The Leostream Gateway uses the default Apache installation on the CentOS or RHEL machine where it is installed. During installation, the Leostream Gateway generates a default operating system SSL certificate. This self-signed certificate produces warnings when users establish HTML5-based desktop connections.
To avoid these warnings, you can install your corporate SSL certificates or use the Leostream Gateway CLI to generate and install a signed SSL certificate. Expert users or more complicated setups should use the standard Apache SSL instructions available on the internet
Installing a new SSL Certificate:
The SSL options of the leostream-gateway CLI can help with standard setups, as described below.
- Use the --ssl-csr option to generate an SSL CSR to use when obtaining a signed certificate.
sudo leostream-gateway –-ssl-csr
Step through the instructions to provide the information needed to generate the CSR. When finished, the CSR is stored in a file named server.csr in the current directory. Use this generated CSR to obtain a signed certificate for an Apache server from your certificate authority.
The Leostream Gateway uses the private key generated when you originally installed the underlying CentOS operating system. It can be found in /etc/pki/tls/private/localhost.key.
- Use the --ssl-crt, --ssl-int, and --ssl-key options to install your new signed certificate, intermediate certificates, and private key, respectively. For example:
leostream-gateway –-ssl-crt <certificate.crt> --ssl-int <intermediate_cert.crt> --ssl-key <privatekey.key>
• The --ssl-crt option must be a .crt file
• The --ssl-int option must be a .crt file
• The --ssl-key option must be a .key file
The Leostream Gateway command will validate the certificate and key, and replace the localhost.crt and localhost.key file in the default location. If you modified the ssl.conf file to use a different cert/key location, please update your cert/key manually and restart the httpd service
- If the certificates are not installed correctly, Apache will not start and the Leostream Gateway cannot function. If Apache is not running on your Leostream Gateway, check that you installed the entire certificate chain and correct keys.
You can check the status of Apache by running the following command on the Leostream Gateway machine:
sudo systemctl status httpd.service -l
Updating an expired SSL Certificate:
If the private key hasn't changed, and you were reissued the same SSL certificate with an update expiration, you can leverage the leostream-gateway CLI to only update the SSL certificate:
sudo leostream-gateway –-ssl-crt <filepath>
The location of the certificate and key are defined in /etc/httpd/conf.d/ssl.conf. The default locations are defined in this file as:
SSLCertificateFile /etc/pki/tls/certs/localhost.crt SSLCertificateKeyFile /etc/pki/tls/private/localhost.key