# Using a Custom SSL Cert

This page provides details on how to create an SSL certificate for use with the Keeper Connection Manager service.

### Generate and Prepare the SSL Certificate

The process of generating an SSL certificate varies depending on the provider, but the general flow is documented here.

**(1)** On your local workstation, Generate a private key

```
openssl genrsa -out demo3.kcmdemo.com.key
```

**(2)** Generate a CSR, making sure to use the hostname which you plan to use for KCM. In this case, we will be using `demo3.kcmdemo.com`. The important item here is that the Common Name matches exactly to the domain.

```
openssl req -new -key demo3.kcmdemo.com.key -out demo3.kcmdemo.com.csr
```

**(3)** Purchase an SSL certificate and Submit the CSR to your SSL certificate provider.

{% hint style="warning" %}
Ensure that the SSL certificate created for your KCM instance is only used for this purpose. Do not use a wildcard certificate that is shared with other services.
{% endhint %}

If you don't have a provider already, a good site is: <https://www.ssls.com/>

Create a certificate for a domain that is specific for this KCM instance, e.g. demo3.kcmdemo.com. The SSL certificate provider will deliver you a zip file that contains a signed certificate (.crt file) and intermediate CA cert.

**(4)** After the certificate has been issued, combine the certificate (.crt) and bundle (bundle.crt) into a single file that is PEM-encoded.

The file needs to be formatted like this:

```
-----BEGIN CERTIFICATE-----
MIIGQjCCBSqgAwIBAgIQeLDY2eR6ZdAagFwb7A/YxzANBgkqhkiG9w0BAQsFADCB
jzELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMTcwNQYDVQQD
.....
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGEzCCA/ugAwIBAgIQfVtRJrR2uhHbdBYLvFMNpzANBgkqhkiG9w0BAQwFADCB
iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
yOGBQMkKW+ESPMFgKuOXwIlCypTPRpgSabuY0MLTDXJLR27lk8QyKGOHQ+SwMj4K
00u/I5sUKUErmgQfky3xxzlIPK1aEn8=
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFgTCCBGmgAwIBAgIQOXJEOvkit1HX02wQ3TE1lTANBgkqhkiG9w0BAQwFADB7
MQswCQYDVQQGEwJHQjEbMBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD
...
-----END CERTIFICATE-----
```

Note that a newline exists after each "END CERTIFICATE" line. KCM will reject a malformed certificate.

The private key file will be PEM-encoded, formatted like this:

```
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBBAKCAQDAvzLIMM7MnVa7z/CTLm+dTnxcd9Rn0QOVdIRIHbQnoBQ9irv6
lgNp8pnpIKp/WPcvoNKEZND08CX8Ylxbw51ccoERNBPtvyXbJtfIFu81nplqr+Lt
....
eABEVrVcYwO10apQQ0lkXWyYhTS0WuB1wFZlIiFq7RJg2X7s9tmVMw==
-----END RSA PRIVATE KEY-----
```

**(5)** Transfer the 2 files to the KCM server

Copy the files to a location in the server which is running Keeper Connection Manager.

If you are using the Auto Docker install method of Keeper Connection Manager, a good place to put the files is in /etc/kcm-setup. Make sure to set the permissions appropriately, e.g.:

```
sudo mv demo3.kcmdemo.com_bundle.crt /etc/kcm-setup/
sudo mv demo3.kcmdemo.com.key /etc/kcm-setup/

sudo chmod 600 /etc/kcm-setup/demo3.kcmdemo.com_bundle.crt
sudo chmod 600 /etc/kcm-setup/demo3.kcmdemo.com.key

chown root:root /etc/kcm-setup/demo3.kcmdemo.com_bundle.crt
chown root:root /etc/kcm-setup/demo3.kcmdemo.com.key
```

**(6) Update the docker-compose.yml file with the SSL cert**&#x20;

Using your preferred editor, update the Docker Compose file. If you used the Auto Docker install method of KCM, the file will be located in `/etc/kcm-setup/docker-compose.yml`. The section to edit is below:

```
sudo vi /etc/kcm-setup/docker-compose.yml
```

{% code title="docker-compose.yml" %}

```yaml
    ssl:
        image: keeper/guacamole-ssl-nginx:2
        restart: unless-stopped
        ports:
            - "80:80"
            - "443:443"
        environment:
            CERTIFICATE_FILE: "/etc/ssl/certs/certificate.pem"
            PRIVATE_KEY_FILE: "/etc/ssl/certs/private.pem"
            ACCEPT_EULA: "Y"
            GUACAMOLE_HOSTNAME: "guacamole"
            SSL_HOSTNAME: "demo3.kcmdemo.com"
        volumes:
            - "/etc/kcm-setup:/etc/ssl/certs/:ro"
```

{% endcode %}

Make sure to edit the SSL\_HOSTNAME and volume mount paths and filenames.

To restart the service with the new certificate:

```
sudo ./kcm-setup.run stop
sudo ./kcm-setup.run upgrade
```

#### Annual Renewal

{% hint style="success" %}
On an annual basis, you will need to renew your cert. Most certificate providers will generate a new cert for you. After certificate renewal, you need to replace the certificate file and restart the service.
{% endhint %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.keeper.io/keeper-connection-manager/installation/docker-compose-install/ssl-termination/using-a-custom-ssl-cert.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.