        = 2048
distinguished_name  = req_distinguished_name
string_mask         = utf8only
default_md          = sha256
prompt              = no

# Extension to add when the -x509 option is used.
x509_extensions     = server_cert
extensions          = server_cert
req_extensions      = server_cert

[req_distinguished_name]
countryName              = DE
stateOrProvinceName      = HH
0.organizationName       = Acme Test 002
organizationalUnitName   = Shopfloor
commonName               = Cybus Connectware Server 1

[server_cert]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName=@alt_names

  2. To generate a new private key, run the following command:

openssl genrsa -out cybus_server.key 2048

  3. Store the cybus_server.key file in a secure location.

  4. Generate a Certificate Signing Request (CSR) using your private key:

openssl req -new -key cybus_server.key -out cybus_server.csr -config openssl.cnf

  5. Submit the CSR to your IT department or certificate authority.

  6. After receiving the signed server certificate, store the cybus_server.crt file in a secure location.
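
Before installing the signed certificate, it is worth confirming that it pairs with your private key and still carries what the CSR requested. The script below is an added example, not part of the Cybus documentation or tooling; the function name check_server_cert and the script name check_cert.sh are assumptions, and it uses only the openssl command line.

```shell
#!/bin/sh
# Added example (not Cybus code): pre-install checks for a signed certificate.
# Usage: check_server_cert KEY_FILE CRT_FILE HOSTNAME  (returns 0 only if all pass)
check_server_cert() {
    key=$1; crt=$2; host=$3

    # 1. Both files must be PEM, as required above.
    grep -q 'BEGIN CERTIFICATE' "$crt" ||
        { echo "FAIL: $crt is not a PEM certificate" >&2; return 1; }
    grep -q 'BEGIN .*PRIVATE KEY' "$key" ||
        { echo "FAIL: $key is not a PEM private key" >&2; return 1; }

    # 2. The certificate must contain the public key of the private key
    #    generated above; a mismatched pair cannot complete a TLS handshake.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ] ||
        { echo "FAIL: certificate does not match private key" >&2; return 1; }

    # 3. The certificate must not be expired.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null ||
        { echo "FAIL: certificate has expired" >&2; return 1; }

    # 4. The CA must have kept the serverAuth usage requested in [server_cert].
    openssl x509 -in "$crt" -noout -text |
        grep -q 'TLS Web Server Authentication' ||
        { echo "FAIL: extendedKeyUsage lacks serverAuth" >&2; return 1; }

    # 5. The name clients connect to must be covered by the certificate
    #    (wildcard subjectAltName entries are honoured by -checkhost).
    openssl x509 -in "$crt" -noout -checkhost "$host" |
        grep -q 'does match certificate' ||
        { echo "FAIL: $host is not covered by the certificate" >&2; return 1; }

    echo "OK: $crt matches $key and covers $host"
}

# Run the checks when called as: sh check_cert.sh KEY CRT HOSTNAME
if [ "$#" -eq 3 ]; then
    check_server_cert "$@"
fi
```

Run it once for each DNS name that clients use to reach Connectware; to check an IP entry from [alt_names], use openssl x509 -checkip instead of -checkhost.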

Installing the Server Certificate

All certificate and key files must be in PEM format.

Installing the Server Certificate (Kubernetes)

  1. Obtain the corporate certificate (.crt) and key (.key) files from your IT department.

  2. Copy these files to Connectware's certificate volume using the following commands:

    Replace [path-to/your-key-file.key] and [path-to/your-cert-file.crt] with the absolute paths to your key and certificate files.

    Replace [namespace] with the Kubernetes namespace that hosts your Connectware installation.

kubectl -n [namespace] cp [path-to/your-key-file.key] $(kubectl -n [namespace] get pod -lapp=system-control-server -o name | sed -e 's/pod\///g'):/connectware_certs/cybus_server.key
kubectl -n [namespace] cp [path-to/your-cert-file.crt] $(kubectl -n [namespace] get pod -lapp=system-control-server -o name | sed -e 's/pod\///g'):/connectware_certs/cybus_server.crt

  3. After updating the certificates, restart Connectware to apply the changes.
