Activate SSL / TLS / HTTPS - Renew Certificates
Last Update: 21.05.2024
Prerequisites
A valid local certificate must exist in the menu Certificates → Local certificates
An HTTPS Listener must be active
Upload Certificate
The certificate can be uploaded via Certificates → Local certificates using the button at the bottom left:
Import certificate via ZIP file
The easiest way to import a certificate is via a zip file.
The following should be included for a valid certificate chain:
Certificate (.crt or .pem)
CA (.crt or .pem)
Private key (only necessary for own certificates, recognizable by the .key file extension)
Intermediate certificate (.crt or .pem, if required)
Example:
Note 1: PKCS8 and PKCS1 certificate containers are supported.
Note 2: PKCS12 / PFX certificate containers are also supported. However, there may be problems with the import (usually in conjunction with Windows tools). PFX files can be imported with a tool such as XCA and the certificates can be exported individually. Then proceed as above.
Note 3: If the zip file is password-protected, please enter the password before uploading the file.
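A pre-upload check for the zip file described above, as an added example that is not part of the original documentation or the product: it lists what each file in the zip contains and flags a missing CA or private key, a PKCS12 container, or a password-protected archive. It assumes the .crt, .pem and .key files are PEM-encoded text; the function names and the sample file names are constructed for illustration.

```python
import io
import re
import zipfile

PEM_LABEL = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")  # assumption: files are PEM text
KINDS = {"CERTIFICATE": "certificate", "PRIVATE KEY": "PKCS8 private key",
         "ENCRYPTED PRIVATE KEY": "encrypted PKCS8 private key",
         "RSA PRIVATE KEY": "PKCS1 private key"}

def inspect_bundle(zip_bytes):
    """Classify each file in a certificate zip; return (inventory, problems)."""
    inventory, problems = {}, []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
        if any(i.flag_bits & 0x1 for i in infos):  # encrypted entries (Note 3)
            return {}, ["zip is password-protected: not inspected, enter the password before upload"]
        for info in infos:
            name = info.filename
            ext = name.rsplit(".", 1)[-1].lower()
            if ext in ("pfx", "p12"):  # Note 2
                inventory[name] = ["PKCS12 container"]
                problems.append(f"{name}: PKCS12 import can fail, export the parts individually")
            elif ext in ("crt", "pem", "key"):
                text = zf.read(name).decode("latin-1")
                inventory[name] = [KINDS.get(l, l.lower()) for l in PEM_LABEL.findall(text)]
                if not inventory[name]:
                    problems.append(f"{name}: no PEM block found (DER-encoded or wrong file?)")
            else:
                inventory[name] = []
                problems.append(f"{name}: unexpected file type for a certificate bundle")
    found = [kind for kinds in inventory.values() for kind in kinds]
    if found.count("certificate") < 2:
        problems.append("fewer than two certificates: certificate and CA are expected")
    if not any("private key" in kind for kind in found):
        problems.append("no private key: needed for own certificates")
    return inventory, problems

def build_sample_zip(files):
    """Constructed sample input: {filename: [PEM labels]}, bodies are dummy base64."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, labels in files.items():
            body = "".join(f"-----BEGIN {l}-----\nZHVtbXk=\n-----END {l}-----\n" for l in labels)
            zf.writestr(name, body)
    return buf.getvalue()

if __name__ == "__main__":
    print(inspect_bundle(build_sample_zip({"server.crt": ["CERTIFICATE"], "server.key": ["RSA PRIVATE KEY"]})))
```

The check only reads PEM labels; it does not verify that the key matches the certificate or that the chain is valid.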
Set Alias / Note
Once the certificate has been successfully imported, it appears in the certificate overview.
Right-click on the certificate to set an alias / note with the content mycertificate. This is required for the next step.
Activate HTTPS Listener
To activate an HTTPS listener (HTTPS endpoint), enable the corresponding section in hub.xml (see Adding an HTTPS listener) and set the parameter serverCertSubjectName to the shorthand ksnote:mycertificate. Then restart the data service.
Finally, to check whether HTTPS is active, open the data GUI in the browser using https://.
Renewing existing certificates
Existing certificates can be renewed in the same way as described above.
Let's Encrypt
Let's Encrypt automates the replacement of certificates and thus reduces the effort of having to manually replace expired certificates.
Instructions can be found here: Let's Encrypt/ACME/Certbot