Setting up custom SSL certificates for HTTPS connections - Platform - BlueCat Gateway - 24.1

Gateway Administration Guide

Product name
BlueCat Gateway

Gateway requires TLS/SSL certificates to communicate over HTTPS networks. If no TLS/SSL certificates exist in a workspace when Gateway starts, it will automatically generate and use a new set of unique, self-signed certificates.

Since these certificates are self-signed, they're not validated by any certificate authority. If you prefer, you can instead have Gateway use your own custom TLS/SSL certificates, such as certificates signed by an appropriate authority. Custom certificates must use strong Advanced Encryption Standard protocols, such as Elliptic Curve Diffie-Hellman (ECDH) with 128 bits of keyspace. You can use custom certificates with both custom and built-in workspaces.

Warning: As of v22.4.1, Gateway now restricts TLS/SSL security certificates to those using strong protocols and encryption ciphers. Certificates that use static key ciphers, cipher block chaining (CBC), or other weak protocols that are vulnerable to known decryption attacks will be rejected.

After upgrading to BlueCat Gateway v22.4.1 or later, you must replace any TLS/SSL certificates that use weak encryption protocols. We recommend that all certificates employed on your system use strong Advanced Encryption Standard protocols, not just those used by Gateway.

To upload certificates using the Gateway UI:

To manually install certificate files outside of Gateway:

  1. Install the files in the following locations, relative to the workspace root:

    • Store the certificate's crt file as certificates/server/gateway.crt, in PEM (Privacy-Enhanced Mail) format. This may include intermediate CA certificates. Create the certificates/server directory if it doesn't already exist.

      For example, if your workspace root is /root/gwdata/customizations, store the certificate's crt file as /root/gwdata/customizations/certificates/server/gateway.crt.

    • Store the certificate's key file for the certificate as certificates/server/gateway.key.

    Note: The certificate crt and key files must be named gateway.crt and gateway.key, respectively
  2. After copying certificate files to the workspace, restart the container.