Version: Next

TLS Certificates

ASI supports both CA-signed and self-signed TLS certificates.
A CA-signed certificate provides full browser trust and is recommended for production.
Self-signed certificates are easier to generate but will trigger browser warnings.

For an overview of the differences, see:
Self-Signed vs CA-Signed Certificates

CA-Signed Certificates

Obtain certificates from your organisation’s certificate authority.
Ensure the certificate includes:

The correct Common Name (CN)
All required Subject Alternative Names (SANs) (load balancer + all ASI nodes)

Before installing the certificate, ensure the corresponding CA certificate is present in the Linux trust store.

Check If the CA Certificate Is in the Trust Store

Replace CA_NAME with the Common Name of your CA:

grep -i "CA_NAME" /etc/pki/ca-trust/extracted/pem/*

Load the CA Certificate into the Trust Store

If the CA certificate is missing:

Copy the CA certificate into the trust store:

sudo cp /path/to/CA.crt /etc/pki/ca-trust/source/anchors/

Update the trust store:

sudo update-ca-trust extract

Confirm it has been loaded:

sudo update-ca-trust list

Self-Signed Certificates

You may generate your own Certificate Authority (CA) and issue server certificates from it.
All ASI nodes must trust the same CA certificate (ca.crt) to avoid TLS errors.

Create a directory for your certs, for example:

mkdir -p /opt/ISS/config/security
cd /opt/ISS/config/security

Note: Some steps require root privileges.

Generate the Root Private Key (CA Key)

openssl genpkey -algorithm RSA -out ca.key -aes256

Create the Root Certificate (CA Certificate)

openssl req -key ca.key -new -x509 -out ca.crt -days 3650

Choose a meaningful Common Name (e.g., "ASI Internal CA").

Important: Use this same ca.crt for every ASI node.

Generate the Server Private Key

openssl genpkey -algorithm RSA -out server.key -aes256

Generate the Server Certificate Signing Request (CSR)

Create a SAN configuration file:

nano san.cnf

Example:

[req]
distinguished_name = req_distinguished_name
req_extensions     = v3_req

[req_distinguished_name]
countryName         = GB
stateOrProvinceName = Cheshire
localityName        = Manchester
organizationName    = MyCompany
commonName          = your.server.com

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = your.server.com
DNS.2 = another.server.com
DNS.3 = 192.168.1.1

Generate the CSR:

openssl req -new -key server.key -out server.csr -config san.cnf

Sign the Server Certificate with Your CA

openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out server.pem -days 3650 -extensions v3_req -extfile san.cnf

Verify the Server Certificate

openssl x509 -in server.pem -text -noout

Check that:

SAN entries are present
Certificate dates and CN are correct

Distribute the CA Certificate

Copy ca.crt to all ASI nodes and load it into the trust store:

sudo cp ca.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust extract

This ensures all nodes trust certificates issued by your custom CA.

For any updates or clarifications, please contact the support team.

CA-Signed Certificates​

Check If the CA Certificate Is in the Trust Store​

Load the CA Certificate into the Trust Store​

Self-Signed Certificates​

Generate the Root Private Key (CA Key)​

Create the Root Certificate (CA Certificate)​

Generate the Server Private Key​

Generate the Server Certificate Signing Request (CSR)​

Sign the Server Certificate with Your CA​

Verify the Server Certificate​

Distribute the CA Certificate​