Server (HTTPS) Certificate

By default, FMOS provides a self-signed certificate for HTTPS communication. HTTPS is used by the web browser for the Security Manager user interface and by the data collectors to access the REST API. This certificate can be replaced using the fmos pki import-server-cert command. This command will overwrite the existing certificate and private key files:

fmos pki import-server-cert server.cer server.key

If the replacement certificate is signed by an intermediate certificate authority, the --chain argument can be used to specify the path to a file containing the intermediate CA certificates that should be sent along with the server certificate:

fmos pki import-server-cert server.cer server.key --chain server-chain.crt

This command supports certificate and private key files in PEM (base-64), DER (binary) and PKCS#12 formats. If the private key and certificate are stored in the same file (in PEM or PKCS#12 formats only), they will be separated automatically:

fmos pki import-server-cert server.p12

After replacing the original self-signed certificate on the application server with a certificate that is issued and signed by an internal corporate certificate authority, that CA certificate must be added to each remote data collector's trust store. These are the same steps as outlined in Trusted Certificate Authorities.

After replacing the server certificate, the changes will be applied automatically. No services need to be restarted for the changes to take effect.

FMOS will automatically renew the self-signed certificates it creates when they expire, but it will not do so for CA-signed certificates.
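Because import-server-cert overwrites the existing certificate and private key, and CA-signed certificates are not renewed automatically, the replacement files can be checked before import. The script below is an added example, not part of FMOS: it uses the standard openssl CLI on unencrypted PEM inputs to confirm that the key matches the certificate, that the certificate is not close to expiry, and that the chain file contains the issuer. The function names preflight and make_sample and the 30-day default are assumptions.

```shell
#!/bin/sh
# Added example (not FMOS code): checks to run on PEM inputs before
# `fmos pki import-server-cert`. Function names are hypothetical.

# preflight CERT KEY [CHAIN] [MIN_DAYS]
# Returns 0 if all checks pass; 2 unreadable input, 3 key mismatch,
# 4 certificate expires within MIN_DAYS (default 30), 5 chain mismatch.
preflight() {
    cert=$1 key=$2 chain=${3:-} min_days=${4:-30}

    # Both commands emit the public key as PEM SubjectPublicKeyInfo, so a
    # matching certificate/key pair produces identical text.
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "cannot read certificate: $cert" >&2; return 2; }
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "cannot read private key: $key" >&2; return 2; }
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ] ||
        { echo "private key does not match certificate" >&2; return 3; }

    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend "$((min_days * 86400))" >/dev/null ||
        { echo "certificate expires within $min_days days" >&2; return 4; }

    if [ -n "$chain" ]; then
        # -partial_chain lets a certificate in the chain file act as the anchor:
        # this confirms the chain file holds the issuer that signed the server
        # certificate, not that the chain ends at a root the clients trust.
        openssl verify -partial_chain -CAfile "$chain" "$cert" >/dev/null 2>&1 ||
            { echo "$cert does not verify against $chain" >&2; return 5; }
    fi
    return 0
}

# Constructed sample input: a throwaway CA and a 90-day leaf it signs, in DIR.
make_sample() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Constructed Test CA" \
        -days 365 -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=fmos.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 90 -out "$d/server.cer" 2>/dev/null
}

# Usage: sh preflight.sh server.cer server.key [server-chain.crt] [min_days]
if [ "$#" -ge 2 ]; then preflight "$@"; fi
```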