Guidelines for Self-Signed and Company-Issued SSL Certificates

This topic describes how to configure SSL certificates that are self-generated for use with ECC REST API commands.

Note: For an ECC Server configured with an SSL certificate issued by a trusted Certificate Authority, no further action is required to prepare the REST client for https connections.

For an ECC Server configured with a self-signed SSL certificate, it is sufficient to add the public certificate to the certificate store for the REST client application.

For an SSL certificate generated by an in-house certificate server, add the public certificate, any intermediate certificates and the root certificate to the certificate store for the REST client application.

Preparing the ECC Server SSL certificate(s)

For a self-signed SSL certificate, the public certificate for the ECC Server can be obtained by opening the ECC Server's https URL in a web browser, then displaying the certificate information in the browser. Most web browsers offer an Export certificate feature. Be sure to export the public certificate in PEM format.

For an SSL certificate issued by your organization’s own certificate server, you may need to obtain a copy of the root certificate in PEM format from your IT department. Your web browser may allow you to copy/export this root certificate directly from the ECC Server. For some in-house SSL certificates, it may also be necessary to export one or more intermediate certificates. In all cases, export the certificates in PEM format.

Note: the private key of the ECC Server’s SSL certificate is not required. This key must be maintained in a secure manner.

Insomnia REST Client

The Insomnia REST client has its own trusted certificate store in the text file %TEMP%\insomnia_yyyy.x.z\ca-certs.pem, where yyyy.x.z depends on the Insomnia version. For example:

C:\Users\jsmith\AppData\Local\Temp\insomnia_2021.5.3\ca-certs.pem

This certificate store file does not exist at first but will be created when Insomnia is first run by the user. Once created, Insomnia will not overwrite this file, so it is possible to append additional certificates to the end of this file.

Note: Once modified, the Insomnia certificate store file should be backed up to a location outside of the TEMP folder.

For a self-signed SSL certificate, append the public certificate from ECC Server (in PEM format) to the end of this certificate store, then restart Insomnia. Insomnia will then permit https REST URLs to connect to the ECC Server.
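The append step described above can be scripted so that it refuses an export that contains a private key, skips certificates already in the store, and writes the backup copy. This is an added example, not code from Insomnia or Nuix; the function names and the backup location are assumptions, and fake_pem builds constructed placeholder blocks rather than real certificates.

```python
import base64
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# Any PEM block: captures the label and the base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def cert_blocks(pem_text):
    """Map SHA-256(DER) -> PEM block for every certificate in pem_text."""
    found = {}
    for m in PEM_BLOCK.finditer(pem_text):
        label, body = m.group(1), m.group(2)
        if "PRIVATE KEY" in label:
            # The server's private key must never reach a client trust store.
            raise ValueError("export contains a private key")
        if label == "CERTIFICATE":
            der = base64.b64decode("".join(body.split()), validate=True)
            found[hashlib.sha256(der).hexdigest()] = m.group(0)
    return found

def append_to_store(store_path, exported_pem, backup_dir):
    """Append certificates the store lacks; return the fingerprints added."""
    store = Path(store_path)
    existing = cert_blocks(store.read_text(encoding="utf-8"))
    new = {fp: blk for fp, blk in cert_blocks(exported_pem).items()
           if fp not in existing}
    if new:
        with store.open("a", encoding="utf-8") as fh:
            fh.write("\n" + "\n".join(new.values()) + "\n")
        # Keep a copy outside TEMP, as the page recommends.
        Path(backup_dir).mkdir(parents=True, exist_ok=True)
        shutil.copy2(store, Path(backup_dir) / store.name)
    return sorted(new)

def fake_pem(label, payload):
    """Constructed placeholder block (not a real certificate or key)."""
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp, "ca-certs.pem")
        store.write_text(fake_pem("CERTIFICATE", b"existing CA"))
        export = fake_pem("CERTIFICATE", b"constructed ECC cert")
        print(append_to_store(store, export, Path(tmp, "backup")))
        print(append_to_store(store, export, Path(tmp, "backup")))  # adds nothing
```

For real use, pass the path of the Insomnia ca-certs.pem file and the text of the PEM file exported from the browser.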

Nuix Workstation

Add copies of the self-signed or self-issued certificate(s) from the ECC Server to the cacerts file within Nuix Workstation’s /jre/lib/security folder. You will need the keytool utility in the /jre/bin folder to add these certificates, as follows:

keytool -import -file "/path/to/one-or-more-certs-from-ecc-server.pem" -keystore "/path/to/nuix/workstation/jre/lib/security/cacerts" -storepass changeit -alias ecc

Note: In the command above, you will need to edit the paths to the various files. The keystore password value changeit is the default Java keystore password; however, your Java keystore’s password may be different. The alias value is arbitrary: it should uniquely identify the certificate(s) you are adding to the keystore.

Nuix Adaptive Security

Add copies of the self-signed or self-issued certificate(s) from the ECC Server to the Windows Certificate Store, at the Computer (machine-wide) level, under the Trusted Root Certificate Authorities folder. This is done using the Certificate Manager for the Windows computer running Adaptive Security.

CURL and libCURL-based Applications

CURL and libCURL may use the operating system's certificate store, or may use a specific file or environment variable to locate the trusted certificate store. CURL and libCURL applications can also use custom certificate stores. See details in the online CURL documentation.