When using a custom domain with Cloud Maker Enterprise Server (CMES), you have the option to either allow CMES to generate TLS certificates for you automatically using Let's Encrypt, or you can supply certificates provisioned through other means.
The following guidance covers the high-level steps for creating the TLS certificates if you'd like to supply your own, and for retrieving the certificate and private key data in PEM format.
Provisioning TLS Certificates
There are many different types of certificates and certificate authorities available for use with CMES. You may choose to procure a host-specific certificate for your chosen host endpoint (e.g. cmes.yourdomain.com), or instead use a wildcard or Subject Alternative Name certificate (e.g. *.yourdomain.com).
The first step is to request and provision your desired TLS certificates with your chosen certificate authority. Each certificate authority has its own process for completing this.
Converting your TLS Certificates to PEM Format
CMES requires certificate data to be supplied in PEM format. If the certificate data supplied by the CA is not in PEM format, you must first convert the certificate data into PEM format before installing the CMES appliance.
The certificate trust chain for the certificate(s) issued for your CMES appliance is likely to include at least one intermediate certificate. If there is no intermediate certificate, then instructions related to intermediate certificates can be ignored.
To convert your certificates to PEM format, do the following:
NOTE: CMES doesn't currently support password-protected private keys. Please ensure any passwords are removed before completing these steps.
Convert the TLS certificate, intermediate certificate, and private key to PEM format by running the following commands:
For a TLS certificate in DER format:
openssl x509 -inform DER -in certificate.cer -out certificate.pem
For a TLS certificate in PKCS#7 format:
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem
For a TLS certificate in PKCS#12 format:
openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes
Combine the public parts of the certificate and intermediate certificate into a single PEM file by running the following command:
type certificate.pem intermediate.pem > combined.pem
You can now use the combined.pem file for your TLS certificate and intermediate certificate.
Please note that these instructions are for OpenSSL on Windows 11. If you are using a different operating system, the commands may be slightly different. Also, make sure to replace the file names with your actual file names.
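Before pasting the PEM data into the deployment wizard it is worth confirming that the conversion steps produced what CMES expects: an unencrypted private key, a bundle with the leaf certificate first and the intermediate after it, and no private key material inside the certificate bundle (the PKCS#12 conversion with -nodes writes the key into the same output file as the certificates, so it is easy to carry it into combined.pem by accident). The script below is an added example for a POSIX shell (bash) with OpenSSL, not part of the CMES documentation; on Windows cmd the concatenation step is `type` rather than `cat`. The file names certificate.pem, intermediate.pem, key.pem and combined.pem are assumptions matching the commands above, and the demo builds its own throwaway intermediate and leaf certificate rather than using real CA output.

```shell
#!/usr/bin/env bash
# Added example, not CMES documentation: pre-flight checks on PEM material
# produced by the conversion steps above. File names are assumptions.
set -u

# Number of certificate blocks in a PEM file. combined.pem should report 2 or
# more when an intermediate is present, and exactly 1 when there is none.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# 0 if the file holds a plain (unencrypted) PEM private key, 1 otherwise.
# CMES does not accept password-protected keys, so both the PKCS#8 encrypted
# header and the legacy "Proc-Type: 4,ENCRYPTED" marker are rejected here.
key_is_unencrypted() {
  local f="$1"
  grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f" && return 1
  grep -q -- 'Proc-Type: 4,ENCRYPTED' "$f" && return 1
  grep -qE -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$f"
}

# 0 if a certificate bundle contains no private key material. The bundle and
# the key are supplied separately, so a key inside combined.pem is a mistake
# (and a leak if the bundle is ever shared).
bundle_has_no_key() {
  ! grep -q -- 'PRIVATE KEY-----' "$1"
}

# Print the n-th certificate block (1-based) of a PEM bundle.
nth_cert() {
  awk -v n="$2" '/-----BEGIN CERTIFICATE-----/{c++} c==n{print}
                 /-----END CERTIFICATE-----/{if (c==n) exit}' "$1"
}

# The remaining checks need OpenSSL. The public key embedded in the leaf
# certificate must be identical to the one derived from the private key.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# The leaf must come first and be issued by the certificate that follows it,
# i.e. issuer of block 1 equals subject of block 2 (the order `type`/`cat`
# produced above).
chain_order_ok() {
  local issuer subject
  issuer=$(nth_cert "$1" 1 | openssl x509 -noout -issuer)
  subject=$(nth_cert "$1" 2 | openssl x509 -noout -subject)
  [ "${issuer#issuer=}" = "${subject#subject=}" ]
}

# Stand-alone demonstration on constructed material: a throwaway intermediate
# signs a throwaway leaf for cmes.example.com, then every check is run.
demo() {
  command -v openssl >/dev/null || { echo "openssl not found; skipping demo"; return 0; }
  local d; d=$(mktemp -d)
  (
    cd "$d" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=Example Intermediate' \
      -keyout ca.key -out intermediate.pem -days 1 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj '/CN=cmes.example.com' \
      -keyout key.pem -out leaf.csr >/dev/null 2>&1
    openssl x509 -req -in leaf.csr -CA intermediate.pem -CAkey ca.key \
      -CAcreateserial -out certificate.pem -days 1 >/dev/null 2>&1
    cat certificate.pem intermediate.pem > combined.pem   # `type` on Windows cmd
    key_is_unencrypted key.pem              && echo "key: unencrypted"
    bundle_has_no_key combined.pem          && echo "bundle: no key material"
    key_matches_cert certificate.pem key.pem && echo "key matches leaf certificate"
    chain_order_ok combined.pem && echo "chain order ok ($(count_certs combined.pem) certs)"
  )
  rm -rf "$d"
}
demo
```

If key_is_unencrypted fails on a converted key, the passphrase can be removed with the same OpenSSL tooling already used above (openssl pkey -in key.pem -out key-plain.pem will prompt for the passphrase and write an unencrypted copy); if bundle_has_no_key fails after a PKCS#12 conversion, cut the PRIVATE KEY block out of certificate.pem into its own file before combining.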
Using the PEM Certificate Data
Now that you have combined PEM data for your certificates and a PEM private key, you can copy and paste them into the CMES Solution Template deployment wizard in the Azure Marketplace portal during provisioning. See this KB for more information on deploying CMES.