For proof of concepts and first-time installations, utilize installer-generated, self-signed certificates.
Good to Know
-
By default, installer-generated internal server certificates use the Wildcard Certificate model.
-
By default, configuration parameter
use_single_client_cert=true, andgenerate_certs.shgenerates a single shared client certificate used by all platform services for mTLS client authentication.
Prerequisites
-
.envmust exist prior to generating certificates. See instructions in Linux AgileSec Installation guides for more details.
Step 1: Generate Certificates (backend-1)
On backend-1 or single-node, run generate_certs.sh to generate and self-sign all required certificates:
cd $installer_dir/certificates/
./generate_certs.sh
cd ..
generate-certs.sh populates all required certificate files under the certificates directory and generates an archive file named kf-agilesec.internal-certs.tgz. kf-agilesec.internal-certs.tgz contains all generated certificate files as well as each node’s .env. After generation, kf-agilesec.internal-certs.tgz must be copied from backend-1 to all other nodes.
The script has the following additional option flags available. Installation options can also be found by running ./generate_certs.sh --help.
|
generate_certificates.sh short flag |
Required |
Description |
|---|---|---|
|
|
No |
Non-interactive mode: no prompts, overwrite files. |
|
|
No |
Path to .env file. Defaults to |
|
|
No |
Verbose mode: outputs additional console statements for debugging. |
|
|
No |
Validation-only mode: validates existing certificates in specified directory. |
Step 2: Deploy Generated Files to All Other Nodes (backend-1 to all nodes)
Copy kf-agilesec.internal-certs.tgz from backend-1 to all other nodes.
For each node, copy kf-agilesec.internal-certs.tgz to $installer_dir/certificates/.
4-Node Cluster Example
scp kf-agilesec.internal-certs.tgz <user@frontend-1 IP>:$installer_dir/certificates/
scp kf-agilesec.internal-certs.tgz <user@frontend-2 IP>:$installer_dir/certificates/
scp kf-agilesec.internal-certs.tgz <user@backend-2 IP>:$installer_dir/certificates/
Note: scp command is provided as an example. You may use any file transfer method suitable to your environment.
On each node, unarchive kf-agilesec.internal-certs.tgz to create the certificate structure:
cd $installer_dir/certificates/
tar zxvf kf-agilesec.internal-certs.tgz
Note: kf-agilesec.internal-certs.tgz also contains each node’s .env.
Step 3: Establish Certificate External Trust
Browsers and external clients will not trust self-signed certificates, as generated by generate_certs.sh, by default unless you import the installer CA chain into their trust stores.
Non-BYOC users must import the installer’s external server combo certificate $installer_dir/certificates/<analytics_hostname>.<analytics_domain>/agilesec-analytics-server-combo-cert-key.pem into the external browser(s) or the entire chain, including CA $installer_dir/certificates/ca/agilesec-rootca-cert.pem, into the computer(s) trust stores to establish trust.