Signing the ToolsControl CSR

Obtaining the CSR (Certificate Signing Request)

To get the ToolsControl certificate that is signed by a trusted Root CA, do the following:

  1. In Settings, select the HTTPS tab.

  2. Select Create CSR.

    The CSR creation box opens.

  3. Enter the distinguished name fields for the CSR. The only required field is Common Name. This field defaults to the Single IP of the cluster.

  4. Select Create CSR.

    A file named csr.pem is downloaded to the local computer.

  5. Have the downloaded csr.pem file signed by the trusted Root CA. To use the signed certificate as a certificate authority, make sure that the basic constraint Certificate Authority is true.
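
One way to carry out the check in step 5 before uploading, as an added example that is not part of the ToolsControl product or its documentation: the function confirms that the signed file carries the public key from csr.pem, chains to the root CA, and has the intended Certificate Authority basic constraint. The function names, all file names other than csr.pem, and the throwaway demo PKI are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code). Requires the openssl command-line tool.

# check_signed_cert CSR CERT ROOT_CA [ca|leaf]
# Succeeds only if CERT carries the CSR's public key, chains to ROOT_CA,
# and its Certificate Authority basic constraint matches the intended use.
check_signed_cert() {
    csr=$1; cert=$2; root=$3; want=${4:-ca}
    # 1. The CA must have signed *this* request: compare public keys.
    csr_key=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null) || return 1
    crt_key=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    [ "$csr_key" = "$crt_key" ] ||
        { echo "FAIL: certificate key differs from CSR key" >&2; return 1; }
    # 2. The signature must chain to the trusted root.
    openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: not signed by the given root CA" >&2; return 1; }
    # 3. CA:TRUE is needed only when the result is to act as an issuing CA.
    if openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE'
    then have=ca; else have=leaf; fi
    [ "$have" = "$want" ] ||
        { echo "FAIL: basic constraint is $have, expected $want" >&2; return 1; }
    echo "OK: $cert matches the CSR, chains to the root, type=$have"
}

# Constructed sample data: a throwaway root CA, a CSR standing in for the
# downloaded csr.pem, and that CSR signed once as a CA and once as a leaf.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=192.0.2.10" \
        -keyout "$d/demo.key" -out "$d/csr.pem" 2>/dev/null || return 1
    echo 'basicConstraints=critical,CA:TRUE' > "$d/ca.ext"
    echo 'basicConstraints=critical,CA:FALSE' > "$d/leaf.ext"
    for kind in ca leaf; do
        openssl x509 -req -in "$d/csr.pem" -CA "$d/root.pem" -CAkey "$d/root.key" \
            -CAcreateserial -days 1 -extfile "$d/$kind.ext" \
            -out "$d/signed-$kind.pem" 2>/dev/null || return 1
    done
}

demo=$(mktemp -d) && make_demo_pki "$demo" || exit 1
check_signed_cert "$demo/csr.pem" "$demo/signed-ca.pem" "$demo/root.pem" ca
check_signed_cert "$demo/csr.pem" "$demo/signed-leaf.pem" "$demo/root.pem" ca ||
    echo "leaf certificate correctly rejected for CA use"
rm -rf "$demo"
```

In real use, pass the csr.pem downloaded in step 4, the file returned by the CA, and the root CA certificate, with `leaf` as the fourth argument when the certificate is not meant to act as an issuing CA.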

Uploading a Signed CSR

To upload the signed CSR to ToolsControl, do the following:

  1. In Settings, select the HTTPS tab.

  2. Select Upload.

    The Select file for upload box opens.

  3. Select BROWSE.

  4. Select the signed file.

  5. Select Upload to upload the signed file.

If a signed non-CA certificate was successfully uploaded, the certificate is immediately active. Wait a few seconds and refresh the page to see the new certificate data in Settings > HTTPS.

If a signed CA certificate was successfully uploaded, ToolsControl has a signed CA that can issue trusted certificates.

Generating a Certificate

To generate a new trusted certificate, do the following:

  1. In Settings, select the HTTPS tab.

  2. Select Generate.

    The Generate certificate view appears. The view displays the possible distinguished names that you can specify for the generated certificate. The fields are the same as for the CSR. By default, these are pre-filled with the same values as for the issuing CA. The view shows the issuer, the CA issuer, and the key size (always 2048) of the certificate to be generated.

  3. Select Generate to generate the new certificate.

    The new certificate is generated. Some services must be restarted to change to the new certificate, so wait a few seconds before refreshing the web page.

Separate the SAN IP/DNS names with commas only, with no spaces in between.

Issued certificates always contain the Single IP and node IPs, regardless of what SAN is specified.

If a certificate was successfully generated, there should now be an updated view with the new alternative names added, and the Issued and Expires data updated.

Using Self-signed Certificates

As an alternative to signing the ToolsControl issuing CA, it is possible to have ToolsControl issue a self-signed certificate. All users will then need to explicitly trust the certificate in the browser to access the ToolsControl portal with HTTPS encryption.

A warning will be shown in the browser, saying that the connection is insecure since the certificate is not issued by a trusted provider. Click Advanced, or some equivalent alternative, and choose to proceed anyway. HTTPS encryption is then enabled.

By manually adding the ToolsControl issuing CA to the browser's list of trusted root CAs, future warnings are suppressed. The procedure for adding a trusted CA varies depending on the browser and operating system of the computer.