
How to configure SSL

SSL setup

Nipper OmniSight includes a default self‑signed certificate if no certificate is provided at first startup. This certificate is generated for the hostname defined in HOST_NAME within /opt/app/nipper-omnisight/.conf. The corresponding Root CA (RootCA.crt) is stored in /opt/app/nipper-omnisight/docker/provisioning/ssl/ca/ and must be trusted by any browser accessing the system.

Self‑signed certificates cannot be generated for IP addresses using this automatic process. If HOST_NAME is an IP address, please follow the manual self‑signed certificate instructions in 3.3.3.

For production environments, Titania recommends using certificates issued by your organisation’s PKI rather than the default self‑signed certificate.

If you plan to use your own SSL certificates, configure them before starting Nipper OmniSight for the first time. If the system is already running, ensure it is stopped before making SSL changes.

Using Certificates from Your Organisation’s PKI

If your organisation has a PKI, you can supply your own SSL certificate signed by your internal CA. Place the required files in the following locations:

| File name | File location | File description |
|---|---|---|
| public.crt | /opt/app/nipper-omnisight/docker/provisioning/ssl/ | Public certificate with SANs for all hostnames/IPs used to access the system |
| private.key | /opt/app/nipper-omnisight/docker/provisioning/ssl/ | Private key matching public.crt |
| dhparam.pem | /opt/app/nipper-omnisight/docker/provisioning/ssl/ | Diffie‑Hellman parameters |
| RootCA.crt | /opt/app/nipper-omnisight/docker/provisioning/ssl/ca/ | CA certificate that public.crt chains to |
| RootCA.pem | /opt/app/nipper-omnisight/docker/provisioning/ssl/ca/ | Copy of RootCA.crt in .pem format |
| {CA distinguished name hash}.0 | /opt/app/nipper-omnisight/docker/provisioning/ssl/ca/ | Symlink created using the CA’s distinguished name hash |

Most browsers will already trust your organisation’s CA. If not, ensure the CA used to sign public.crt is trusted.

Generating Your Own Self‑Signed Certificate

If you need to generate your own self‑signed certificate, follow the steps below. Replace the placeholder values (such as country, organisation, and SAN entries) with details appropriate for your environment.

  • Navigate to the SSL directory:
    cd /opt/app/nipper-omnisight/docker/provisioning/ssl/
  • Generate the Root CA private key (minimum 2048-bit recommended):
    openssl genrsa -out ca/RootCA.key 2048
  • Create the Root CA certificate, supplying your chosen country and common name:
    openssl req -x509 -new -nodes -key ca/RootCA.key -sha256 -subj "/C={Country}/CN={Common Name}" -days 1024 -out ca/RootCA.crt
  • Copy the CA certificate to the required PEM format:
    cp ca/RootCA.crt ca/RootCA.pem
  • Create the distinguished‑name hash symlink required by the system:
    syslog_ng_link_name=$(openssl x509 -noout -hash -in ca/RootCA.crt).0
    # The link target is resolved relative to ca/, so use the bare file name
    ln -s RootCA.pem "ca/${syslog_ng_link_name}"
  • Generate the private key for the server certificate:
    openssl genrsa -out private.key
  • Create a certificate signing request (CSR), supplying your organisation details and SAN entries for all hostnames/IPs the certificate should cover:
    openssl req -new -sha256 -key private.key -subj "/C={Country}/ST={State}/L={Locality}/O={Organisation}/CN={Common name}" -reqexts SAN -config <(cat /etc/pki/tls/openssl.cnf <(printf "\n[SAN]\n{SAN Content}")) -out cert.csr
  • Example SAN content:
    subjectAltName=DNS:tes-at-my-org,DNS:alt-host-name,IP:10.50.10.123
  • Generate the server certificate using the CSR and Root CA:
    openssl x509 -req -in cert.csr -CA ca/RootCA.crt -CAkey ca/RootCA.key -CAcreateserial -days 1024 -sha256 -extfile <(printf "authorityKeyIdentifier=keyid,issuer\nbasicConstraints=CA:FALSE\nkeyUsage = digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment\n{SAN Content}") -out public.crt
  • Generate the Diffie‑Hellman parameters (minimum 2048‑bit recommended):
    openssl dhparam -out dhparam.pem 2048
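
Before starting Nipper OmniSight, the files can be checked against the requirements listed under "Using Certificates from Your Organisation’s PKI". The script below is an added example, not Titania's own tooling; the function names are this example's own, and it assumes only the file names and directory layout given on this page.

```sh
#!/bin/sh
# Added example, not vendor code. Function names are this example's own.

# public.crt and private.key must hold the same public key.
key_matches_cert() (  # $1 = certificate, $2 = private key
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || exit 1
  [ -n "$c" ] && [ "$c" = "$k" ]
)

# public.crt must chain to RootCA.crt.
chains_to_ca() (  # $1 = certificate, $2 = CA certificate
  out=$(openssl verify -CAfile "$2" "$1" 2>&1) || exit 1
  case "$out" in *": OK"*) exit 0 ;; *) exit 1 ;; esac
)

# ca/{hash}.0 must be a symlink that resolves to RootCA.pem. A link whose
# target is not relative to ca/ dangles and fails the -e test.
hash_link_ok() (  # $1 = ca directory
  h=$(openssl x509 -noout -hash -in "$1/RootCA.crt" 2>/dev/null) || exit 1
  [ -L "$1/$h.0" ] && [ -e "$1/$h.0" ] && cmp -s "$1/$h.0" "$1/RootCA.pem"
)

# The certificate must list the name or IP that clients connect to.
san_covers() (  # $1 = certificate, $2 = "DNS:name" or "IP Address:addr"
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    awk '/Subject Alternative Name/ { getline; print; exit }' |
    tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -Fxq -- "$2"
)

# Run all checks on an ssl/ directory; the return value is the failure count.
check_ssl_dir() {  # $1 = ssl directory, $2 = SAN entry to require
  fails=0
  fail() { echo "FAIL: $1"; fails=$((fails + 1)); }
  key_matches_cert "$1/public.crt" "$1/private.key" || fail "private.key does not match public.crt"
  chains_to_ca "$1/public.crt" "$1/ca/RootCA.crt" || fail "public.crt does not chain to ca/RootCA.crt"
  hash_link_ok "$1/ca" || fail "ca/{hash}.0 symlink is missing or dangling"
  san_covers "$1/public.crt" "$2" || fail "public.crt has no SAN entry $2"
  return "$fails"
}

# Usage: script <ssl directory> <SAN entry>
if [ "$#" -ge 2 ]; then check_ssl_dir "$1" "$2"; fi
```

Pass the SAN entry in the form OpenSSL prints it, for example "DNS:alt-host-name" or "IP Address:10.50.10.123".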