Configure a Custom Certificate Authority (RPM/DEB)

If your environment uses a custom Certificate Authority (CA) file that contains custom or non-standard certificates or chains (such as self-signed certificates) that are not among the standard certificates typically included in internet browsers, you must enable Pepperdata to find the CA file. You can either configure the REQUESTS_CA_BUNDLE and SSL_CERT_FILE environment variables, or place the CA file in a location that Pepperdata searches for CA files, that is, the default location for CA files for each supported OS vendor/version. The environment variables take precedence: if you assign them, Pepperdata does not search for the certificates anywhere else, and so will not find them even if you’ve installed them according to your OS’s requirements.

Choose the procedure for your preferred approach:

Procedure: Assign Environment Variables

  1. Add the environment variables for the locations of the CA bundle and SSL certificate filenames.

    1. On any host in the cluster, open the Pepperdata configuration file, /etc/pepperdata/pepperdata-config.sh, for editing.

    2. Add the environment variables in the following format, substituting the fully qualified filenames of your CA bundle and SSL certificate for the your-fully-qualified-ca-bundle-file and your-fully-qualified-ssl-cert-file placeholders, respectively.

      • If you set only one of the environment variables, Pepperdata assigns its value to the other environment variable.

      • The REQUESTS_CA_BUNDLE certificate is used by libraries that use the Python requests package.

      • The SSL_CERT_FILE certificate is used only by libraries that directly use OpenSSL instead of using the Python requests package.

      export REQUESTS_CA_BUNDLE=your-fully-qualified-ca-bundle-file
      export SSL_CERT_FILE=your-fully-qualified-ssl-cert-file
      
    3. Save your changes and close the file.

  2. On every host in the cluster, restart the PepAgent service (pepagentd daemon).

    1. Restart the PepAgent.

      You can use either the service (if provided by your OS) or systemctl command:

      • sudo service pepagentd restart
      • sudo systemctl restart pepagentd

Procedure: Install the Custom CA File per OS Requirements

Be sure to leave the REQUESTS_CA_BUNDLE and SSL_CERT_FILE environment variables unassigned. If you assign them, Pepperdata expects to find the certificates as assigned, and will not look anywhere else.

  • Consult your operating system (OS) documentation for the procedure to install your (single) custom CA file in the OS’s vendor-specific default location for CA files.

    The procedure and the default location vary according to the particular Linux vendor and/or OS version.

    Pepperdata looks in the default locations for all supported OSes, and uses the first CA file that it finds. The locations can be symbolic links whose targets are the actual CA files.
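
A pre-restart check that applies the selection rules from both procedures above (variables first with no fallback, one variable mirrored to the other, otherwise the first default location found). This is an added example, not Pepperdata code. The function names and the DEFAULT_CA_PATHS list (common distribution bundle paths) are assumptions; the page does not list the locations Pepperdata searches.

```shell
#!/bin/sh
# Added example: checks which CA file the documented rules select.
# ASSUMPTION: common distro bundle paths, NOT Pepperdata's own search list.
DEFAULT_CA_PATHS="${DEFAULT_CA_PATHS:-/etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt /etc/ssl/ca-bundle.pem}"

# Print the number of PEM certificates in $1; non-zero status if unusable.
check_ca_file() {
    case "$1" in
        /*) ;;
        *) echo "not a fully qualified path: $1" >&2; return 2 ;;
    esac
    if [ ! -f "$1" ] || [ ! -r "$1" ]; then
        echo "missing or unreadable: $1" >&2; return 3
    fi
    begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true)
    ends=$(grep -c -e '-----END CERTIFICATE-----' "$1" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "no complete PEM certificate in: $1" >&2; return 4
    fi
    echo "$begins"
}

# Print "source path cert-count" for each file the documented rules select.
ca_preflight() {
    # A variable that is unassigned takes the value of the other one.
    bundle="${REQUESTS_CA_BUNDLE:-${SSL_CERT_FILE:-}}"
    cert="${SSL_CERT_FILE:-${REQUESTS_CA_BUNDLE:-}}"
    if [ -n "$bundle" ]; then
        # Variables take precedence: a bad path is an error, with no fallback.
        n=$(check_ca_file "$bundle") || return $?
        echo "env:REQUESTS_CA_BUNDLE $bundle $n"
        n=$(check_ca_file "$cert") || return $?
        echo "env:SSL_CERT_FILE $cert $n"
        return 0
    fi
    for p in $DEFAULT_CA_PATHS; do
        # -e follows symbolic links, so a link to the real bundle counts.
        if [ -e "$p" ]; then
            n=$(check_ca_file "$p") || return $?
            echo "default $p $n"
            return 0
        fi
    done
    echo "no CA file in variables or default locations" >&2
    return 1
}
```

Call ca_preflight in a shell that has the same REQUESTS_CA_BUNDLE and SSL_CERT_FILE values as /etc/pepperdata/pepperdata-config.sh before restarting pepagentd. A non-zero status means the selected file is missing, not fully qualified, or holds no complete PEM certificate.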