Configuring SSL

As part of the initial setup script/wizard for the Plixer Scrutinizer appliance, a self-signed SSL certificate will be created using default values. SSL support will also be enabled by default.

This self-signed certificate can later be replaced with a CA-signed certificate if desired.

Note

To learn more about additional certificate-related functions, see this page.

Installing a CA-signed SSL certificate

As long as the system is set to use the self-signed SSL certificate created during the initial setup process, browsers will return an untrusted certificate warning, which users must override to access the web interface.

To avoid this behavior, an SSL certificate that has been signed by an internal or commercial Certificate Authority (CA) will need to be installed:

  1. Forward the /etc/pki/tls/private/ca.csr file to the CA for signing and ask that the signed certificate be returned Base64-encoded rather than DER-encoded.

  2. After acquiring the CA-signed SSL certificate, stop the Apache service by launching the scrut_util interactive CLI and entering the following at the SCRUTINIZER> prompt:

    services httpd stop
    
  3. Rename the new certificate to ca.crt and overwrite the existing file in /etc/pki/tls/certs.

  4. Start the Apache service again by entering the following at the SCRUTINIZER> prompt:

    services httpd start
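
Before step 3 overwrites ca.crt, it is worth confirming that the returned file is Base64 (PEM) rather than DER and that it was issued for the CSR generated on the appliance. The script below is an added example, not part of the Plixer documentation; the helper name check_cert and the script file name are hypothetical, and it assumes the openssl CLI is available on the host.

```shell
#!/bin/sh
# Added example (not Plixer code): sanity-check a CA-returned certificate
# before it replaces ca.crt. check_cert is a hypothetical helper name.
# Usage: sh check_cert.sh <returned-cert> /etc/pki/tls/private/ca.csr

# Return codes: 0 ok, 1 not PEM, 2 unreadable, 3 key mismatch, 4 expired
check_cert() {
    cert=$1
    csr=$2

    # 1. The page asks for Base64 (PEM), not DER. PEM files carry this marker.
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$cert"; then
        echo "FAIL: $cert is not Base64/PEM (possibly DER)" >&2
        return 1
    fi

    # 2. The certificate must carry the same public key as the CSR that was
    #    sent for signing; otherwise it was issued for a different key pair.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 2
    csr_pub=$(openssl req -in "$csr" -noout -pubkey) || return 2
    if [ "$cert_pub" != "$csr_pub" ]; then
        echo "FAIL: certificate was not issued for $csr" >&2
        return 3
    fi

    # 3. Reject a certificate that has already expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "FAIL: certificate is expired" >&2
        return 4
    fi

    # Print the fields to compare by eye against the appliance FQDN and CA.
    openssl x509 -in "$cert" -noout -subject -issuer -enddate
}

# Run the check only when a certificate and a CSR path are supplied.
if [ "$#" -eq 2 ]; then
    check_cert "$1" "$2"
fi
```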
    

To verify that the web interface is using the correct SSL certificate, use a browser to navigate to the login page using the FQDN specified in the CA-signed certificate. The browser should no longer return an untrusted certificate warning and the padlock icon in the address bar should be locked instead of open.

Note

The Plixer Scrutinizer AMI also uses a self-signed certificate by default. This can be replaced with a new certificate by running the following scrut_util command:

    set ssl on

Enabling/disabling SSL

If needed, SSL support can be disabled (and later re-enabled) by running the following scrut_util command:

    set ssl [off | on]

The set ssl on command can also be used to enter new certificate details and overwrite the current certificate.