Posit Team SSL Considerations

When using an SSL certificate with Posit Workbench, Connect, or Package Manager, there are several things to consider when choosing which certificate to use and how it should be configured.

 

Self-Signed vs CA Signed

CA-signed certificates make it easy to implement Transport Layer Security (TLS), but they are more costly. Conversely, self-signed certificates are more configurable and cheaper, but require more work to be trusted by third parties.

 

CA Signed Certificates

If you are using a CA-signed certificate, there aren't any other considerations to make during the implementation process. You only need to ensure that the full certificate chain (the server certificate, any subordinate issuer certificates, and the root certificate) is placed in the certificate file on the server. Follow the guide for your product to set up SSL:

 

Posit Workbench

https://docs.posit.co/rsw/configuration/ssl-certificates/

 

Posit Connect

https://docs.posit.co/rsc/configuration/ssl-certificates/

 

Posit Package Manager

https://docs.posit.co/rpm/configuration/ssl-certificates/

 

Self-Signed Certificates

If you are using a self-signed certificate, there are a couple more settings to consider. As a first step, it is essential that your organization has a policy in place that allows other devices within your organization to trust the self-signed certificates that you've generated. This is usually done through an Active Directory policy; check with your IT team if you're unsure whether this is in place. If the other servers in your domain don't trust the certificate used by the Posit software, then communicating with those servers will prove troublesome, and you will run into connection issues along the way.

 

When using self-signed certificates, it's useful to have OpenSSL installed. The installation command depends on your Linux distribution:

Ubuntu/Debian

sudo apt-get install openssl libssl-dev

Red Hat/CentOS

sudo yum install openssl openssl-devel

Once installed, we can proceed to the next step.

 

Remove any passphrases from your SSL certificates

First, we need to ensure that the private key for our certificate does not have a passphrase associated with it. Once we have OpenSSL installed, we can run the following command to remove the passphrase from the key:

openssl rsa -in [original.key] -out [new.key]

For example:

openssl rsa -in /path/to/selfcert.key -out /path/to/selfcert1.key

Note that in the example above, the passphrase-free key is written to a new file, selfcert1.key, instead of replacing selfcert.key. If you choose to use the same name in the command, then the previous selfcert.key file will be overwritten and the passphrase will be removed. Because the resulting key file is no longer encrypted, restrict its file permissions so that only the account that needs it can read it.

 

Add your certificate to the trusted certificate store on your server

Ubuntu/Debian

For Debian and Ubuntu-based distributions, locally trusted certificates are placed in the following directory:

/usr/local/share/ca-certificates/

You will need to copy the certificate file into this directory. Only files with a .crt extension are picked up.

sudo cp /path/to/selfcert.crt /usr/local/share/ca-certificates

Then, update the trusted certificates on your system:

sudo update-ca-certificates

Red Hat/CentOS

For RHEL-based distributions, locally trusted certificates are placed in the following directory:

/etc/pki/ca-trust/source/anchors/

You will need to copy the certificate file into this directory.

sudo cp /path/to/selfcert.crt /etc/pki/ca-trust/source/anchors

Then, update the trusted certificates on your system:

sudo update-ca-trust extract
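
A pre-flight check for the points above, as an added example that is not Posit's own tooling: it flags a private key that still carries a passphrase, confirms that the certificate belongs to the key, and counts the certificates in the certificate file. The function names and the script name are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for a certificate/key pair.
# Function names and file paths are illustrative assumptions.

# Succeeds if the PEM private key is passphrase-protected. PKCS#8 keys say
# "BEGIN ENCRYPTED PRIVATE KEY"; traditional keys carry a Proc-Type header.
key_is_encrypted() {
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|^Proc-Type: 4,ENCRYPTED' "$1"
}

# Prints how many certificates a PEM file holds (1 = server certificate only).
chain_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeeds if the first certificate in $1 carries the public key of key $2.
# Returns 2 if either file cannot be parsed.
cert_matches_key() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    # The empty -passin value makes openssl fail instead of prompting.
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass:) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Runs every check, prints one line per finding, returns non-zero on failure.
preflight() {
    local cert=$1 key=$2 rc=0
    if key_is_encrypted "$key"; then
        echo "FAIL: $key still has a passphrase; strip it with 'openssl rsa'"
        rc=1
    elif ! cert_matches_key "$cert" "$key"; then
        echo "FAIL: $cert and $key do not match (or could not be parsed)"
        rc=1
    fi
    if [ "$(chain_cert_count "$cert")" -lt 2 ]; then
        echo "NOTE: $cert holds one certificate; fine for self-signed," \
             "but a CA-signed file must also contain the issuer chain"
    fi
    return "$rc"
}

# Usage: ./preflight.sh /path/to/selfcert.crt /path/to/selfcert.key
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```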

 

Support Ticket

If you still have issues after completing the above, you can always lodge a support ticket, where our group of friendly and incredibly knowledgeable staff can assist with any issues that you may be having. You can submit a ticket here:

https://support.posit.co/hc/en-us/requests/new
