Gateway requires TLS/SSL certificates to communicate over HTTPS networks. If no TLS/SSL certificates exist in a workspace when Gateway starts, it will automatically generate and use a new set of unique, self-signed certificates.
Since these certificates are self-signed, they're not validated by any certificate authority. If you prefer, you can instead have Gateway use your own custom TLS/SSL certificates, such as certificates signed by an appropriate authority. Custom certificates must use strong Advanced Encryption Standard protocols, such as Elliptic Curve Diffie-Hellman (ECDH) with 128 bits of keyspace. You can use custom certificates with both custom and built-in workspaces.
After upgrading to BlueCat Gateway v22.4.1 or later, you must replace any TLS/SSL certificates that use weak encryption protocols. We recommend that all certificates employed on your system use strong Advanced Encryption Standard protocols, not just those used by Gateway.
To upload certificates using the Gateway UI:
To manually install certificate files outside of Gateway:
Install the files in the following locations, relative to the workspace root:
- Store the certificate's crt file as certificates/server/gateway.crt, in PEM (Privacy-Enhanced Mail) format. This may include intermediate CA certificates. Create the certificates/server directory if it doesn't already exist.
  For example, if your workspace root is /root/gwdata/customizations, store the certificate's crt file as /root/gwdata/customizations/certificates/server/gateway.crt.
- Store the certificate's key file as certificates/server/gateway.key.
  Note: The certificate crt and key files must be named gateway.crt and gateway.key, respectively.
- Set read, write, and execute permissions on the custom workspace and logs folder. To do so, run the following commands, where <workspace-root> and <logs-folder> are placeholders for the paths of the custom workspace and the logs folder:
  chmod -R o=rwx <workspace-root>
  chmod -R o=rwx <logs-folder>
After copying certificate files to the workspace, restart the container.
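As an added example (not BlueCat's own code), the script below checks the layout described above before you restart the container: the exact file names and directory, that gateway.crt holds only PEM CERTIFICATE blocks, and that gateway.key holds exactly one unencrypted PEM private key. It assumes nothing beyond the paths stated in the steps, and it checks PEM structure only, not key strength or that the key matches the certificate.

```python
import re
import sys
from pathlib import Path

# Exact paths Gateway reads, relative to the workspace root (from the steps above).
CERT_REL = Path("certificates/server/gateway.crt")
KEY_REL = Path("certificates/server/gateway.key")

# One PEM block: "-----BEGIN <label>-----" ... "-----END <label>-----" (labels must match).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)


def pem_labels(text: str) -> list[str]:
    """Labels of every PEM block in a file, in order, e.g. ['CERTIFICATE', 'CERTIFICATE']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_cert_material(cert_text: str, key_text: str) -> list[str]:
    """Structural checks on the contents of gateway.crt and gateway.key; [] means OK."""
    problems = []
    crt = pem_labels(cert_text)
    if not crt:
        problems.append("gateway.crt: no PEM CERTIFICATE block found (DER-encoded or empty file?)")
    elif any(label != "CERTIFICATE" for label in crt):
        problems.append("gateway.crt: must contain only CERTIFICATE blocks (server cert, then intermediates)")
    key = pem_labels(key_text)
    if len(key) != 1 or not key[0].endswith("PRIVATE KEY"):
        problems.append("gateway.key: must contain exactly one PEM private-key block and nothing else")
    elif key[0].startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in key_text:
        # Assumption: an unattended container start has no way to supply a key passphrase.
        problems.append("gateway.key: passphrase-protected key; store an unencrypted private key")
    return problems


def check_workspace(workspace_root: str) -> list[str]:
    """Check the file layout under a workspace root, then the file contents."""
    root = Path(workspace_root)
    server_dir = root / "certificates" / "server"
    if not server_dir.is_dir():
        return [f"missing directory {server_dir} (create it, then add gateway.crt and gateway.key)"]
    # Near-miss names (server.crt, gateway.pem, ...) are a common reason Gateway keeps self-signing.
    problems = [f"{p.name}: not named gateway.crt or gateway.key, so Gateway will not use it"
                for p in server_dir.iterdir() if p.name not in ("gateway.crt", "gateway.key")]
    missing = [str(root / rel) for rel in (CERT_REL, KEY_REL) if not (root / rel).is_file()]
    problems += [f"missing {path}" for path in missing]
    if not missing:
        problems += check_cert_material((root / CERT_REL).read_text(), (root / KEY_REL).read_text())
    return problems


if __name__ == "__main__":
    issues = check_workspace(sys.argv[1] if len(sys.argv) > 1 else "/root/gwdata/customizations")
    print("\n".join(issues) if issues else "certificate layout looks correct; restart the container")
    sys.exit(1 if issues else 0)
```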