Managing keystores for multiple servers (SSL)

I’m trying to understand what options I have to manage in a more central manner the certificates/ certificate store for HTTPS communication between clients and the gateways.
Is there a way to configure the gateways to use a specific keystore or server alias ?
We’re using an AD environment and have our internal CA - i’d like to have a ‘common’ keystore that i distribute to 80 gateways, and this keystore would contain an alias key-pair for each individual gateway - and in the gateway config i would tell each one the alias that it should use.
Is anything like this even remotely possible ?

There are some system properties that may help:

  • ignition.ssl.keystore.alias
  • ignition.ssl.keystore.password
  • ignition.ssl.privatekey.password

These would get set in the “additional params” section of ignition.conf.

I don’t see a way to point to a different keystore all together, though, so make sure you use the default ssl.pfx in the webserver directory of the Ignition install.

1 Like

When i go thru the SSL/TLS setup wizard and generate a CSR, i see that both ssl.pfx and csr.pfx are then generated. They don’t exist until i do the the SSL configuration wizard.

I was looking to manage these centrally: storing multiple gateway keypairs in the same keystore and distributing a centrally managed ssl.pfx file to our various gateways.
This obviously means circumventing Ignition’s built-in certificate generation features and means I need to manage them separately (KeyStore Explorer for example…).
I’ll let you know if it actually works - any remarks or dissuasive comments are highly welcomed :slight_smile: