HTTPS
How to use HTTPS to secure against various threats
CDM-Server takes the secure-by-design approach and thus enforces HTTPS.
HTTPS to Access CDM-Server
If you set the USE_CUSTOM_CERT environment variable to true:
- You can provide your own certificate. The server will use these files to serve HTTPS.
- This can be self-signed or CA-signed (recommended).
- There are two dummy files, ./cdm-server.crt and ./cdm-server.key, where you have downloaded the CDM-Server. Just replace them with your own certificate chain and private key.
Make sure the crt file contains the full certificate chain, including the root and intermediate certificates. The key file should contain the private key in PEM format.
Notes
- If you don’t have a .crt file but a cer file, they are usually the same. You can rename it to cdm-server.crt.
- If you don’t have a .key file but a privkey file, they are usually the same. You can rename it to cdm-server.key.
- We don’t support PFX anymore.
Renew Certificate
Live Reload
At this moment, CDM-Server does not support on-the-fly certificate renewal. This will be supported in a future release.
Once you have the renewed certificate file:
- Stop the server
- Replace the file
- Restart the server
This will apply the new certificate.
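Before stopping the server to swap in a custom or renewed certificate, the new pair can be checked against the requirements above (PEM format, private key belonging to the certificate, not expired). The following is an added example, not part of CDM-Server; it assumes the openssl CLI is installed and that the server's own certificate is the first one in the .crt file.

```shell
#!/bin/sh
# Added example (not CDM-Server code): pre-flight check for the files the
# server reads when USE_CUSTOM_CERT is true. Assumes the openssl CLI.
# Usage: check_cdm_cert ./cdm-server.crt ./cdm-server.key
# Returns 0 if the pair looks usable, 1 otherwise; reasons go to stderr.
check_cdm_cert() {
    crt=$1 key=$2 rc=0

    # Both files must be PEM text; a DER or PFX blob has no BEGIN marker.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$crt" 2>/dev/null || {
        echo "FAIL: $crt contains no PEM certificate" >&2; return 1; }
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" 2>/dev/null || {
        echo "FAIL: $key contains no PEM private key" >&2; return 1; }

    # The private key must belong to the first certificate in the file
    # (assumed to be the server's own certificate): compare public keys.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not match the certificate" >&2
        rc=1
    fi

    # Reject a certificate that has already expired.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 || {
        echo "FAIL: certificate is expired or unreadable" >&2; rc=1; }

    # A CA-signed chain file holds more than one certificate block.
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$crt")
    [ "$n" -gt 1 ] ||
        echo "NOTE: $crt holds $n certificate (expected only if self-signed)" >&2

    return $rc
}
```

Run it on the new files first and only proceed to the stop, replace, restart steps when it returns 0.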
Self-Signed Certificate
If the USE_CUSTOM_CERT variable is set to false, the server will generate and use a self-signed certificate. You can find it in
- ./.data/certs/<CDM_HOST>.cert.p7b - X.509 certificate (contains the public key) that you can import to your Windows OS easily.
- ./.data/certs/<CDM_HOST>.crt - Certificate chain in PEM format.
- ./.data/certs/<CDM_HOST>.key - Private key in PEM format. You should not share this file with anyone.
Warning
Using a self-signed certificate is not recommended for production.
Install Self-Signed Certificate on User’s Machine
Please see Install Self-Signed Certificate for more information.
LDAP over TLS
For this, look into LDAP documentation.