How to use certificate chain for Web UI [KATA/KEDRE]

[Antipova Anna]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

You may want to have full certificate chain for KATA Web UI. Here's how to do it.

Step-by-step guide

Preparing the certificate chain for use in nginx_gateway configuration

We start with full certificate chain in familiar form. Please note that certificate chain should contain desired intermediate authorities' public keys. Do not add private key to the chain.

First of all, we transfer it to the Central Node. It's recommended to do all further actions on Central Node, as in different *nix environments further steps may give different result.

To use it for product configuration, we should convert it to format, used by etcd.

Note that certificate is in one line, and that line breaks (CRLF) are replaced by \n symbols. So that's what we should do with our certifciate:

1. add \n to the end of each line:

   sed 's/$/\\n/' < cert.json > cert_n.json

2. Remove line breaks:

   tr -d '\n' < cert_n.json > cert_oneline.json

Now, certificate chain is ready to be used in nginx_gateway configuration. 

Importing the prepared certificate chain to nginx_gateway

The most convenient way is to first export nginx_gateway configuration to JSON format:

apt-settings-manager get /configuration/nginx_gateway | python -m json.tool > /tmp/nginx_gateway

Now, find the place where certificate is located and replace it with created certificate chain.

Import the configuration back:

apt-settings-manager set /configuration/nginx_gateway @/tmp/nginx_gateway

And that's it, now browsers will receive full certificate chain for KATA Web UI.