Configure a Custom Certificate of Authority (RPM/DEB)
If your environment includes a custom Certificate of Authority (CA) that contains custom or non-standard certificates/chains (such as self-signed certificates) that are not included in the set of standard certificates typically included in internet browsers, you must enable Pepperdata to find the CA file.
You can either configure the REQUESTS_CA_BUNDLE and SSL_CERT_FILE environment variables or place the CA file in a location that Pepperdata searches for CA files (the default locations for CA files according to each supported OS vendor/version).
The environment variables take precedence: if you assign them, Pepperdata does not search for the certificates anywhere else, and so will not find them even if you’ve installed them according to your OS’s requirements.
Choose the procedure for your preferred approach:
- Assign Environment Variables—makes the CA file available to the Pepperdata services as soon as they start
- Install the Custom CA File per OS Requirements—eliminates a configuration step
Procedure: Assign Environment Variables
Add the environment variables for the locations of the CA bundle and SSL certificate filenames.
On any host in the cluster, open the Pepperdata configuration file, /etc/pepperdata/pepperdata-config.sh, for editing.
Add the environment variables in the following format. Be sure to substitute your CA bundle and SSL certificate filenames for the your-fully-qualified-ca-bundle-file and your-fully-qualified-ssl-cert-file placeholders in the following snippet, respectively.
If you set only one of the environment variables, Pepperdata assigns its value to the other environment variable.
REQUESTS_CA_BUNDLE certificate is used by libraries that use the Python
SSL_CERT_FILE certificate is used only by libraries that directly use OpenSSL instead of using the Python
export REQUESTS_CA_BUNDLE=your-fully-qualified-ca-bundle-file
export SSL_CERT_FILE=your-fully-qualified-ssl-cert-file
Save your changes and close the file.
On every host in the cluster, restart the PepAgent service.
You can use either the service (if provided by your OS) or systemctl command:
sudo service pepagentd restart
sudo systemctl restart pepagentd
Procedure: Install the Custom CA File per OS Requirements
Leave the REQUESTS_CA_BUNDLE and SSL_CERT_FILE environment variables unassigned. If you assign them, Pepperdata expects to find the certificates as assigned, and will not look anywhere else.
Consult your operating system (OS) documentation for the procedure to install your (single) custom CA file in the OS’s vendor-specific default location for CA files.
The procedure and the default location vary according to the particular Linux vendor and/or OS version.
Pepperdata looks in the default locations for all supported OSes, and uses the first CA file that it finds. The locations can be symbolic links whose targets are the actual CA files.
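The selection rules from both procedures (assigned variables take precedence, a single assigned variable supplies the other, otherwise the first default location found is used and may be a symbolic link), written as a pre-flight check. This is an added example, not Pepperdata's code; the CA_DEFAULTS paths and the function names ca_from_env, ca_candidates and check_ca are assumptions made for illustration.

```sh
#!/bin/sh
# Pre-flight check for the CA file selection rules described on this page.
# CA_DEFAULTS is an ASSUMED list of common Linux bundle paths, not
# Pepperdata's own search list; adjust it for your OS.
CA_DEFAULTS="${CA_DEFAULTS:-/etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/ca-bundle.pem}"

# ca_from_env: succeeds if either variable is assigned.
ca_from_env() {
    [ -n "${REQUESTS_CA_BUNDLE:-}" ] || [ -n "${SSL_CERT_FILE:-}" ]
}

# ca_candidates: print the file(s) that would be used, one per line.
ca_candidates() {
    if ca_from_env; then
        # A variable left unset takes the value of the other one.
        printf '%s\n' "${REQUESTS_CA_BUNDLE:-$SSL_CERT_FILE}" \
                      "${SSL_CERT_FILE:-$REQUESTS_CA_BUNDLE}" | sort -u
        return 0
    fi
    # No variables: the first default location that exists wins.
    # -f follows symbolic links, so a link to the real bundle matches.
    for f in $CA_DEFAULTS; do
        if [ -f "$f" ]; then printf '%s\n' "$f"; return 0; fi
    done
    return 1
}

# check_ca: return 0 only if every selected file is a readable PEM file.
# The PEM test is a marker grep, not a full certificate parse.
check_ca() {
    files=$(ca_candidates) || { echo "FAIL: no CA file in default locations" >&2; return 1; }
    rc=0
    for f in $files; do   # paths containing spaces are not handled
        if [ ! -f "$f" ] || [ ! -r "$f" ]; then
            echo "FAIL: $f is missing or unreadable" >&2
            ca_from_env && echo "  variables are set, so default locations are not searched" >&2
            rc=2
        elif ! grep -q -e '-----BEGIN CERTIFICATE-----' "$f"; then
            echo "FAIL: $f contains no PEM certificate" >&2; rc=3
        else
            echo "OK: $f"
        fi
    done
    return "$rc"
}
```

Run check_ca in a shell that carries the same export lines as /etc/pepperdata/pepperdata-config.sh before restarting the PepAgent; a non-zero status means the selected file would not be usable.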