Certificate Management: Installer-Generated Certificates

For proof of concepts and first-time installations, utilize installer-generated, self-signed certificates.

Good to Know

  • By default, installer-generated internal server certificates use the Wildcard Certificate model.

  • By default, configuration parameter use_single_client_cert=true, and generate_certs.sh generates a single shared client certificate used by all platform services for mTLS client authentication.

Prerequisites

Step 1: Generate Certificates (backend-1)

On backend-1 or single-node, run generate_certs.sh to generate and self-sign all required certificates:

cd $installer_dir/certificates/
./generate_certs.sh
cd ..

generate-certs.sh populates all required certificate files under the certificates directory and generates an archive file named kf-agilesec.internal-certs.tgz. kf-agilesec.internal-certs.tgz contains all generated certificate files as well as each node’s .env. After generation, kf-agilesec.internal-certs.tgz must be copied from backend-1 to all other nodes.

The script has the following additional option flags available. Installation options can also be found by running ./generate_certs.sh --help.

generate_certificates.sh short flag

Required

Description

-n

No

Non-interactive mode: no prompts, overwrite files.

-e <path>

No

Path to .env file. Defaults to ../.env

-v

No

Verbose mode: outputs additional console statements for debugging.

-V <directory>

No

Validation-only mode: validates existing certificates in specified directory.

Step 2: Deploy Generated Files to All Other Nodes (backend-1 to all nodes)

Copy kf-agilesec.internal-certs.tgz from backend-1 to all other nodes.

For each node, copy kf-agilesec.internal-certs.tgz to $installer_dir/certificates/.

4-Node Cluster Example

scp kf-agilesec.internal-certs.tgz <user@frontend-1 IP>:$installer_dir/certificates/
scp kf-agilesec.internal-certs.tgz <user@frontend-2 IP>:$installer_dir/certificates/
scp kf-agilesec.internal-certs.tgz <user@backend-2 IP>:$installer_dir/certificates/

Note: scp command is provided as an example. You may use any file transfer method suitable to your environment.

On each node, unarchive kf-agilesec.internal-certs.tgz to create the certificate structure:

cd $installer_dir/certificates/ 
tar zxvf kf-agilesec.internal-certs.tgz

Note: kf-agilesec.internal-certs.tgz also contains each node’s .env.

Step 3: Establish Certificate External Trust

Browsers and external clients will not trust self-signed certificates, as generated by generate_certs.sh, by default unless you import the installer CA chain into their trust stores.

Non-BYOC users must import the installer’s external server combo certificate $installer_dir/certificates/<analytics_hostname>.<analytics_domain>/agilesec-analytics-server-combo-cert-key.pem into the external browser(s) or the entire chain, including CA $installer_dir/certificates/ca/agilesec-rootca-cert.pem, into the computer(s) trust stores to establish trust.