Using a TLS Certificate for Canary Services (version 24)

By default, Canary generates a self-signed certificate for those of its services that require a secure, encrypted connection. This certificate, however, is not trusted by clients. To let users verify the identity of the server they are connecting to, a trusted TLS certificate is needed.

In order to use a TLS certificate, Canary requires that it:

  • Be issued by a public CA (e.g. DigiCert, GoDaddy).
  • Contain a private key.
  • Have the desired URL as its subject name.

Once issued, the certificate needs to be installed on the server. The service that is intended to use the certificate must then be updated. This is done by opening the appropriate tile within the Canary Admin client and navigating to the Configuration or Settings tab (depending on the tile) at the bottom. For example, to update Axiom's certificate information:

  1. Open the Axiom tile and navigate to Configuration>Endpoints.
  2. Under CERTIFICATE (HTTPS), select the Certificate option from the Kind drop-down menu. This will present the user with 3 parameters to fill out: the Store Name, Find Type, and Subject Name.

  3. Select the appropriate Store Name based upon where the certificate is installed.
  4. Choose the Find Type, whether you are searching by SubjectName, Thumbprint, or TemplateName.
  5. Enter the subject name, thumbprint, or template name value into the Subject Name field.

Once configured, the user should be able to click the 'INFO...' button and verify the details of the certificate. If the button does not appear, the service was not able to locate a certificate matching the criteria provided.
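A pre-check for the certificate requirements and the three lookup fields above, run on the server before the values are entered in the Canary Admin client. This is an added example, not part of the original article or Canary's own tooling; it assumes the certificate is installed in the LocalMachine store location, uses the placeholder host name `canary.example.com`, and assumes the Find Type options behave like the .NET `X509FindType` searches of the same names.

```powershell
# Added example: pre-check a certificate before pointing a Canary service at it.
# Assumptions (not from the article): LocalMachine store location, placeholder
# host name, and Find Type behaving like .NET's X509FindType searches.
param(
    [string]$StoreName = 'My',                       # "Personal" store
    [ValidateSet('SubjectName', 'Thumbprint', 'TemplateName')]
    [string]$FindType  = 'SubjectName',
    [string]$FindValue = 'canary.example.com',       # placeholder lookup value
    [string]$DnsName   = 'canary.example.com'        # placeholder host users will browse to
)

$x509  = 'System.Security.Cryptography.X509Certificates'
$store = New-Object "$x509.X509Store" -ArgumentList $StoreName, 'LocalMachine'
$store.Open('ReadOnly')
try {
    $type  = [System.Security.Cryptography.X509Certificates.X509FindType]"FindBy$FindType"
    # validOnly = $false so expired or untrusted matches are reported, not hidden
    $found = $store.Certificates.Find($type, $FindValue, $false)
}
finally {
    $store.Close()
}

if ($found.Count -eq 0) {
    Write-Warning "No certificate in LocalMachine\$StoreName matches $FindType '$FindValue'."
    return
}
if ($found.Count -gt 1) {
    # FindBySubjectName is a case-insensitive substring match in .NET
    Write-Warning "$($found.Count) certificates match; a thumbprint lookup is unambiguous."
}

foreach ($cert in $found) {
    # Test-Certificate builds the chain and checks the SSL policy for the host name
    $ok = Test-Certificate -Cert $cert -Policy SSL -DNSName $DnsName `
              -ErrorAction SilentlyContinue -WarningAction SilentlyContinue
    [pscustomobject]@{
        Subject           = $cert.Subject
        Issuer            = $cert.Issuer
        Thumbprint        = $cert.Thumbprint
        NotAfter          = $cert.NotAfter
        HasPrivateKey     = $cert.HasPrivateKey           # article: must contain a private key
        SelfSigned        = ($cert.Subject -eq $cert.Issuer)
        TrustedForDnsName = [bool]$ok                     # chain trusted and name matches
    }
}
```

A certificate that is ready to configure shows `HasPrivateKey` and `TrustedForDnsName` as `True` and `SelfSigned` as `False`.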

2 replies

    • erice
    • 12 hrs ago

    OK - once the certificate is loaded and the URI added to the Axiom component, do I need to remove the other URI? When I use the URI for the certificate, it redirects to the non-secure URI for login information, then once the log-in information is entered it redirects back to the certificate URI. It's not clear from the steps what I am doing wrong. Can someone give me some guidance? Thanks

      • smason
      • 11 hrs ago

      You can leave or remove the original Axiom URI. It all depends on if you want users to be able to access Axiom using the old URL.

      What you probably want to do though is configure Identity to also use that same trusted certificate that Axiom is configured to use because it is still using the non-secure URI for the authentication page.