					
				Replacing server SSL certificate
				Posted: 31 May 2022, 15:27
				by Taomyn
				Have installed Opsi for the first time and things are going fine so far, but I am having problems replacing the server SSL certificates with one from my local CA. I've uploaded the new cert and the key, then added the following lines to the opsiconfd.conf file but all it ever does is replace the same files with new ones generated by the Opsi CA.
Code: Select all
ssl-server-cert = /etc/opsi/ssl/kang_mydomain_com.crt
ssl-server-key = /etc/opsi/ssl/kang_mydomain_com.key
I also tried adding the following and still the same:
Code: Select all
ssl-ca-cert = /etc/opsi/ssl/CACert.crt
ssl-trusted-certs = /etc/opsi/ssl/CACert.crt
Lastly, I tried the 
 but then the service failed to load.
What's the correct procedure because this doesn't appear to be fully documented in the English documentation on-line?
 
			
					
				Re: Replacing server SSL certificate
				Posted: 31 May 2022, 16:17
				by j.schneider
				Hello,
first of all you should think twice before replacing these certificates.
The opsi ca is used to automatically create and renew certificates for opsi-servers and clients.
If you really want to manage all the certificates manually, you should set
And place the server certificate into /etc/opsi/ssl/opsiconfd-cert.pem and the private key into /etc/opsi/ssl/opsiconfd-key.pem.
Regards,
Jan Schneider
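Jan's reply names the two target files, but the option line he says to set did not survive in the thread, so the following covers only the part that can be checked locally before touching the server. This is an added shell example, not opsi's own code: it confirms that a certificate issued by your own CA actually pairs with its private key and chains to that CA, and only then copies the pair into a directory as opsiconfd-cert.pem and opsiconfd-key.pem. The make_test_pki helper builds a throwaway CA and server certificate with openssl purely so the script runs offline; the name kang.mydomain.com and the CA subjects are constructed, and the destination directory is a parameter so the script can be tried outside /etc/opsi/ssl.

```shell
#!/bin/sh
# Added example (not opsi project code): sanity-check a locally issued server
# certificate and key before installing them for opsiconfd.
# Requires the openssl command-line tool.
set -eu

# check_cert_and_key CERT KEY CA
# Returns 0 only if KEY is the private key for CERT and CERT validates
# against CA. Prints the reason to stderr and returns 1 otherwise.
check_cert_and_key() {
    cert="$1"; key="$2"; ca="$3"
    for f in "$cert" "$key" "$ca"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    # 1. Pairing: the public key embedded in the certificate must equal the
    #    public key derived from the private key (compared via SHA-256).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate" >&2; return 1; }
    # 2. Chain: the certificate must be verifiable with the local CA bundle.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "certificate does not chain to CA $ca" >&2; return 1; }
    return 0
}

# install_server_cert CERT KEY CA DESTDIR
# Copies the pair to DESTDIR under the file names from Jan's reply
# (opsiconfd-cert.pem / opsiconfd-key.pem), but only after the checks pass.
# The key is made readable by the owner only; ownership (the user opsiconfd
# runs as) is deliberately left to the administrator, as it is not stated here.
install_server_cert() {
    check_cert_and_key "$1" "$2" "$3" || return 1
    mkdir -p "$4"
    cp "$1" "$4/opsiconfd-cert.pem" && chmod 0644 "$4/opsiconfd-cert.pem"
    cp "$2" "$4/opsiconfd-key.pem"  && chmod 0600 "$4/opsiconfd-key.pem"
}

# make_test_pki DIR
# Constructed test data only: a throwaway CA, a server certificate it signed,
# an unrelated CA and an unrelated key, so the checks can be exercised offline.
make_test_pki() {
    dir="$1"; mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Constructed Test CA" -days 1 >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/other-ca.key" -out "$dir/other-ca.crt" \
        -subj "/CN=Unrelated Test CA" -days 1 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=kang.mydomain.com" >/dev/null 2>&1
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/server.crt" -days 1 >/dev/null 2>&1
    # A key that belongs to no certificate here, to exercise the pairing check.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/other.key" >/dev/null 2>&1
}

# Usage when run directly: sh check-opsi-cert.sh CERT KEY CA
if [ "$#" -eq 3 ]; then
    check_cert_and_key "$1" "$2" "$3" && echo "certificate and key look consistent"
fi
```

Running the script with the real certificate, key and CA file as arguments performs both checks without writing anything; install_server_cert is the step that copies files, so point its fourth argument at a scratch directory first if you want to see what it produces.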
 
			
					
				Re: Replacing server SSL certificate
				Posted: 01 Jun 2022, 09:38
				by Taomyn
				Hi Jan,
Thanks for the prompt advice - I totally get why you would urge caution but the issue I have is that my domain is protected by HSTS which means any certificate has to be trusted by the browser or it will not load unless I use the IP address. Now I know I could just add the Opsi CA certificate to the local machine's trusted store but when I already have a CA infrastructure set up it seems that would be the better way to go. The server certificate I can replace annually myself just as I do for all my other services and the Windows clients all have their own certificate that is automatically updated by Active Directory.
Anyway, as I am still just evaluating Opsi and learning how it works I'll just add the Opsi CA certificate to my workstation and continue that way. I can revisit this again later hopefully.
BTW, is there any way to change the login prompt of the opsiconfd admin website to use a standard form for the credentials? I cannot use my browser's Bitwarden password manager extension to enter the complex credentials with the pop-up - it still surprises me that this feature has still not been deprecated in all browsers or made available to extensions to auto-fill.
Cheers,
Taomyn
			 
			
					
				Re: Replacing server SSL certificate
				Posted: 01 Jun 2022, 10:05
				by j.schneider
				Hi Taomyn,
please note that our opsi-client-agent can be configured to automatically import the opsi ca into the operating system certificate store.
See opsiclientd.global.install_opsi_ca_into_os_store in the documentation:
https://docs.opsi.org/opsi-docs-en/4.2/ ... ver2client
Unfortunately there is currently no other way to log in to opsiconfd, but I will take that on our list.
Regards,
Jan
 
			
					
				Re: Replacing server SSL certificate
				Posted: 02 Jun 2022, 02:36
				by SisterOfMercy
				Taomyn wrote: ↑01 Jun 2022, 09:38
Anyway, as I am still just evaluating Opsi and learning how it works I'll just add the Opsi CA certificate to my workstation and continue that way. I can revisit this again later hopefully.
 
I'm not sure if the way opsi uses the certificates is public. I know the default way has a failsafe. You don't want to manually update the certificate on every client.