Separate certificate for web console

[uvtms 1]

Hello,

 

I installed the ERA and I am trying to configure it so that it's reasonably accessible.

 

It's completely fine to have agent and server certificates signed by a private CA specific to the ERA installtion. In fact, given the restrictions on certificates issued by commectial CAs it may turn out I would not be even able to obtain certificates that would allow agent installation.

 

The problem is that accessing the console does not work easily without a certificate signed by a well known authority. So what I need is an option to import certificate for remote console access which is separate from the certificates used to authenticate the server and the agents.

 

Unfortunately, I do not see this option in the ERA certificate management.

 

Edit: it is possible to set certificate just for the Tomcat server using Java certificate tool without accessing the console web interface at all. This does not seem to hinder the server operation and allows using  certificate issued by well-known CA for the console so browsers can access it easily. The certificate will be probably overwritten next time new server certificate is installed.

Edited November 20, 2015 by uvtms

[MartinK 378]

Hello,

as you already noticed, certificate used for Webconsole is unrelated to other ERA certificates managed through administration section.
Once you modify Tomcat configuration to your needs (see: hxxp://support.eset.com/kb3724/, https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Installing_a_Certificate_from_a_Certificate_Authority), it won't be affected by ERA upgrade nor any other operation performed by ERA. Even manual upgrade of Apache Tomcat installation should preserve configuration.