Upload a TLS certificate to the Orchestrator

Release 1.2.0 introduces HTTPS for the Orchestrator user interface. Once an Orchestrator has been upgraded to release 1.2.0, any attempt to access the Orchestrator through HTTP ("http://orchestrator/", "http://<IP>/", etc.) will be redirected to HTTPS and the new FQDN of the Orchestrator ("https://orchestrator.blastshield.io" in the default case).

You can upload a certificate for the Orchestrator hostname. The certificate can either be a signed certificate for a previously downloaded signing request, or a zip archive containing both a private key and a matching certificate. BlastWave can provide a valid certificate for the default Orchestrator hostname; details on how to request it are given below. Note that by default, a self-signed certificate will have been generated, which will cause a warning in your browser.

Pre-requisites

  • Your Orchestrator must be using firmware release 1.2.0 or higher.
  • If you are not using firmware release 1.2.0 or higher, then you must upgrade.
  • Learn how to check which firmware version you are using here, and how to upgrade your Orchestrator here.
  • You must have Read/Write access to the Orchestrator. You can verify this on your user profile in the Orchestrator.
  • Verify whether you are using the Orchestrator default DNS suffix or have changed it.

Summary

The steps you will perform depend on whether your Orchestrator is using the default DNS suffix, or if the DNS suffix has been updated.

  • If the Orchestrator is using the default DNS suffix (blastshield.io) then BlastWave will provide the certificate for the hostname orchestrator.blastshield.io.
  • If the Orchestrator is not using the default DNS suffix then you must upload a valid certificate for the Orchestrator hostname.

Step 1: Verify the current DNS suffix

Performed by the BlastShield Orchestrator Administrator
  • Log in to the Orchestrator and first verify that the Orchestrator is running release 1.2.0 or later by clicking on the Firmware menu on the left-hand side of the main view and checking the Current Version of the Orchestrator firmware.
  • Verify the DNS suffix. Click on Network in the menu bar on the left-hand side.
  • The DNS suffix is shown in the Network Settings, DNS Suffix box. In release 1.2.0 and above, the default DNS suffix is "blastshield.io" and the corresponding default Certificate Common Name shown in the Certificate settings is "orchestrator.blastshield.io".
  • This is illustrated in the following screenshot. Note that by default, a self-signed certificate will have been generated, which will cause a warning in your browser.

Step 2: If you are using the default DNS suffix, request BlastWave to upload the certificate

If you are using the default DNS suffix of "blastshield.io", then your Orchestrator hostname will be "orchestrator.blastshield.io". You must open a support ticket to request that we upload the certificate for "orchestrator.blastshield.io".

Go here to open a support ticket.

You don't need to do anything else. The remainder of this procedure does not apply to your settings.

Step 3: If you are not using the default DNS suffix, upload your certificate

Performed by the BlastShield Orchestrator Administrator
  • Log in to the Orchestrator and click on the Network option in the menu bar on the left-hand side.
  • The Network Settings window will appear. In the Orchestrator Certificate settings, you can verify the value of the Certificate Common Name.
  • Click on Download Signing Request to download a signing request to send to your CA.
  • Once you receive the signed certificate back, upload it using the Upload Certificate button.
  • Alternatively, you can upload a zip file with both a private key and the certificate, in case you have a wildcard certificate or want to generate the certificate yourself.
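
Before uploading, the certificate can be checked locally with OpenSSL. The script below is an added example, not BlastWave tooling; the function name, file names and the hostname you pass in are assumptions. The key check applies only to the zip upload, where you hold the private key yourself.

```bash
#!/usr/bin/env bash
# Pre-upload check for an Orchestrator certificate (added example).
# Usage: check_orchestrator_cert CERT.pem HOSTNAME [KEY.pem]
# HOSTNAME is the Certificate Common Name shown in the Network Settings,
# e.g. orchestrator.<your DNS suffix>. File names are placeholders.

check_orchestrator_cert() {
    local cert="$1" host="$2" key="${3:-}" rc=0

    # 1. The certificate must cover the Orchestrator hostname.
    #    -checkhost applies normal TLS name matching, so a wildcard
    #    certificate for the DNS suffix is accepted as well.
    if openssl x509 -in "$cert" -noout -checkhost "$host" \
        | grep -q "does match certificate"; then
        echo "OK:   certificate covers $host"
    else
        echo "FAIL: certificate does not cover $host"; rc=1
    fi

    # 2. The certificate must not have expired already.
    if openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "OK:   certificate has not expired"
    else
        echo "FAIL: certificate has expired"; rc=1
    fi

    # 3. Zip upload only: the private key must pair with the certificate.
    #    Both commands print the public key in the same PEM form, so a
    #    string comparison is sufficient.
    if [ -n "$key" ]; then
        local cert_pub key_pub
        cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
        if [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
            echo "OK:   private key matches the certificate"
        else
            echo "FAIL: private key does not match the certificate"; rc=1
        fi
    fi
    return "$rc"
}

# Run the check when the script is called with arguments.
if [ "$#" -ge 2 ]; then
    check_orchestrator_cert "$@"
fi
```

For a certificate signed from the downloaded signing request, omit the key argument: the private key is not part of that upload, so only the hostname and expiry checks apply.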

Once you have uploaded the certificate, you should close and re-open your browser tab to get the padlock icon in your browser.