Comment on page
Using a Custom SSL Cert
How to deploy a custom SSL Certificate to Keeper Connection Manager
This page provides details on how to create an SSL certificate for use with the Keeper Connection Manager service.
The process of generating an SSL certificate varies depending on the provider, but the general flow is documented here.
(1) On your local workstation, Generate a private key
openssl genrsa -out demo3.kcmdemo.com.key
(2) Generate a CSR, making sure to use the hostname which you plan to use for KCM. In this case, we will be using
demo3.kcmdemo.com. The important item here is that the Common Name matches exactly to the domain.
openssl req -new -key demo3.kcmdemo.com.key -out demo3.kcmdemo.com.csr
(3) Purchase an SSL certificate and Submit the CSR to your SSL certificate provider.
Ensure that the SSL certificate created for your KCM instance is only used for this purpose. Do not use a wildcard certificate that is shared with other services.
Create a certificate for a domain that is specific for this KCM instance, e.g. demo3.kcmdemo.com. The SSL certificate provider will deliver you a zip file that contains a signed certificate (.crt file) and intermediate CA cert.
(4) After the certificate has been issued, combine the certificate (.crt) and bundle (bundle.crt) into a single file that is PEM-encoded.
The file needs to be formatted like this:
Note that a newline exists after each "END CERTIFICATE" line. KCM will reject a malformed certificate.
The private key file will be PEM-encoded, formatted like this:
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
(5) Transfer the 2 files to the KCM server
Copy the files to a location in the server which is running Keeper Connection Manager.
If you are using the Auto Docker install method of Keeper Connection Manager, a good place to put the files is in /etc/kcm-setup. Make sure to set the permissions appropriately, e.g.:
sudo mv demo3.kcmdemo.com_bundle.crt /etc/kcm-setup/
sudo mv demo3.kcmdemo.com.key /etc/kcm-setup/
sudo chmod 600 /etc/kcm-setup/demo3.kcmdemo.com_bundle.crt
sudo chmod 600 /etc/kcm-setup/demo3.kcmdemo.com.key
chown root:root /etc/kcm-setup/demo3.kcmdemo.com_bundle.crt
chown root:root /etc/kcm-setup/demo3.kcmdemo.com.key
(6) Update the docker-compose.yml file with the SSL cert
Using your preferred editor, update the Docker Compose file. If you used the Auto Docker install method of KCM, the file will be located in
/etc/kcm/setup/docker-compose.yml. The section to edit is below:
sudo vi /etc/kcm-setup/docker-compose.yml
Make sure to edit the SSL_HOSTNAME and volume mount paths and filenames.
To restart the service with the new certificate:
sudo ./kcm-setup.run stop
sudo ./kcm-setup.run upgrade
On an annual basis, you will need to renew your cert. Most certificate providers will generate a new cert for you. After certificate renewal, you need to replace the certificate file and restart the service.