Domain/SSL

the settings > domain/ssl pane is used to configure the domain name, ssl, and edge remote endpoint in litmus edge manager this pane includes the following sections domain ssl settings edge remote ssl certificate workflow you can choose between two methods for adding an ssl certificate to litmus edge or litmus edge manager manual request process digicert iot trust manager integration method 1 manual request process step 1 you will need to request an ssl certificate from your it team step 2 your it team will make a request for the ssl certificate from a certificate authority (ca) (for example,let's encrypt, digicert) step 3 the ca will return the following to your it team the root ca certificate file any required intermediate certificates the ssl certificate file step 4 the it team will send you the following the root certificate file any required intermediate certificates the ssl certificate file the private key file step 5 you will apply the following in either litmus edge manager (see ssl settings section below) or litmus edge (see docid\ a6g bo9xf4chv6gylyhxg ) the ca chain file (root ca file and all intermediate certificates) the ssl certificate the private key file method 2 digicert iot trust manager integration step 1 set up digicert iot trust manager integration through the litmus edge manager admin console step 2 access digicert iot trust manager to retrieve the url, profile id, and passcode, then configure the ca for litmus edge manager (lem) and litmus edge (le) step 3 digicert iot trust manager handles the entire certificate management process including issuing the ssl certificate managing the ca chain file private key file step 4 apply and issue certificates to your edge devices through litmus edge manager domain settings you can use the domain name to obtain access to litmus edge manager without knowing the ip address this helps when configuring settings base domain name the basic domain name is used by clients accessing the litmus edge manager admin console, litmus edge manager application, and keycloak application before you begin ensure a dns server exists to handle requests by clients using the domain name action details \[1] edit base domain name changing the domain name can cause connection issues such as disconnecting all previously connected edge devices it is recommended that you make dns changes prior to configuring the rest of your settings the domain name also causes an update to the certificates it may be necessary to accept new certificates after reloading the current browser tab see docid\ f 4fuf7kbozitsh lmxp4 for more information if the domain name is valid, a green check mark displays if the domain name is invalid, a red exclamation mark displays \[2] copy base domain name \[3] view domain log enabling auto scroll is helpful when running an import process \[4] save base domain name save the base domain name ssl settings there are three options when selecting an ssl setting instance default certificate allows you to use the default self signed ssl certificate that is automatically created during deployment when you first boot up for https, and mqtt ssl let's encrypt webroot mode the certificate is based on https //en wikipedia org/wiki/let's encrypt using their webroot mode you must enter the domain name for your web server in the domain section an ip address cannot be used this is used when the web server is exposed to the internet and should not be used for private networks digicert the digicert option integrates with a unique passcode for each lem instance, which should be securely stored and managed within the admin interface this ensures a secure and reliable ssl certificate management process for your litmus edge manager user defined the ssl encryption uses a self signed certificate ( crt or pem file) and a ( key or pem file) that has been uploaded to litmus edge manager the same certificate must be uploaded to the connected edge device action details \[5] select ssl setting select instance default certificate to ensure that the ssl certificates that are used for the server and instances are valid and trusted by the server select let's encrypt webroot mode to secure publicly available content in a domain by encryption, and then click save it issues a certificate when ownership is proven this selection requires that a domain name is set this selection cannot be used with an ip address select user defined to use an ssl certificate and key file to secure content a crt or pem file and a key or pem file is required for this selection \[6] (user defined only) upload ssl certificate upload ssl cert file \[7] (user defined only) key file upload key file \[8] (user defined only) root ca certificate upload a ca chain file creating a ca (certificate authority) chain file involves consolidating the necessary certificates to establish a trust hierarchy for secure communication to do this, you'll typically need the intermediate certificates that link your ssl certificate to the root certificate, ensuring a complete chain of trust begin by gathering the required certificates, which often include intermediate certificates, and the root certificate then, execute a command to combine all required certificates into a single file see the example below \[9] view ssl log enabling auto scroll is helpful when running an import process \[10] save ssl settings save ssl settings for future example you have the following intermediate certificates intermediate1 pem and intermediate2 pem you create a ca chain file by combining the intermediate certificates with the root certificate ( root pem ) with the following command cat intermediate1 pem intermediate2 pem root pem > ca chain pem the ca chain file is named ca chain pem edge remote the edge remote endpoint is the location of the litmus edge manager remote service that forms a private secured connection between this litmus edge manager instance and all of its associated litmus edge devices this endpoint can be used for a dns or an ip address by default and in most circumstances, the edge remote endpoint will be identical to the litmus edge manager instance's ip address/dns the only exception is when the litmus edge manager is deployed on google kubernetes engine in this deployment situation, the ip address of the litmus edge manager and the ip address of the lem remote service will differ the ip address of the litmus edge manager remote service will be generated by kubernetes and should be set as the edge remote endpoint accordingly if a dns is associated with the ip address received from kubernetes, then the dns should likewise also be set as the edge remote endpoint accordingly setting the dns this way prevents the need to reactivate litmus edge devices when the litmus edge manager ip address changes refer to the following actions you can take on litmus edge manager admin console's domain/ssl pane action details \[11] edit edge remote edit the edge remote option \[12] copy edge remote endpoint \[13] save edge remote endpoint you can only save when the dns/ip address is valid