TLS Certificates
ASI supports both CA-signed and self-signed TLS certificates.
A CA-signed certificate provides full browser trust and is recommended for production.
Self-signed certificates are easier to generate but will trigger browser warnings.
For an overview of the differences, see:
Self-Signed vs CA-Signed Certificates
CA-Signed Certificates
Obtain certificates from your organisation’s certificate authority.
Ensure the certificate includes:
- The correct Common Name (CN)
- All required Subject Alternative Names (SANs) (load balancer + all ASI nodes)
Before installing the certificate, ensure the corresponding CA certificate is present in the Linux trust store.
Check If the CA Certificate Is in the Trust Store
Replace CA_NAME with the Common Name of your CA:
grep -i "CA_NAME" /etc/pki/ca-trust/extracted/pem/*
Load the CA Certificate into the Trust Store
If the CA certificate is missing:
- Copy the CA certificate into the trust store:
sudo cp /path/to/CA.crt /etc/pki/ca-trust/source/anchors/
- Update the trust store:
sudo update-ca-trust extract
- Confirm it has been loaded (replace CA_NAME with the Common Name of your CA):
trust list | grep -i "CA_NAME"
Self-Signed Certificates
You may generate your own Certificate Authority (CA) and issue server certificates from it.
All ASI nodes must trust the same CA certificate (ca.crt) to avoid TLS errors.
Create a directory for your certs, for example:
mkdir -p /opt/ISS/config/security
cd /opt/ISS/config/security
Note: Some steps require root privileges.
Generate the Root Private Key (CA Key)
openssl genpkey -algorithm RSA -out ca.key -aes256
Create the Root Certificate (CA Certificate)
openssl req -key ca.key -new -x509 -out ca.crt -days 3650
Choose a meaningful Common Name (e.g., "ASI Internal CA").
Important: Use this same ca.crt for every ASI node.
Generate the Server Private Key
openssl genpkey -algorithm RSA -out server.key -aes256
Generate the Server Certificate Signing Request (CSR)
Create a SAN configuration file:
nano san.cnf
Example:
[req]
# Take the subject values below as-is instead of prompting for them
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
countryName = GB
stateOrProvinceName = Cheshire
localityName = Manchester
organizationName = MyCompany
commonName = your.server.com
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = your.server.com
DNS.2 = another.server.com
# IP addresses must be listed as IP.n entries, not DNS.n
IP.1 = 192.168.1.1
Generate the CSR:
openssl req -new -key server.key -out server.csr -config san.cnf
Sign the Server Certificate with Your CA
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
-out server.pem -days 3650 -extensions v3_req -extfile san.cnf
Verify the Server Certificate
openssl x509 -in server.pem -text -noout
Check that:
- SAN entries are present
- Certificate dates and CN are correct
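A scripted version of the checks above, as an added example that is not part of the original ASI documentation: it confirms that the server certificate chains to the CA, has at least 30 days of validity left, and covers every expected name. The function names, the 30-day window and the throwaway demo PKI are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not ASI tooling. Function names and the 30-day window are assumptions.

# check_server_cert CA_CERT SERVER_CERT NAME...
# Returns 0 only if the certificate chains to the CA, stays valid for at least
# 30 more days, and every NAME (hostname or IPv4 address) matches a SAN entry.
check_server_cert() {
    csc_ca=$1; csc_cert=$2; csc_rc=0
    shift 2
    openssl verify -CAfile "$csc_ca" "$csc_cert" >/dev/null 2>&1 \
        || { echo "FAIL: $csc_cert does not chain to $csc_ca"; csc_rc=1; }
    openssl x509 -in "$csc_cert" -noout -checkend $((30 * 86400)) >/dev/null \
        || { echo "FAIL: $csc_cert expires within 30 days"; csc_rc=1; }
    for csc_name in "$@"; do
        # Digits and dots only: treat as IPv4, which is matched against IP-type
        # SAN entries only. Anything else is matched as a DNS name.
        case $csc_name in
            *[!0-9.]*) csc_opt=-checkhost ;;
            *)         csc_opt=-checkip ;;
        esac
        openssl x509 -in "$csc_cert" -noout "$csc_opt" "$csc_name" \
            | grep -q 'does match' \
            || { echo "FAIL: no SAN in $csc_cert covers $csc_name"; csc_rc=1; }
    done
    return "$csc_rc"
}

# make_demo_pki DIR
# Constructed sample data: a throwaway CA and server certificate with
# unencrypted keys, so the check can be exercised offline.
make_demo_pki() {
    printf '%s\n' 'subjectAltName = DNS:your.server.com, DNS:another.server.com, IP:192.168.1.1' \
        > "$1/ext.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" -out "$1/ca.crt" \
        -days 365 -subj '/CN=Demo CA' 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/server.key" \
        -out "$1/server.csr" -subj '/CN=your.server.com' 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/server.pem" -days 365 -extfile "$1/ext.cnf" 2>/dev/null
}

# Script usage: sh check_cert.sh ca.crt server.pem your.server.com 192.168.1.1
if [ "$#" -ge 3 ]; then check_server_cert "$@"; fi
```

A certificate that lists an address under a DNS.n entry fails the -checkip test, because IP addresses are matched only against IP-type SAN entries.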
Distribute the CA Certificate
Copy ca.crt to all ASI nodes and load it into the trust store:
sudo cp ca.crt /etc/pki/ca-trust/source/anchors/
sudo update-ca-trust extract
This ensures all nodes trust certificates issued by your custom CA.
For any updates or clarifications, please contact the support team.