Configuring Transport Layer Security (TLS)

You must do the following to configure Unravel with TLS:

All the certificates are stored in data/certificates by default.

Configuring Truststore

You must add the certificate to the Truststore and then enable the Truststore. The following certificate formats are supported:

  • PEM (.pem)

  • JKS (.jks)

  • PKCS12 (pkcs12, .p12, .pfx)

Adding certificate to the Truststore

Multiple certificates can be passed to the trust add command, and the command can be called multiple times; every call adds its certificates to the Truststore. By default, the store is located at data/certificates/trusted_certs.pem and trusted_certs.pkcs12.

If the chain of trust cannot be established for a given certificate, the missing parts of the trust chain can be added to the Truststore.

Run the following steps from the manager tool to add certificates to the Truststore:

Step 1: Autodetect file format based on the extension.

    manager config tls trust add <certificates>

Step 2: Force the uploading of certificate (pem/jks/pkcs) files.

    manager config tls trust add --pem <certificates>
    manager config tls trust add --jks <certificates>
    manager config tls trust add --pkcs12 <certificates>

Enabling/Disabling the Truststore

The Truststore can be enabled or disabled without affecting the list of trusted certificates.

  1. Run the following from the manager tool:

    manager config tls trust <enable|disable>
  2. After enabling/disabling the Truststore, stop Unravel.

    manager stop 
    
  3. Refresh the files and then start Unravel again.

    manager refresh files 
    manager start

Configuring Unravel UI to use TLS

Unravel UI can be configured to use TLS. You must set the key and certificate files and then enable TLS for the UI. The supported certificate and key formats are as follows:

  • PEM (.pem)

    Note

    The key and certificate should be in separate files to avoid the validation error.

  • JKS (.jks)

  • PKCS12 (pkcs12, .p12, .pfx)

Setting key and certificate

Run the following command from the manager tool to upload the key and certificate:

manager config tls set /path/to/key.pem /path/to/certificate.pem --key-password <password>

Note

When the set command is called multiple times, the key and certificate provided on the last call are used.
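
A pre-flight check for the separate-files requirement noted above, as an added example that is not part of the Unravel documentation or the manager tool: it classifies PEM files by their BEGIN labels so that a combined key-and-certificate file or swapped arguments are caught before running manager config tls set. The function names and the constructed sample files (placeholder bodies, not real key material) are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check for the PEM files passed to
# `manager config tls set`. All function names are hypothetical helpers.

# Print what a PEM file holds: cert, key, encrypted-key, combined or unknown.
pem_kind() {
    cert=no; key=no; enc=no
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then cert=yes; fi
    if grep -Eq -- '-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----' "$1"; then key=yes; fi
    # PKCS#8 encrypted label, or the legacy OpenSSL encryption header
    if grep -Eq -- '-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"; then enc=yes; fi
    case "$cert,$key,$enc" in
        yes,yes,*)  echo combined ;;
        yes,no,*)   echo cert ;;
        no,yes,yes) echo encrypted-key ;;
        no,yes,no)  echo key ;;
        *)          echo unknown ;;
    esac
}

# Return 0 only when KEY holds just a private key and CERT just certificates.
check_tls_pair() {
    k=$(pem_kind "$1"); c=$(pem_kind "$2")
    case "$k" in
        key)           echo "key ok: not encrypted" ;;
        encrypted-key) echo "key ok: encrypted, have the --key-password value ready" ;;
        *) echo "key file is '$k', expected a private key only" >&2; return 1 ;;
    esac
    if [ "$c" != cert ]; then
        echo "certificate file is '$c', expected certificates only" >&2; return 1
    fi
}

# Constructed sample files with placeholder bodies (not real key material).
make_samples() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' > "$1/cert.pem"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' '-----END ENCRYPTED PRIVATE KEY-----' > "$1/key.pem"
    cat "$1/key.pem" "$1/cert.pem" > "$1/combined.pem"
}

# With two arguments, check real files; with none, run on the constructed samples.
if [ "$#" -eq 2 ]; then
    check_tls_pair "$1" "$2"
else
    d=$(mktemp -d); make_samples "$d"
    check_tls_pair "$d/key.pem" "$d/cert.pem"
    check_tls_pair "$d/combined.pem" "$d/cert.pem" || echo "combined file rejected"
    rm -rf "$d"
fi
```

The check only reads the PEM labels; it does not confirm that the key matches the certificate, which manager verify tls covers after the files are set.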

Enabling/Disabling TLS for Unravel UI

TLS can be enabled or disabled without affecting the list of trusted certificates.

  1. Run the following from the manager tool:

    manager config tls <enable|disable>
  2. After enabling/disabling TLS, stop Unravel.

    manager stop 
    
  3. Refresh the files and then start Unravel again.

    manager refresh files 
    manager start

Verifying key and certificate

You can verify the Truststore as well as the TLS configuration by running the following command from the manager tool:

manager verify tls