Configuring SSL certificates for proper HTTPS

A regular Scai installation serves the web interface over a secure connection. However, the certificate generated by the default Scai installation is self-signed, and we recommend replacing it with an SSL certificate suited for your domain.

We recommend using a reverse proxy/load balancer (e.g. nginx) to serve your own SSL certificates with Scai. If this option is not feasible, follow these steps to configure Scai to use your SSL certificates directly.

Create a Java key store

You need to have the following files:

  • your certificate file (preferably with the certificate authority chain): fullchain.pem
  • your private key: privkey.pem

Copy these files to the machine where Scai is installed and place them under /opt/scai/data/cert/ (if the directory does not exist, create it with mkdir /opt/scai/data/cert).

Log into the Scai machine. Then:

  1. choose a password
  2. create a pkcs12 keystore:
       openssl pkcs12 -export -in /opt/scai/data/cert/fullchain.pem -inkey /opt/scai/data/cert/privkey.pem -out /opt/scai/data/cert/pkcs.p12 -name scai
    • you will be prompted for a password. Use the one from step 1.
  3. create the Java key store:
       keytool -importkeystore -destkeystore /opt/scai/data/cert/scai.jks -srckeystore /opt/scai/data/cert/pkcs.p12 -srcstoretype PKCS12 -deststoretype PKCS12 -alias scai
    • you will be prompted for two passwords. Use the one from step 1 for both the src and dest passwords.
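
Before step 2, it is worth confirming that privkey.pem belongs to the leaf certificate in fullchain.pem, that the certificate has not expired, and that the key is not readable by other users. The script below is an added example, not part of the Scai documentation; the function names and return codes are hypothetical, and it assumes an unencrypted private key and OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not Scai's own tooling): pre-flight checks for the files
# that go into the keystore. Assumes an unencrypted private key.

# SHA-256 of the DER form of a PEM public key read from stdin.
pubkey_sha256() {
    openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# Usage: preflight_scai_cert fullchain.pem privkey.pem
# Returns 0 when all checks pass, 2 if a file cannot be parsed, 3 if the key
# does not match the certificate, 4 if the certificate has expired,
# 5 if the private key is accessible to group or others.
preflight_scai_cert() {
    # Parse both files first, so two unreadable inputs never compare as equal.
    openssl x509 -in "$1" -noout 2>/dev/null ||
        { echo "cannot parse certificate: $1" >&2; return 2; }
    openssl pkey -in "$2" -noout 2>/dev/null ||
        { echo "cannot parse private key: $2" >&2; return 2; }

    # openssl x509 reads only the first certificate in the file, which is
    # the leaf when the file is a full chain.
    cert_hash=$(openssl x509 -in "$1" -noout -pubkey | pubkey_sha256)
    key_hash=$(openssl pkey -in "$2" -pubout | pubkey_sha256)
    [ "$cert_hash" = "$key_hash" ] ||
        { echo "private key does not match the certificate" >&2; return 3; }

    # -checkend 0 exits non-zero when the certificate is already expired.
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired" >&2; return 4; }

    # Characters 5-10 of the ls mode string are the group and other bits.
    case $(ls -lL "$2" | cut -c5-10) in
        ------) ;;
        *) echo "private key is accessible to group/others: chmod 600 $2" >&2
           return 5 ;;
    esac
    return 0
}

# Run directly, for example:
#   sh preflight.sh /opt/scai/data/cert/fullchain.pem /opt/scai/data/cert/privkey.pem
if [ "$#" -eq 2 ]; then
    preflight_scai_cert "$1" "$2" && echo "OK: safe to build the keystore"
fi
```

A non-zero return from the function means the openssl pkcs12 command in step 2 should not be run until the reported problem is fixed.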

Configure Scai to use the created Java key store

Now we only need to configure Scai to use the newly created key store (/opt/scai/data/cert/scai.jks). To do so:

  • if you're running Scai in the cloud or running on premises with a configured systemd service (SYSTEMD=true was used during installation):

    • create a directory for storing a new configuration file for Scai's systemd service:
        mkdir /lib/systemd/system/scai.service.d
    • then create a file /lib/systemd/system/scai.service.d/30-certificates.conf
    • edit the file and paste the following contents, making sure you adjust the SCAI_KEYSTORE_PASSWORD line with the password you selected in step 1 when you created the Java key store:
        [Service]
        Environment="SCAI_KEYSTORE=/opt/scai/data/cert/scai.jks"
        Environment="SCAI_KEYSTORE_PASSWORD=[java_keystore_chosen_password]"
        Environment="SCAI_KEYSTORE_TYPE=PKCS12"
    • then, reload and restart the Scai service:
        sudo systemctl daemon-reload && sudo systemctl restart scai
  • if you're running Scai on premises without any systemd service, then just set the following environment variables before starting the Scai server:

    • SCAI_KEYSTORE=/opt/scai/data/cert/scai.jks
    • SCAI_KEYSTORE_PASSWORD=<java_keystore_chosen_password> (make sure to use the password chosen in step 1 when creating the Java key store)
    • SCAI_KEYSTORE_TYPE=PKCS12

Scai will now be able to pick up your SSL certificates without an issue.