Resilio Connect Management Console can use custom digital certificates and keys of any common format. Two certificate/key pairs are used: one for web connections, the other for server-agent authentication.
- Updating MC WebUI certificate
- Updating Agents connection and events certificate
Certificate and key requirements
A custom certificate and key must comply with the following requirements to be used with Management Console:
- the private key must be unencrypted;
- the private key must be stripped of its passphrase;
- the certificate extensions must comply with the "SSL Server" purpose requirements.
Most browsers also require the "Subject Alternative Name" extension to be present for HTTPS connections.
Conform to JSON syntax
Pay attention to JSON syntax when editing the Console's configuration file for the new certificate. If the config file syntax is invalid, your Management Console will fail to start.
Updating MC WebUI certificate
Edit the Management Console configuration file and add an ssl section to the https section, specifying the paths to the certificate and the key in the cert and key values respectively.
With Windows paths:
    "https": {
        "ssl": {
            "cert": "C:\\path\\to\\new.crt",
            "key": "C:\\path\\to\\new.key"
        },
        "tls": {
            "secureProtocol": "TLSv1_2_method",
            "ciphers": [here come all ciphers]
        }
    },
With Unix-style paths:
    "https": {
        "ssl": {
            "cert": "/path/to/new.crt",
            "key": "/path/to/new.key"
        },
        "tls": {
            "secureProtocol": "TLSv1_2_method",
            "ciphers": [here come all ciphers]
        }
    },
Restart the Management Console to apply changes.
Updating Agents connection and events certificate
This certificate is used for Agent connections to the MC, including the events connections. Edit the MC configuration file and add two values, cert and key, to the tls section of peerServer to point it to the new certificate and key.
With Windows paths:
    "peerServer": {
        "tls": {
            "cert": "C:\\path\\to\\own.crt",
            "key": "C:\\path\\to\\own.key",
            "secureProtocol": "TLSv1_2_method",
            "ciphers": [here come all ciphers]
        }
    },
With Unix-style paths:
    "peerServer": {
        "tls": {
            "cert": "/path/to/own.crt",
            "key": "/path/to/own.key",
            "secureProtocol": "TLSv1_2_method",
            "ciphers": [here come all ciphers]
        }
    },
Restart the Management Console to apply changes.
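A check to run on the edited configuration file before restarting, given here as an added example that is not part of Resilio's documentation or tooling: it parses the file as JSON and flags a passphrase-protected PEM key referenced from the https/ssl or peerServer/tls section. It assumes those sections sit at the top level of the configuration file and that the keys are PEM files; check_config and the other function names are hypothetical.

```python
import json
import sys

# Sections and keys as shown on this page; that they sit at the top level of
# the configuration file is an assumption of this example.
SECTIONS = {("https", "ssl"): "MC WebUI", ("peerServer", "tls"): "Agent connection"}


def key_is_encrypted(pem_text):
    """True if a PEM private key carries a passphrase (PKCS#8 or legacy header)."""
    return ("-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text
            or "Proc-Type: 4,ENCRYPTED" in pem_text)


def read_text(path):
    with open(path, "r", errors="replace") as fh:
        return fh.read()


def check_config(config_text, read_file=read_text):
    """Return a list of problems; an empty list means these checks passed."""
    try:
        config = json.loads(config_text)
    except json.JSONDecodeError as exc:
        # Typical cause: a Windows path written with single backslashes.
        return [f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"]
    if not isinstance(config, dict):
        return ["invalid config: top level is not a JSON object"]
    problems = []
    for (outer, inner), label in SECTIONS.items():
        section = (config.get(outer) or {}).get(inner) or {}
        cert, key = section.get("cert"), section.get("key")
        if not cert and not key:
            continue  # no custom pair configured for this listener
        if not (cert and key):
            problems.append(f"{label}: 'cert' and 'key' must both be set")
            continue
        try:
            read_file(cert)  # only confirms the certificate file is readable
            key_text = read_file(key)
        except OSError as exc:
            problems.append(f"{label}: cannot read certificate or key: {exc}")
            continue
        if key_is_encrypted(key_text):
            problems.append(f"{label}: {key} is passphrase-protected")
    return problems


if __name__ == "__main__" and len(sys.argv) > 1:
    found = check_config(read_text(sys.argv[1]))
    print("\n".join(found) or "no problems found")
    sys.exit(1 if found else 0)
```

Run it with the path to the configuration file as the only argument; it does not check the certificate's extensions or that the key matches the certificate.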
Agents verify fingerprint
After updating the Agent connection certificate, all Agents will lose their connection to the Management Console. The Administrator will then need to update the certificate's fingerprint on all Agents. Since the new certificate will have a new fingerprint, the Agents need to learn about it to keep the connection to the Management Console.
a) if the agent is connected using the configuration file, update the fingerprint in the config file. You can use this script to automate this process.
b) if an agent was connected through MC's IP address, follow the instruction below:
- in Agent UI go to Options -> General and update Management Console to any other address. Save.
- Agent will try to connect and will apparently fail to connect.
- Edit the address again and put the proper address of the Management Console. Save.
- Agent will send a request for approval, and once approved, will update the fingerprint in its settings.