HTTPS
How to use HTTPS to secure against various threats
CDM-Server takes the secure-by-design approach and thus enforces HTTPS.
HTTPS to Access CDM-Server
If you set the USE_CUSTOM_CERT environment variable to true:
- You can provide your own certificate. The server will use these files to serve HTTPS.
- This can be self-signed or CA-signed (recommended).
- There are two dummy files
./cdm-server.crtand./cdm-server.keywhere you have downloaded the CDM-Server. Just replace it with your own certificate chain and private key.
Make sure the crt file contains the full certificate chain, including the root and intermediate certificates.
The key file should contain the private key in PEM format.
Notes
- If you don’t have a
.crtfile but acerfile, they are usually the same. You can rename it tocdm-server.crt. - If you don’t have a
.keyfile but aprivkeyfile, they are usually the same. You can rename it tocdm-server.key. - We don’t support
PFXanymore.
Renew Certificate
Live Reload
At this moment, CDM-Server does not support on-the-fly certificate renewal. This will be supported in a future release.Once you have the renewed certificate file
- Stop the server
- Replace the file
- Restart the server
This will apply the new certificate.
Self-Signed Certificate
If the variable is set to false, the server will generate and use a self-signed certificate. You can find it in
./.data/certs/<CDM_HOST>.cert.p7b- X.509 certificate (contains the public key) that you can import to your Windows OS easily../.data/certs/<CDM_HOST>.crt- Certificate chain inPEMformat../.data/certs/<CDM_HOST>.key- Private key inPEMformat. You should not share this file with anyone.
Warning
Using self-signed certificate is not recommended for production.Install Self-Signed Certificate on User’s Machine
Please see Install Self-Signed Certificate for more information.
LDAP over TLS
For this, look into LDAP documentation.