# Applying a certificate to Cockpit (Web Console)

This is a little script to help me install / rotate Cockpit certificates.

Official documentation for this procedure can be found in the [Cockpit Deployment Guide](https://cockpit-project.org/guide/latest/https.html#https-certificates).

## Create a Certificate Signing Request (.csr)

Use `openssl` to create the CSR, using Subject Alternative Names (SAN / subjectAltName) for the DNS name and IP address.

```bash=
openssl req \
  -newkey rsa:4096 \
  -nodes \
  -subj "/CN=my-server.example.com" \
  -addext "subjectAltName=DNS:my-server.example.com,IP:192.168.123.45" \
  -keyout my-server.example.com.key \
  -out my-server.example.com.csr
```

## Get your certificate signed

This procedure depends on your infrastructure and organization.

## Install the signed certificate and private key

After your certificate has been signed, move it into the correct location.

```bash=
#!/bin/bash

CERT_PKCS7="$(hostname -f).pkcs7"
CERT_PEM="$(hostname -f).pem"
KEY="$(hostname -f).key"
DEST="/etc/cockpit/ws-certs.d/$(hostname -f).cert"

# Stop before touching the Cockpit configuration if an input file is missing
[ -f "$CERT_PKCS7" ] || { echo "Certificate file not found: $CERT_PKCS7" >&2; exit 1; }
[ -f "$KEY" ] || { echo "Private key file not found: $KEY" >&2; exit 1; }

# Convert the PKCS7 data into PEM format
# The PKCS7 data returned from my CA includes the certificate, intermediate and root CAs in the correct order.
openssl pkcs7 -print_certs -in "$CERT_PKCS7" -out "$CERT_PEM" || exit 1

# Remove comments from the PEM file
# and add the private key to the file so Cockpit can use it
# (the instructions say to place the key in its own file...)
grep -v -e '^$' -e '^subject' -e '^issuer' < "$CERT_PEM" > "$DEST"
cat "$KEY" >> "$DEST"
# $DEST now contains the private key, so check its ownership and mode

# Restart Cockpit
systemctl restart cockpit.service
```
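
Before running the install script, it is worth confirming that the signed certificate belongs to the private key and covers the server's host name, so a wrong or stale file from the CA is caught before Cockpit is restarted. The following is an added example, not part of the original script or the Cockpit guide; the function names, the `sample.*` files and the throwaway self-signed pair are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-install sanity check. Function names are hypothetical.

# SHA-256 of the DER-encoded public key in a certificate or private key.
# $1 = "cert" or "key", $2 = PEM file. Fails if the file cannot be parsed.
pubkey_digest() (
    case "$1" in
        cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        key)  pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        *)    exit 2 ;;
    esac
    [ -n "$pub" ] || exit 1
    printf '%s\n' "$pub" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
)

# Return 0 only if the leaf certificate (first PEM block in $1) carries the
# public key of the private key in $2 and is valid for the host name $3.
verify_cert_for_install() (
    cert_fp=$(pubkey_digest cert "$1") || { echo "unreadable certificate: $1" >&2; exit 1; }
    key_fp=$(pubkey_digest key "$2") || { echo "unreadable private key: $2" >&2; exit 1; }
    if [ "$cert_fp" != "$key_fp" ]; then
        echo "certificate does not match private key" >&2; exit 1
    fi
    if ! openssl x509 -in "$1" -noout -checkhost "$3" | grep -q 'does match'; then
        echo "certificate does not cover host name $3" >&2; exit 1
    fi
)

# Constructed sample: a throwaway self-signed pair stands in for the CA-signed
# certificate so the check can be tried offline. Prints the temp directory.
make_sample_pair() (
    dir=$(mktemp -d) || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=my-server.example.com" \
        -addext "subjectAltName=DNS:my-server.example.com" \
        -keyout "$dir/sample.key" -out "$dir/sample.pem" 2>/dev/null || exit 1
    echo "$dir"
)

# Usage: sh verify.sh <cert.pem> <private.key> <fqdn>
if [ "$#" -eq 3 ]; then
    verify_cert_for_install "$1" "$2" "$3" && echo "OK to install"
fi
```

In the install script above, the natural place for this check is right after the `openssl pkcs7` conversion, passing `$CERT_PEM`, `$KEY` and `$(hostname -f)`.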