
Avoid Self-signed Certificate Warnings

The RIFT.ware user interface (Launchpad) uses Secure Sockets Layer (SSL) to secure HTTP requests between your browser and the Launchpad, REST API server, and package uploader server.

RIFT.io recommends that you use a valid root CA (certificate authority) signed certificate to access RIFT.ware through a browser. If you do not have a CA-signed certificate, RIFT.io recommends that you use the Chrome browser and accept the untrusted, self-signed certificate to interact with the Launchpad.


Using a certificate signed by a trusted CA

To apply for a digital identity (SSL) certificate:

  1. Generate a certificate signing request (CSR) from the host on which the certificate will be used.

  2. Send the encrypted CSR to a certificate authority (CA).

The CA uses information in your CSR to create your SSL certificate.

When you use a certificate signed by a trusted CA, your browser displays the secure (padlock) indicator in the address bar. All communications between the browser and RIFT.ware servers are encrypted.

Where to store certificates

Install and store your SSL key and trusted CA-signed certificate in /etc/ssl with the following names:

  • current.key

  • current.cert

For more information, see the OpenSSL website and a tutorial at OpenSSL Certificate Authority.

Using untrusted, self-signed certificates

If you use the Chrome or Firefox browser with a self-signed or untrusted certificate, a warning appears when you access the RIFT.ware UI.

How to add certificate exceptions to Firefox

Firefox handles certificates in its own certificate store, bypassing the system certificate store. Additionally, Firefox stores each certificate under an <ip>:<port> or <fqdn>:<port> key. Because the UI is served on a different port from the API ports, accepting the certificate in the UI does not accept it for the RIFT.ware API and websocket ports, and API requests fail. For more information, see Port Requirements.

Note: You must follow this procedure each time your Launchpad IP address changes.

  1. Open a Firefox instance, and type the IP address or fully qualified domain name of the Launchpad virtual machine, followed by port 8443.

    For example, enter one of:

    https://00.00.00.00:8443

    or

    https://hostname.domain.com:8443
  2. Accept the warning, and permanently store the certificate exception. See Avoid Self-signed Certificate Warnings.

  3. On your hard drive, navigate to your Firefox Profiles folder, and open the cert_override.txt file. For details about this file, see cert_override.txt on the Mozilla Developer Network.

    Tip: Find the location of your Firefox profile folder by typing about:support in the address bar. You'll see the directory on the Profile Folder row under Application Basics. (See also Profile folder - Firefox on mozillaZine.)

  4. Within cert_override.txt, locate the line that corresponds to your <launchpad_ip/fqdn>:8443 entry, and copy the entire line to the clipboard.

    The entry resembles the following, in a long wrapped line:

  5. Paste the 8443 line below the original line two times.

  6. Replace 8443 in the first pasted line with 4567.

  7. Optionally replace 8443 in the second pasted line with 8008.

    Note: Port 8008 is not used by the UI directly, but if you plan to use REST add-ons, such as RESTClient, to directly access the REST interface, include port 8008 in cert_override.txt.

  8. Restart Firefox and refresh the Launchpad URL:

    https://<launchpad_ip/fqdn>:8443
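
Steps 4 through 7 as a script, added here as an example (not RIFT.ware or Mozilla code). It assumes cert_override.txt is tab-separated with the <host>:<port> key in the first field; the function name, host name and sample entry are constructed for illustration.

```python
# Clone a Firefox cert_override.txt entry to the other Launchpad ports.
# Assumed layout: tab-separated fields, "<host>:<port>" key in the first field
# (a ":<suffix>" after the port, if present, is copied unchanged).

# Ports from the procedure: 4567 is required, 8008 only for direct REST access.
EXTRA_PORTS = (4567, 8008)

# Constructed sample; the fingerprint and last field are placeholders, not real values.
SAMPLE = (
    "# PSM Certificate Override Settings file\n"
    "# This is a generated file!  Do not edit.\n"
    "launchpad.example.com:8443\tOID.2.16.840.1.101.3.4.2.1\t"
    "AA:BB:CC:DD\tU\tCONSTRUCTED_DBKEY\n"
)

def clone_override(text, host, src_port=8443, extra_ports=EXTRA_PORTS):
    """Return the file content with the host:src_port entry copied to extra_ports.

    Only the key is rewritten. The stored fingerprint is kept, so the copies
    apply only to the certificate that was accepted on src_port.
    """
    src = f"{host}:{src_port}"
    lines = text.splitlines()
    keys = {ln.split("\t", 1)[0] for ln in lines}
    out, found = [], False
    for ln in lines:
        out.append(ln)
        if ln.startswith("#") or "\t" not in ln:
            continue                      # header comment or malformed line
        key, tail = ln.split("\t", 1)
        if key != src and not key.startswith(src + ":"):
            continue                      # entry for another site or port
        found = True
        suffix = key[len(src):]           # "" or ":<suffix>"
        for port in extra_ports:
            new_key = f"{host}:{port}{suffix}"
            if new_key not in keys:       # idempotent: never add a duplicate
                out.append(f"{new_key}\t{tail}")
                keys.add(new_key)
    if not found:
        raise LookupError(f"no override stored for {src}; do steps 1 and 2 first")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(clone_override(SAMPLE, "launchpad.example.com"), end="")
```

Because only the key changes, the copied entries still carry the fingerprint accepted on port 8443, so they take effect only if ports 4567 and 8008 serve that same certificate.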
    

 
