Red Hat - Cockpit

Cockpit

SSL/TLS

  • SSL/TLS Usage

    Cockpit will load a certificate from the /etc/cockpit/ws-certs.d directory, or below $XDG_CONFIG_DIRS if set (see cockpit.conf). It will use the last file with a .cert or .crt extension in alphabetical order. The file should contain one or more OpenSSL style BEGIN CERTIFICATE blocks for the server certificate and the intermediate certificate authorities.

    The private key must be contained in a separate file with the same name as the certificate, but with a .key suffix instead. The key must not be encrypted.

    If no certificate is found, a self-signed certificate is created and stored in the 0-self-signed.cert file. On some platforms, Cockpit will also generate a ca.crt in that directory, which may be safely imported into client browsers.

    Cockpit will read the files as root, so they can have tight permissions.

    # To check which certificate cockpit-ws will use, run the following command:
    $ sudo /usr/libexec/cockpit-certificate-ensure --check
    Would use certificate /etc/cockpit/ws-certs.d/home.cq.crt
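
The selection and key rules above can also be checked by hand before restarting the service. The script below is an added example, not part of Cockpit or of the original notes; the function names, the sample file names and the C-locale sort order are assumptions, and `cockpit-certificate-ensure --check` remains the authoritative answer.

```shell
#!/bin/sh
# Added example (not Cockpit code): predict which certificate cockpit-ws would
# load from a ws-certs.d style directory and check the key rules quoted above.

# Last *.cert / *.crt name in alphabetical order (assumption: C-locale byte order).
pick_cert() {
    for f in "$1"/*.cert "$1"/*.crt; do
        if [ -f "$f" ]; then printf '%s\n' "${f##*/}"; fi
    done | LC_ALL=C sort | tail -n 1
}

# Print findings; return 0 only if the selected pair meets every rule.
audit_cert_dir() {
    dir=$1; rc=0
    cert=$(pick_cert "$dir")
    if [ -z "$cert" ]; then
        echo "no .cert/.crt file: Cockpit would create 0-self-signed.cert"; return 2
    fi
    echo "would use: $dir/$cert"
    key="$dir/${cert%.*}.key"            # same name, .key suffix
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$dir/$cert"; then
        echo "FAIL: no BEGIN CERTIFICATE block in $cert"; rc=1
    fi
    if [ ! -f "$key" ]; then echo "FAIL: missing $key"; return 1; fi
    # PKCS#8 and legacy PEM markers for a passphrase-protected key
    if grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$key"; then
        echo "FAIL: $key is encrypted"; rc=1
    fi
    # Characters 5-10 of the ls mode string are the group/other bits
    if [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $key is accessible to group/other"; rc=1
    fi
    return $rc
}

# Constructed sample directory (placeholder PEM bodies, not real key material).
make_sample() {
    d=$(mktemp -d)
    for n in 0-self-signed.cert home.example.crt; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' CONSTRUCTED '-----END CERTIFICATE-----' > "$d/$n"
    done
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' CONSTRUCTED '-----END PRIVATE KEY-----' > "$d/home.example.key"
    chmod 600 "$d/home.example.key"
    echo "$d"
}

if [ "$#" -gt 0 ]; then audit_cert_dir "$1"; else audit_cert_dir "$(make_sample)"; fi
```

Run it with the directory as its argument (as root for /etc/cockpit/ws-certs.d, since the key should not be readable by anyone else); with no argument it audits the constructed sample.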