When configuring an SSL certificate for Posit Workbench, Connect, or Package Manager, there are several things to consider when choosing which certificate to use and how it should be configured.
Self-Signed vs CA Signed
CA-signed certificates make it easy to implement transport layer security (TLS); however, they are more costly. Conversely, self-signed certificates are more configurable and cheaper, but require more work to be trusted by third parties.
CA Signed Certificates
If using a CA-signed certificate, there aren't any other considerations to make during the implementation process. You only need to ensure that the full certificate chain (the server certificate, any subordinate issuer certificates, and the root certificate) is placed in the certificate file on the server. You can follow the guides here on how to set up SSL, depending on the product you are using:
Posit Workbench
https://docs.posit.co/rsw/configuration/ssl-certificates/
Posit Connect
https://docs.posit.co/rsc/configuration/ssl-certificates/
Posit Package Manager
https://docs.posit.co/rpm/configuration/ssl-certificates/
Self-Signed Certificates
If using a self-signed certificate, there are a couple more settings that we need to consider. As a first step, it is essential that your organization has a policy in place that allows other devices within your organization to trust the self-signed certificates that you've generated. This is usually done through an Active Directory policy; however, check with your IT team if you're unsure whether this is in place. If the other servers in your domain don't trust the certificate used by the Posit software, then communicating with other servers will prove troublesome, and you will run into connection issues along the way.
When using self-signed certificates, it's useful to have OpenSSL installed. The installation command depends on your Linux distribution:
Ubuntu/Debian
sudo apt-get install openssl libssl-dev
Redhat/CentOS
sudo yum install openssl openssl-devel
Once installed, we can proceed to the next step.
Remove any passphrases from your SSL certificates
First, we need to ensure that the private key for our certificate does not have a passphrase associated with it. Once we have OpenSSL installed, we can run the following command to remove the passphrase from the key:
openssl rsa -in [original.key] -out [new.key]
For example:
openssl rsa -in /path/to/selfcert.key -out /path/to/selfcert1.key
Note that in the example above, the new key is written to selfcert1.key rather than back to selfcert.key. If you choose to use the same name in the command, then the previous selfcert.key file will be overwritten and the passphrase will be removed. The new key file is stored unencrypted, so make sure it is readable only by the account that needs it.
Add your certificate to the trusted certificate store on your server
Ubuntu/Debian
For Debian and Ubuntu-based distributions, this is located in the following directory:
/usr/local/share/ca-certificates/
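You will need to copy the certificate file into this directory. The file must be PEM-encoded and have a .crt extension for update-ca-certificates to pick it up.
sudo cp /path/to/selfcert.crt /usr/local/share/ca-certificates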
Then, update the trusted certificates on your system:
sudo update-ca-certificates
Red Hat/CentOS
For RHEL-based distributions, this is located in the following directory:
/etc/pki/ca-trust/source/anchors/
You will need to copy the certificate file into this directory.
sudo cp /path/to/selfcert.crt /etc/pki/ca-trust/source/anchors
Then, update the trusted certificates on your system:
sudo update-ca-trust extract
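To confirm the passphrase removal and trust-store steps above took effect, the following added example (not part of the original article or Posit's documentation) checks that a key is no longer encrypted, that it still matches the certificate, and that the certificate verifies against a given CA bundle. The function names, the passphrase, the example.test subject names and the throwaway files it generates are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). File names are constructed.

# Exit 0 if the PEM private key in $1 is still passphrase-protected.
# Matches PKCS#8 and traditional ("Proc-Type: 4,ENCRYPTED") encrypted PEM.
key_is_encrypted() {
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# Exit 0 if certificate $1 and unencrypted key $2 carry the same public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Exit 0 if certificate $1 verifies against the CA bundle $2.
cert_is_trusted() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Build constructed sample material in directory $1: a self-signed certificate
# with an encrypted key, the same key with the passphrase removed, and an
# unrelated certificate standing in for a trust store that lacks ours.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -days 1 -subj "/CN=posit.example.test" \
        -passout pass:constructed -keyout "$1/selfcert.key" \
        -out "$1/selfcert.crt" 2>/dev/null &&
    openssl rsa -in "$1/selfcert.key" -passin pass:constructed \
        -out "$1/selfcert1.key" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -days 1 -nodes -subj "/CN=other.example.test" \
        -keyout "$1/other.key" -out "$1/other.crt" 2>/dev/null
}

# Run one check and print PASS or FAIL with its description.
check() { desc=$1; shift; if "$@"; then echo "PASS $desc"; else echo "FAIL $desc"; fi; }

demo=$(mktemp -d) && make_sample "$demo" && {
    check "original key is encrypted" key_is_encrypted "$demo/selfcert.key"
    check "certificate matches new key" \
        cert_matches_key "$demo/selfcert.crt" "$demo/selfcert1.key"
    check "certificate trusted by store containing it" \
        cert_is_trusted "$demo/selfcert.crt" "$demo/selfcert.crt"
}
rm -rf "$demo"
```

On a real server, pass the system bundle as the second argument to cert_is_trusted: typically /etc/ssl/certs/ca-certificates.crt on Debian/Ubuntu or /etc/pki/tls/certs/ca-bundle.crt on RHEL-based systems.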
Support Ticket
If you still have issues after completing the above, you can always lodge a support ticket, where our group of friendly and incredibly knowledgeable staff can assist with any issues that you may be having. You can submit a ticket here:
https://support.posit.co/hc/en-us/requests/new