There are scenarios where Server Workloads are secured with certificates issued by private Certificate Authorities (CAs), which are not publicly trusted. The Aembit Agent Proxy, by default, does not trust certificates issued by such private CAs and will not connect to these workloads.
This article describes the steps required to configure Edge Components to establish trust with these certificate authorities.
Adding Private CA

Kubernetes

To have your private CAs trusted, pass them as the agentProxy.trustedCertificates parameter in the Aembit Helm chart.
This parameter must be a single base64 string: concatenate the PEM-encoded certificates (including their BEGIN/END CERTIFICATE lines) and base64-encode the whole text on one line. Include the root CA and any intermediate CA certificate that the Server Workload does not itself send in the TLS handshake, otherwise chain building still fails.
The resulting Helm command will look like this (remember to replace the tenant ID, device code and other parameters; the trailing backticks are PowerShell line continuations, use \ in a POSIX shell):

helm install aembit aembit/aembit `
  --create-namespace -n aembit `
  --set tenant=TENANT,agentController.deviceCode=123456,agentProxy.trustedCertificates=LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0....
Elastic Container Service (ECS)

To trust private CAs, pass them as a variable to the Aembit ECS Terraform module.
This variable should be a base64-encoded list of PEM-encoded certificates, in the same single-line format as the Helm parameter above.

module "aembit-ecs" {
  source  = "Aembit/ecs/aembit"
  version = "1.12.0"
  ...
  aembit_trusted_ca_certs = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0...."
}
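Both the Helm parameter and the Terraform variable take the same value, so the following script (an added example, not part of the Aembit docs, chart or module) builds it from one or more PEM files and checks that the result decodes back to a balanced list of certificates before it is pasted anywhere. The script name make-ca-bundle.sh and the sample file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the Aembit docs or Helm chart: build the value that
# agentProxy.trustedCertificates (Helm) and aembit_trusted_ca_certs (Terraform)
# expect, i.e. the concatenated PEM certificates base64-encoded as a single line,
# and sanity-check the result before pasting it into a command or .tfvars file.
# The script name make-ca-bundle.sh in the usage line is an assumed name.

# Concatenate one or more PEM files and base64-encode them on one line.
# A single line matters: helm --set and Terraform string values do not take
# embedded newlines, and GNU base64 wraps its output at 76 columns by default.
encode_ca_bundle() {
  cat "$@" | base64 | tr -d '\n'
}

# Decode a bundle and print how many certificates it holds. Returns 1 when the
# value is not valid base64, contains no certificate, or has unbalanced
# BEGIN/END markers (the usual symptom of a truncated copy-paste).
count_bundle_certs() {
  decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
  begins=$(printf '%s\n' "$decoded" | grep -c '^-----BEGIN CERTIFICATE-----$' || true)
  ends=$(printf '%s\n' "$decoded" | grep -c '^-----END CERTIFICATE-----$' || true)
  [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ] || return 1
  echo "$begins"
}

# Usage: sh make-ca-bundle.sh root-ca.pem issuing-ca.pem > bundle.b64
if [ "$#" -gt 0 ]; then
  bundle=$(encode_ca_bundle "$@")
  n=$(count_bundle_certs "$bundle") || { echo "input is not a well-formed PEM certificate list" >&2; exit 1; }
  printf '%s\n' "$bundle"
  echo "encoded $n certificate(s)" >&2
fi
```

With the output in bundle.b64, the Helm flag becomes --set agentProxy.trustedCertificates="$(cat bundle.b64)" and the Terraform assignment aembit_trusted_ca_certs = trimspace(file("bundle.b64")); trimspace drops the trailing newline that file() would otherwise carry into the value.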
Virtual machine

The Agent Proxy automatically trusts all certificates installed in the system's trusted root certificate store.
Below are the steps to add a private CA to that store.
Debian/Ubuntu-based VM

Place your private CA certificate in /usr/local/share/ca-certificates/, ensuring the file contains PEM-encoded certificate(s) and that the file extension is .crt (update-ca-certificates only includes files with that extension). Then, execute the following commands:

sudo apt-get update && sudo apt-get install -y ca-certificates
sudo update-ca-certificates
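The staging step above is where most mistakes happen (a DER file instead of PEM, or a file name without .crt, both of which update-ca-certificates ignores without an error). The following script, an added example rather than anything shipped with the Agent Proxy, checks the input before copying it and, after update-ca-certificates has run, confirms the CA landed in the system store. The script name stage-ca.sh and the CA file names are assumptions; CA_DIR is overridable only so the copy step can be exercised against a temporary directory.

```shell
#!/bin/sh
# Added example, not from the Aembit docs: stage a private CA certificate for
# update-ca-certificates with the checks that catch the two common mistakes,
# a DER-encoded file (update-ca-certificates needs PEM) and a file name without
# the .crt extension (files with any other extension are silently ignored).
# CA_DIR defaults to the Debian/Ubuntu local trust directory; it is overridable
# only so the staging step can be exercised against a temporary directory.
CA_DIR="${CA_DIR:-/usr/local/share/ca-certificates}"

# 0 if the file contains at least one PEM certificate block, 1 otherwise.
is_pem_cert() {
  grep -q '^-----BEGIN CERTIFICATE-----' "$1" && grep -q '^-----END CERTIFICATE-----' "$1"
}

# Copy SRC into CA_DIR as NAME.crt (NAME defaults to the source file name without
# its extension). Refuses non-PEM input and prints the staged path on success.
stage_ca_cert() {
  src=$1
  name=${2:-$(basename "$src" | sed 's/\.[^.]*$//')}
  if ! is_pem_cert "$src"; then
    echo "$src is not PEM; convert it first: openssl x509 -inform DER -in $src -out $src.pem" >&2
    return 1
  fi
  dest="$CA_DIR/$name.crt"
  mkdir -p "$CA_DIR" && cp "$src" "$dest" || return 1
  echo "$dest"
}

# After `sudo update-ca-certificates`, the staged file is linked as
# /etc/ssl/certs/NAME.pem and appended to /etc/ssl/certs/ca-certificates.crt.
# Returns 1 if the link is missing, i.e. the CA did not make it into the store.
verify_in_system_store() {
  [ -L "/etc/ssl/certs/$1.pem" ] || { echo "$1 is not in the system trust store" >&2; return 1; }
  echo "/etc/ssl/certs/$1.pem"
}

# Usage (root is required for the real trust directory; stage-ca.sh is an assumed name):
#   sudo sh stage-ca.sh /tmp/corp-root.pem corp-root
#   sudo update-ca-certificates
#   sh stage-ca.sh --verify corp-root
case "$1" in
  "") ;;
  --verify) verify_in_system_store "$2" ;;
  *) stage_ca_cert "$1" "$2" ;;
esac
```

If the server only sends its leaf certificate, stage the issuing intermediate CA as a second .crt as well; the Agent Proxy can only build the chain from what is in the store plus what the server presents.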
Disabling TLS verification

In rare circumstances, Server Workloads are secured with certificates that full TLS verification would reject. For example, a Server Workload may present a certificate whose Common Name (CN) or Subject Alternative Name (SAN) does not match the service's Fully Qualified Domain Name (FQDN).
Aembit allows TLS verification to be disabled for specific Server Workloads.
:warning: Please exercise extreme caution with this configuration. Serving a certificate that fails full TLS verification, and disabling verification to accommodate it, are both poor security practices: with verification off, the Agent Proxy no longer checks the certificate the server presents, so the connection is not protected against a server impersonating the workload. Prefer fixing the certificate (or trusting the private CA as described above) and treat this setting as a temporary exception scoped to the affected Server Workload only.
To disable TLS verification, set the Forward TLS Verification option to “None” in the Server Workload settings.