Using custom SSL certificates for the policy console

For policy consoles newer than 3.22.4, follow these steps to use a custom SSL certificate.

Step-by-step guide

UI

To use a custom certificate for the console UI, follow these steps on your console host:

  1. If you already have a custom certificate, copy your SSL certificate to /etc/policy-console.crt, and the key to /etc/policy-console.key. Skip to step 2.

    To create a new openssl cert and key, run this command, providing the required input. For CN, use your hostname/IP:

    openssl req \
    -newkey rsa:2048 \
    -x509 \
    -keyout /etc/policy-console.key \
    -out /etc/policy-console.crt \
    -days 3650 \
    -nodes -sha256
  2. Reboot the console to pick up the new certificate:

    sudo service policy-console reboot

To validate the certificate, run this command:

openssl s_client -showcerts -connect localhost:443
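Before the reboot in step 2, it is worth confirming that the pair is usable: a key that does not match the certificate, or a certificate that does not name the console host, only shows up once the service is back up. The check below is an added example, not part of this guide or the console's own tooling; it assumes the openssl CLI is on the path and uses the file paths from step 1.

```shell
#!/bin/sh
# check_console_cert CERT KEY HOSTNAME [MIN_DAYS]
# Returns 0 when CERT and KEY form a matching pair, CERT is valid for at
# least MIN_DAYS more days (default 30) and HOSTNAME appears in the CN or
# subjectAltName. Prints one line per failed check. Added example code.
check_console_cert() {
    cert="$1"; key="$2"; host="$3"; min_days="${4:-30}"
    rc=0

    # 1. Pairing: the public key embedded in the certificate must equal the
    #    public key derived from the private key, otherwise the TLS listener
    #    cannot start after the reboot.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "cannot read certificate $cert"; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "cannot read key $key"; return 1; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "key $key does not match certificate $cert"; rc=1
    fi

    # 2. Remaining validity: -checkend takes seconds and exits non-zero when
    #    the certificate expires inside that window.
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "certificate $cert expires within $min_days days"; rc=1
    fi

    # 3. Name match: the guide puts the hostname/IP in the CN; clients also
    #    (or only) look at subjectAltName, so accept CN, DNS or IP entries.
    esc=$(printf '%s' "$host" | sed 's/[.]/\\./g')
    if ! openssl x509 -in "$cert" -noout -text \
        | grep -Eq "CN ?= ?$esc(,|$)|DNS:$esc(,|$)|IP Address:$esc(,|$)"; then
        echo "certificate $cert is not issued for $host"; rc=1
    fi
    return $rc
}
```

Run it as `check_console_cert /etc/policy-console.crt /etc/policy-console.key "$(hostname)"` before step 2; a non-zero exit and the printed reason mean the pair should not be installed yet.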
REST API

To use a custom keystore for the console REST API, follow these steps on your console host:

  1. If you already have a custom keystore, copy it to /etc/policy-console.keystore. Skip to step 2.

    To create your custom keystore, run this command; when prompted, use the same password for the key as for the keystore.

    sudo keytool -genkey \
     -keyalg RSA \
     -validity 360 \
     -keysize 2048 \
     -alias policyConsole \
     -keystore /etc/policy-console.keystore
  2. Edit the /etc/policy-console-${RELEASE}.env file and add the following line, with your keystore password:

    KEYSTORE_PASS=<insert keystore password from step one>

    Note that no quotes (single or double) are required around the password.

  3. Reboot the console to pick up the new certificate:

    sudo service policy-console reboot

To validate the certificate used by the API, run this command:

openssl s_client -showcerts -connect localhost:8443