Using valid SSL / TLS certificates for the WAPT Server

When the WAPT Server post-configuration script runs, it generates a self-signed certificate in order to enable HTTPS communications.

The self-signed certificate will of course not be recognized by web browsers and users may get warning messages.

It is thus advised to set up a proper SSL / TLS certificate that will be recognized by your Organization’s web browsers (either a commercial certificate or one issued by your internal Certificate Authority).

Setting up an SSL / TLS certificate on Linux

  • replace the self-signed public certificate and private key file located in /opt/wapt/waptserver/ssl/ with keys and certificates provided by your Organization;

Hint

  • we suppose here that the certificate has already been created with the Common Name corresponding to your WAPT Server name srvwapt.mydomain.lan;
  • first copy your certificate .crt and .key files to your WAPT Server. Below, we suppose that they are in the /etc/ssl/private folder;
cp -f /etc/ssl/private/srvwapt.mydomain.lan.crt /opt/wapt/waptserver/ssl/cert.pem
cp -f /etc/ssl/private/srvwapt.mydomain.lan.key /opt/wapt/waptserver/ssl/key.pem
chmod 440 /opt/wapt/waptserver/ssl/*.pem

# Debian:
chown root:www-data /opt/wapt/waptserver/ssl/*.pem

# CentOS:
chown root:nginx /opt/wapt/waptserver/ssl/*.pem

Note

Special case where your certificate has been signed by an internal Certificate Authority

Certificates issued by an internal Certificate Authority (CA) must have the complete certificate chain up to the Certificate Authority’s certificate.

You can manually add the certificate chain up to the Certificate Authority to the certificate that will be used by Nginx.

Example: cat srvwapt.mydomain.lan.crt ca.crt > cert.pem

  • for more details on the WAPT agent verifying and validating certificates, visit this documentation;
  • for more information on Nginx configuration, please refer to Configuring Nginx;
  • restart Nginx to take into account the new certificates;
systemctl restart nginx
  • check that Nginx restarts;
ps -edf | grep nginx
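
The checks below can be run on the copied files before restarting Nginx. This is an added example, not part of the WAPT documentation or tooling: it assumes the openssl command-line tool is installed, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: pre-restart checks for the WAPT Server certificate files.
# Assumes the openssl CLI is installed; all function names are illustrative.

# Succeeds if key.pem ($2) is the private key of the first certificate in cert.pem ($1).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the leaf certificate in cert.pem ($1) is valid for host name $2.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q "does match certificate"
}

# Succeeds if the leaf in cert.pem ($1) chains to the CA in $2; any
# intermediates appended to cert.pem are used to build the path.
chain_verifies() {
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# Succeeds if the key file ($1) has no read bit for "other" (the page uses chmod 440).
key_not_world_readable() {
    [ -z "$(find "$1" -prune -perm -004)" ]
}

# Usage: check_wapt_tls cert.pem key.pem server-name [ca.crt]
check_wapt_tls() {
    rc=0
    key_matches_cert "$1" "$2"  || { echo "FAIL: $2 does not match $1"; rc=1; }
    cert_matches_host "$1" "$3" || { echo "FAIL: certificate not valid for $3"; rc=1; }
    key_not_world_readable "$2" || { echo "FAIL: $2 is world-readable"; rc=1; }
    if [ -n "${4:-}" ]; then
        chain_verifies "$1" "$4" || { echo "FAIL: chain does not verify against $4"; rc=1; }
    fi
    [ "$rc" -eq 0 ] && echo "OK: certificate files pass all checks"
    return "$rc"
}

# Runs only when called with arguments, for example:
#   sh check_wapt_tls.sh /opt/wapt/waptserver/ssl/cert.pem \
#      /opt/wapt/waptserver/ssl/key.pem srvwapt.mydomain.lan ca.crt
if [ "$#" -ge 3 ]; then check_wapt_tls "$@"; fi
```

The host name check accepts a certificate that carries the name only in its Common Name, whereas current web browsers match only subjectAltName entries, so the browser test at the end of this page remains necessary.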

Setting up an SSL / TLS certificate on Windows

  • replace the self-signed public certificate and private key file located in /opt/wapt/waptserver/ssl/ with keys and certificates provided by your Organization;

Note

Special case where your certificate has been signed by an internal Certificate Authority

Certificates issued by an internal Certificate Authority (CA) must have the complete certificate chain up to the Certificate Authority’s certificate.

You can manually add the certificate chain up to the Certificate Authority to the certificate that will be used by Nginx.

  • for more details on the WAPT agent verifying and validating certificates, visit this documentation;
  • for more information on Nginx configuration, please refer to Configuring Nginx;
  • restart Nginx to take into account the new certificates;
net stop waptnginx
net start waptnginx

Checking the validity of the certificate

  • connect with an up-to-date web browser (for example Firefox 57 / Firefox 52.5 ESR) to the WAPT Server web console: https://srvwapt.mydomain.lan;

Hint

If you are using an internal Certificate Authority, the web browser must already have your Organization’s internal CA in its certificate store.

Expected result: you access the WAPT Server web page without any warning and with the SSL / TLS validation icons in the address bar; all is fine.

Go on to the next step to configure AD authentication, or go directly to installing the WAPT console.