Configuring SSL certificates for proper HTTPS
On a regular Scai installation you can already reach the web interface over HTTPS. However, the certificate generated by the default installation is self-signed: browsers warn about it and clients have no way to verify that they are talking to your server. Use a certificate issued for your own domain instead.
We recommend terminating TLS at a reverse proxy or load balancer (e.g. nginx) in front of Scai and installing your certificates there. If that is not feasible, follow these steps to configure Scai itself to use your certificates.
Create a Java key store
You need to have the following files:
- your certificate file, preferably including the certificate authority chain: fullchain.pem
- your private key: privkey.pem
Copy these files to the machine where Scai is installed and place them under /opt/scai/data/cert/ (create the directory if it does not exist with mkdir /opt/scai/data/cert). Restrict the permissions on privkey.pem (for example chmod 600) so that only the account Scai runs as can read it: anyone who can read the key can impersonate your server.
Log into the Scai machine. Then:
1. choose a password
2. create a PKCS#12 keystore:
openssl pkcs12 -export -in /opt/scai/data/cert/fullchain.pem -inkey /opt/scai/data/cert/privkey.pem -out /opt/scai/data/cert/pkcs.p12 -name scai
You will be prompted for an export password. Use the one from step 1.
3. create the Java key store:
keytool -importkeystore -destkeystore /opt/scai/data/cert/scai.jks -srckeystore /opt/scai/data/cert/pkcs.p12 -srcstoretype PKCS12 -deststoretype PKCS12 -alias scai
You will be prompted for the destination keystore password (and asked to confirm it, since the file is new) and then for the source keystore password. Use the one from step 1 for all of them.
Note that because of -deststoretype PKCS12 the resulting scai.jks is a PKCS#12 file despite its extension, which is why SCAI_KEYSTORE_TYPE is set to PKCS12 in the configuration below. Both pkcs.p12 and scai.jks contain your private key, so give them the same restricted permissions as privkey.pem.
Configure Scai to use the created Java key store
Now we only need to configure Scai to use the newly created key store (/opt/scai/data/cert/scai.jks). To do so:
If you're running Scai in the cloud, or on premises with a configured systemd service (SYSTEMD=true was used during installation):
- create a directory for storing a new configuration file for Scai's systemd service:
mkdir /lib/systemd/system/scai.service.d
- then create the file /lib/systemd/system/scai.service.d/30-certificates.conf
- edit the file and paste the following contents, replacing [java_keystore_chosen_password] on the SCAI_KEYSTORE_PASSWORD line with the password you selected in step 1 when you created the Java key store:
[Service]
Environment="SCAI_KEYSTORE=/opt/scai/data/cert/scai.jks"
Environment="SCAI_KEYSTORE_PASSWORD=[java_keystore_chosen_password]"
Environment="SCAI_KEYSTORE_TYPE=PKCS12"
- the file now contains the keystore password in clear text, so make it readable by root only (chmod 600 /lib/systemd/system/scai.service.d/30-certificates.conf). Keep in mind that systemd exposes a unit's Environment= values to unprivileged local users (for example through systemctl show), so if other users have shell access to the machine, put the three variable assignments (without the Environment= wrapper) in a root-only file and load it with EnvironmentFile= instead; the variable names Scai reads stay the same.
- then, reload and restart the Scai service:
sudo systemctl daemon-reload && sudo systemctl restart scai
If you're running Scai on premises without a systemd service, set the following environment variables before starting the Scai server, using the password chosen in step 1 when you created the Java key store:
SCAI_KEYSTORE=/opt/scai/data/cert/scai.jks
SCAI_KEYSTORE_PASSWORD=<java_keystore_chosen_password>
SCAI_KEYSTORE_TYPE=PKCS12
Export them from a root-only file that your start script sources rather than typing the password on the command line, where it would be recorded in the shell history.
Scai will now pick up your certificates. Verify it after the restart by connecting from another machine with openssl s_client -connect <scai-host>:<port> -servername <scai-host> and checking that the subject matches your domain, that the issuer is your CA rather than the self-signed default, and that the verify return code is 0 (ok).
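The keystore steps above and the final check, scripted end to end as an added example (this is not code from the Scai documentation or the Scai project): the same openssl and keytool commands, but non-interactive, with the password read from a KEYSTORE_PASSWORD environment variable instead of a prompt, the key-bearing files locked down, and two checks a practitioner would run before restarting Scai (which certificate and how many chain elements the keystore holds) and after (what the server actually presents). The CERT_DIR default, the function names and the KEYSTORE_PASSWORD variable name are this example's own choices; the Scai paths and the -name/-alias scai values are the ones from the page.

```shell
#!/bin/sh
# Added example, not part of the Scai documentation. Non-interactive version of the
# keystore procedure. The password comes from $KEYSTORE_PASSWORD (an assumption of
# this script) via openssl's "env:" password source and keytool's ":env" modifier,
# so it never appears in `ps` output or the shell history. Requires openssl; the
# conversion step additionally requires keytool from a JDK.
set -eu

# Assumed default; the page's certificate directory.
CERT_DIR="${CERT_DIR:-/opt/scai/data/cert}"

require_password() {
    : "${KEYSTORE_PASSWORD:?set KEYSTORE_PASSWORD before running}"
    export KEYSTORE_PASSWORD
}

# Step 2: build the intermediate PKCS#12 file from fullchain.pem + privkey.pem.
# Usage: make_pkcs12 <fullchain.pem> <privkey.pem> <out.p12>
make_pkcs12() {
    require_password
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -name scai \
        -passout env:KEYSTORE_PASSWORD
    chmod 600 "$3"   # the file carries the private key
}

# Step 3: convert the PKCS#12 file into the keystore Scai reads. With
# -deststoretype PKCS12 the .jks file is itself PKCS#12, matching SCAI_KEYSTORE_TYPE.
# Usage: make_java_keystore <in.p12> <out.jks>
make_java_keystore() {
    require_password
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass:env KEYSTORE_PASSWORD \
        -destkeystore "$2" -deststoretype PKCS12 -deststorepass:env KEYSTORE_PASSWORD \
        -srcalias scai -destalias scai
    chmod 600 "$2"
}

# Pre-restart check: subject of the leaf certificate inside a PKCS#12 file,
# to confirm the keystore holds the certificate for your domain.
# Usage: keystore_subject <keystore.p12>
keystore_subject() {
    require_password
    openssl pkcs12 -in "$1" -passin env:KEYSTORE_PASSWORD -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject
}

# Pre-restart check: number of certificates in a PKCS#12 file (leaf + CA chain).
# When built from a real fullchain.pem this should be greater than 1; exactly 1
# means the chain was not included and clients may fail to build a trust path.
keystore_cert_count() {
    require_password
    openssl pkcs12 -in "$1" -passin env:KEYSTORE_PASSWORD -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Pre-restart check through Java's eyes: the entries keytool sees in the finished
# keystore; expect a line starting with the alias "scai" of type PrivateKeyEntry.
list_java_keystore() {
    require_password
    keytool -list -keystore "$1" -storetype PKCS12 -storepass:env KEYSTORE_PASSWORD
}

# Post-restart check: what Scai actually serves, with SNI set, including the
# verify result computed against the local trust store.
# Usage: check_served_chain <host> [port]
check_served_chain() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts </dev/null 2>&1 \
        | grep -E 'subject=|issuer=|Verify return code'
}

# Wire it together when invoked as `KEYSTORE_PASSWORD=... ./make-keystore.sh build`.
if [ "${1:-}" = "build" ]; then
    make_pkcs12 "$CERT_DIR/fullchain.pem" "$CERT_DIR/privkey.pem" "$CERT_DIR/pkcs.p12"
    make_java_keystore "$CERT_DIR/pkcs.p12" "$CERT_DIR/scai.jks"
    keystore_subject "$CERT_DIR/pkcs.p12"
    echo "certificates in keystore: $(keystore_cert_count "$CERT_DIR/pkcs.p12")"
    list_java_keystore "$CERT_DIR/scai.jks"
fi
```

Run the build as the account that owns /opt/scai/data/cert, then, once the service has been restarted, call check_served_chain with your Scai hostname from a different machine; a "Verify return code: 0 (ok)" line together with a subject matching your domain confirms that the new keystore is in use and that the chain is complete.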