Activating the verification of the SSL/TLS certificate
When you run the WAPT Server post-configuration script, it generates a self-signed certificate so that HTTPS communications can be enabled.
The WAPT agent checks the HTTPS server certificate according to the verify_cert value in the relevant section of C:\Program Files (x86)\wapt\wapt-get.ini.
Working principle of the WAPT agent

- verify_cert = 0: the WAPT agent will not check the WAPT Server HTTPS certificate;
- verify_cert = 1: the WAPT agent will check the WAPT Server HTTPS certificate using the certificate bundle shipped with the agent;
- verify_cert = <path to a certificate file>: the WAPT agent will check the WAPT Server HTTPS certificate with the certificate bundle located at that path.
To quickly and easily enable verification of the HTTPS certificate, you can use the pinning method.

Pinning the certificate

Certificate pinning consists of verifying the SSL/TLS certificate against a well-defined and restricted bundle.
This method is the easiest when using a self-signed certificate.
For this, launch the following commands in a Windows cmd.exe shell (with elevated privileges if UAC is active).
If you already have a Windows cmd.exe shell open, close it and open a new one so that the updated environment variables are taken into account:

    wapt-get enable-check-certificate
    net stop waptservice
    net start waptservice

Validate the certificate with:

    wapt-get update

Once the update command has run, make sure that everything has gone well; if in doubt, refer to "Problems when enabling enable-check-certificate".
The enable-check-certificate command does the following:

- it downloads the certificate srvwapt.mydomain.lan.crt into the folder C:\Program Files (x86)\WAPT\ssl\server;
- it then modifies the file wapt-get.ini to set verify_cert to C:\Program Files (x86)\wapt\ssl\server\srvwapt.mydomain.lan.crt;
- the WAPT agent will now verify certificates using the pinned certificate.

If you use the certificate pinning method, remember to archive the /opt/wapt/waptserver/ssl folder on your WAPT Server.
This folder will have to be restored on your server if you migrate or upgrade your WAPT Server, otherwise the WAPT agents will no longer be able to establish trusted HTTPS connections.
How to use a commercial certificate or certificates provided by your organization?

If the pinning method does not suit you, you can replace the self-signed certificate generated during the installation of WAPT.
Replace the old certificate with the new one in the folder /opt/wapt/waptserver/ssl/ (Linux) or its Windows equivalent.
The new key pair must be in Base64-encoded PEM format.
Special case where your certificate has been signed by an internal Certificate Authority

You can manually append the certificate chain, up to the Certificate Authority, to the certificate that will be used by Nginx. The server certificate must come first, followed by the CA certificate (the original page used echo here, which would only write the file names; cat concatenates the file contents):

    cat srvwapt.mydomain.lan.crt ca.crt > cert.pem

For Linux servers it is also necessary to reset the ACLs:

    # Debian:
    chown root:www-data /opt/wapt/waptserver/ssl/*.pem
    # CentOS:
    chown root:nginx /opt/wapt/waptserver/ssl/*.pem

Restart Nginx so that the new certificates are taken into account.

On Linux:

    systemctl restart nginx

On Windows:

    net stop waptnginx
    net start waptnginx
Configuring the WAPT agent

For a commercial certificate you can set:

    verify_cert = 1

For a certificate issued by an internal Certificate Authority, you must place the CA certificate at C:\Program Files (x86)\wapt\ssl\server\ca.crt and specify that certificate path as the verify_cert value in the agent's wapt-get.ini.
To apply the new configuration to your entire fleet, you can regenerate a WAPT agent with the appropriate settings.
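The three verify_cert behaviours described above (disabled, bundle, pinned path), resolved from a wapt-get.ini fragment and checked the way an agent-side sanity check would do it. This is an added example, not WAPT's own code; the [global] section name and the ini fragments are assumptions, and the pinned certificate written to a temporary folder is a constructed placeholder.

```python
import configparser
import os
import tempfile

PEM_HEADER = "-----BEGIN CERTIFICATE-----"


def resolve_verify_cert(ini_text):
    """Map verify_cert to the check the agent will apply.

    Returns ("disabled", None), ("bundle", None) or ("pinned", path).
    Assumes the key lives in a [global] section (assumption, not from the page).
    """
    cfg = configparser.ConfigParser(interpolation=None)  # keep Windows paths untouched
    cfg.read_string(ini_text)
    raw = cfg.get("global", "verify_cert").strip()
    if raw == "0":
        return ("disabled", None)  # no server certificate check at all
    if raw == "1":
        return ("bundle", None)  # public CA bundle shipped with the agent
    # Anything else is a path to a pinned certificate: it must exist and be PEM,
    # otherwise every HTTPS call to the server would fail after the restart.
    if not os.path.isfile(raw):
        raise FileNotFoundError("verify_cert points to a missing file: " + raw)
    with open(raw, "r", encoding="ascii", errors="replace") as fh:
        if PEM_HEADER not in fh.read():
            raise ValueError(raw + " does not contain a PEM certificate")
    return ("pinned", raw)


def demo():
    """Run the resolver over constructed wapt-get.ini fragments."""
    results = {}
    results["off"] = resolve_verify_cert("[global]\nverify_cert = 0\n")
    results["bundle"] = resolve_verify_cert("[global]\nverify_cert = 1\n")
    with tempfile.TemporaryDirectory() as tmp:
        pinned = os.path.join(tmp, "srvwapt.mydomain.lan.crt")
        with open(pinned, "w") as fh:  # constructed placeholder, not a real certificate
            fh.write(PEM_HEADER + "\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
        results["pinned"] = resolve_verify_cert("[global]\nverify_cert = " + pinned + "\n")
        missing = os.path.join(tmp, "missing.crt")
        try:
            resolve_verify_cert("[global]\nverify_cert = " + missing + "\n")
            results["missing"] = "accepted"
        except FileNotFoundError:
            results["missing"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```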
Verifying the certificate in the WAPT console

When the WAPT console first starts, it reads the content of C:\Program Files (x86)\WAPT\wapt-get.ini and builds its configuration from it.
This correctly sets the verify_cert attribute for the HTTPS communication between the WAPT console and the WAPT Server.