Modifying the self-signed web console certificate

You can use your company's certificate and key instead of the self-signed certificate of the web console. For example, if you want to replace self-signed CA Core certificate with a certificate issued by an enterprise CA, you must provide an external.cert and an unencrypted external.key in PEM format.

The following example shows how to replace a self-signed CA Core certificate with an enterprise certificate in PFX format. You can use the instructions as an example and adapt the steps according to your needs.

To replace the certificate of the KUMA web console with an external certificate:

  1. If you are using a certificate and key in a PFX container, use OpenSSL to convert the PFX file to a certificate and encrypted key in PEM format:

    openssl pkcs12 -in kumaWebIssuedByCorporateCA.pfx -nokeys -out external.cert

    openssl pkcs12 -in kumaWebIssuedByCorporateCA.pfx -nocerts -nodes -out external.key

    When carrying out the command, you are required to specify the PFX key password (Enter Import Password).

    As a result, the external.cert certificate and the external.key in PEM format are returned.

  2. If your external.key is not encrypted, make sure that the key has the PKCS#8 format. KUMA will not accept a key file that begins with the BEGIN RSA PRIVATE KEY tag. In this case, convert the file using the following command:

    openssl rsa -in rsa_private.key -outform PEM -out private.key

    The file produced by this command begins with the BEGIN PRIVATE KEY tag, and KUMA accepts such a key file.

  3. In the KUMA web interface, go to the Settings → Other → General → Core settings section. under External TLS pair, click Upload certificate and Upload key and upload the external.cert file and the unencrypted external.key file in PEM format.
  4. Restart KUMA:

    systemctl restart kuma-core

  5. Refresh the web page or restart the browser hosting the KUMA web interface.

Your company certificate and key have been replaced.

Page top