Certificates
You can manage and specify certificates from the Certificates page.
TLS Termination Best Practices
LiveSwitch strongly recommends using a reverse proxy, like nginx or haproxy, or a load balancer for TLS termination.
The Certificates page is a central place to manage your certificates. Certificates are necessary to configure HTTPS and TURNS bindings. For more information on secure bindings, refer to the Deployment Configuration topic.
To support a variety of use cases, the LiveSwitch Console uses three methods to manage certificates:
- Wildcarded domains: This is the most typical use case and gives you convenient central management of certificates. Your TURNS and HTTPS bindings use the certificates you configured, and those certificates are issued for wildcarded domains. A certificate issued for a wildcarded domain can be used across all your subdomains, so it doesn't matter under which subdomain your server is actually running.
- Migration case: For certificates in 1.2.x or older installations.
- Individual certificates per server: Certificates aren't wildcarded. You must refer to an actual certificate residing on a server.
Certificates, Bindings, and Deployments
To use a certificate, do the following:
- Set up a Deployment Configuration with HTTPS/TURNS bindings using this certificate.
- Configure the Deployment in your servers' JSON config. You only need to configure your servers' JSON config once.
- Update certificates and use the LiveSwitch Console to update the bindings for that Deployment.
For more information on how to configure your servers with a Deployment Configuration, refer to the Deployment Configuration topic.
To support these use cases, upload .PFX certificates on the LiveSwitch Console. For certificates that you have placed on a server, refer to them by path or by the certificate's hash.
Upload a Certificate from a Certificate File
This method supports the typical wildcarded domains use case.
It's best practice to manage your certificates using this method. When you upload a certificate file, it's validated as part of the upload process. Any problems with the certificate are reported to you when you attempt to upload the certificate, so you can fix the issue immediately.
To upload a certificate from a certificate file, do the following:
- In the File Certificates section, click NEW CERTIFICATE.
- In the Tag (Human Readable Tag) field, enter a tag for your certificate.
- Click inside the drop area to upload a .PFX certificate file.
- If you want to protect your certificate with a password, enter a password in the Certificate File Password field.
- Click UPLOAD.
Specify a Certificate by Path
If you are migrating your Linux server from an older version or you are using individual certificates per server, do the following:
- In the Path Certificates section, click NEW CERTIFICATE.
- In the Tag (Human Readable Tag) field, enter a tag for your certificate.
- In the File System Path field, specify the full system path to your certificate.
- Click OK.
Note
From the LiveSwitch Console, you can't verify certificates specified by path. You can't know if your certificate configuration works until the server loads it. If it's possible, LiveSwitch recommends uploading a certificate from a certificate file.
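Because the Console can't verify a path certificate, you can check the file on the server before entering its path. The following is an added example, not LiveSwitch code: it assumes the file is a PKCS#12 (.pfx) bundle and that openssl is installed, and `check_pfx` is a hypothetical helper name.

```shell
# check_pfx FILE PASSWORD [MIN_DAYS]  (hypothetical helper, not a LiveSwitch tool)
# Assumes the path certificate is a PKCS#12 (.pfx) file and openssl is installed.
# Returns: 0 usable, 1 unreadable, 2 wrong password or damaged file,
#          3 no private key, 4 no leaf certificate, 5 expires within MIN_DAYS.
check_pfx() {
  local file="$1" pass="$2" min_days="${3:-30}" leaf
  # Run this as the account the server runs under: it must be able to read the path.
  [ -r "$file" ] || { echo "unreadable: $file" >&2; return 1; }
  # Verify the container's MAC. The password is passed through the environment,
  # not argv, so it does not appear in the process list.
  PFX_PASS="$pass" openssl pkcs12 -in "$file" -passin env:PFX_PASS -noout \
    2>/dev/null || { echo "cannot open (password or format): $file" >&2; return 2; }
  # An HTTPS or TURNS binding needs the private key, not only the certificate.
  # The key is piped straight into grep and never written to disk.
  PFX_PASS="$pass" openssl pkcs12 -in "$file" -passin env:PFX_PASS -nocerts -nodes \
    2>/dev/null | grep -q 'PRIVATE KEY' || { echo "no private key: $file" >&2; return 3; }
  # Extract the leaf (key-bound) certificate, skipping any CA chain entries.
  leaf=$(PFX_PASS="$pass" openssl pkcs12 -in "$file" -passin env:PFX_PASS \
    -nokeys -clcerts 2>/dev/null)
  case "$leaf" in
    *'BEGIN CERTIFICATE'*) ;;
    *) echo "no leaf certificate: $file" >&2; return 4 ;;
  esac
  # Fail if the certificate expires within MIN_DAYS (default 30).
  printf '%s\n' "$leaf" | openssl x509 -noout -checkend $((min_days * 86400)) \
    >/dev/null 2>&1 || { echo "expires within $min_days days: $file" >&2; return 5; }
  # Print what the server will load, for the change record.
  printf '%s\n' "$leaf" | openssl x509 -noout -subject -enddate -fingerprint -sha256
}
```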
Specify a Certificate by Hash
If you are migrating your Windows server from an older version or you are using individual certificates per server, do the following:
- In the Hash Certificates section, click NEW CERTIFICATE.
- In the Tag (Human Readable Tag) field, enter a tag for your certificate.
- In the Certificate Hash field, enter a certificate hash.
- Click OK.
Note
From the LiveSwitch Console, you can't verify certificates specified by hash. You can't know if your certificate configuration is going to work until the server loads it from the Windows Certificate Store. If it's possible, LiveSwitch recommends uploading a certificate from a certificate file.