TLS Server Certificates and Keystores
To secure the connection to your Hub server with the built-in TLS, you must have a server certificate and private key, or a keystore.
For a production environment, we urge you to obtain an SSL certificate from a trusted Certificate Authority.
However, for testing and evaluation purposes, you can use a self-signed certificates. There are several tools that let you create SSL keys and certificates. This page describes a procedure for creating a self-signed server certificate with the OpenSSL toolkit.
Create a Self-signed Server Certificate
Create a self-signed server certificate with the OpenSSL
Generate a new 2048 bit RSA key:
openssl genrsa -out Hub_Server_TLS.pem 2048
- Generate a certificate request for the generated key:
openssl req -new -key Hub_Server_TLS.pem -out Hub_Server_TLS_req.csr
As the Common Name parameter, set the fully-qualified domain name (FQDN) of your server. The service will be available through the generated server certificate by the URL:
https://<FQDN of your server>:<port>/
To generate a certificate of the v3 version, you need to preliminary create a configuration file and provide it during the certificate generation. Create a text configuration file, let's name it
v3.ext, with the following content:
authorityKeyIdentifier=keyid,issuer basicConstraints=CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
Generate a certificate (of the version v3):
openssl x509 -in Hub_Server_TLS_req.csr -out Hub_Server_TLS_cert.pem -req -signkey Hub_Server_TLS.pem -days 3650 -extfile v3.ext
Result: You have a self-signed server certificate
Hub_Server_TLS_cert.pem and its private key that are ready for upload to Hub. Now, during installation or upgrade, on the Confirm Settings step of the web-based configuration wizard:
Open the HTTPS > Private key and certificate settings.
Upload the created
Hub_Server_TLS.pemfile as the private key.
Upload the created
Hub_Server_TLS_cert.pemas the certificate.