Using a TLS Certificate for Canary Services (version 24)
By default, Canary generates a self-signed certificate for its services that require a secure encrypted connection. This certificate, however, is not a trusted certificate. If wishing to ensure the identity of the server the user is connecting to, a trusted TLS certificate is needed.
In order to utilize a TLS certificate Canary requires that it
- Be issued by a public CA (e.g. DigiCert, GoDaddy).
- Contain a private key
- Has the desired url for its subject name
Once issued, this certificate will need installed on the server. The service which is intended to use this certificate must then be updated. This is accomplished by opening the appropriate tile within the Canary Admin client and navigating to the Configuration or Settings tab (depending on the tile) at the bottom. For example, if wishing to update Axiom's certificate information:
- Open the Axiom tile and navigate to Configuration>Endpoints.
- Under CERTIFICATE (HTTPS), select the Certificate option from the Kind drop-down menu. This will present the user with 3 parameters to fill out: the Store Name, Find Type, and Subject Name.
- Select the appropriate Store Name based upon where the certificate is installed.
- Choose the Find Type, whether you are searching by SubjectName, Thumbprint, or TemplateName.
- Enter the subject name, thumbprint, or template name value into the Subject Name field.
Once configured, the user should be able to click the 'INFO...' button and verify the details of the certificate. If the button does not appear, that indicates the service is not able to locate it, based upon the criteria provided.
7 replies
-
OK - once the Certificate is loaded and the URI added to the Axiom component, Do I need to remove the other URI? When I use the URI for the certificate, it redirects to the non-secure URI for login information, then once the log-in information is entered it redirects back to the certificate Uri. It's not clear from the steps what I am doing wrong. Can someone give me some guidence. Thanks
-
You can leave or remove the original Axiom URI. It all depends on if you want users to be able to access Axiom using the old URL.
What you probably want to do though is configure Identity to also use that same trusted certificate that Axiom is configured to use because it is still using the non-secure URI for the authentication page. -
OK - I have 2 Canary servers. I did this on both of them. One seems to work as I would expect, going to a secure sign in. But, the other server still goes to an unsecure login page. Any ideas?
-
If you click the INFO... button where the cert is configured for Identity, does it display the trusted cert? Is there any commonality between the SubjectNames of the trusted cert compared to our self-signed one? I don't recall the exact search criteria we use, but if they are similarly named, perhaps it is finding a duplicate???
-
Yes - I thought maybe the same thing, so I used the thumbprint to differentiate and still the same.
-
Actually it looks like you need to have the certificate have both the new and the old name in it for it to work since there is a redirect to the old name for the login. Adding the old name to the certificate solved the problem.
-
I may have misinterpreted your first statement when you mentioned the "URI added to the Axiom component". I believe what may have caused this is found in the Identity tile where the Redirect URI's are listed. You can add/edit/remove these as needed.
This is what I thought you were referring to. If there is a new URI you want to use, you would want to edit the "canary_axiom" application. I'm guessing your old URI is listed here.
-
Print this page