Using an already existing certificate while installing Mender

Hello,
I’m trying to install the open source Mender, and I realized that there is a command that generates keys and certificates. I already have a CA certificate for my domain acquired via Let’s Encrypt, so my question is how/where do I use that certificate, instead of generating a new one? As far as I can see there is no instruction for this in the documentation.
Thank you for your time.

Welcome to Mender!

AFAIK, you have to mention the certificate in the mender.conf file only if the certificate is self-signed.
If your certificate is already a CA certificate, then Mender will handle it automatically (no need to mention the *.cert path in this case). Please see https://docs.mender.io/2.0/artifacts/yocto-project/building-for-production#including-the-client-certificates for more details.

BTW, are you using the production version or demo version?

Thank you for the reply!
I am trying to install the production version. So, as far as I know, my certificate is indeed a CA certificate. In this case, should I skip the “CERT_API_CN=mender.example.com CERT_STORAGE_CN=s3.example.com …/keygen” prompt? Do I have to include my certificate in some sort of folder in order for Mender to handle it?
Thanks again for the quick reply!

Sorry for the confusion, I thought the question was related to the Mender client side :slight_smile:

From the server perspective, I think you have to use the keygen helper script (replacing mender.example.com and s3.example.com with your DNS names).
Please see https://docs.mender.io/2.0/administration/production-installation#certificates-and-keys

@mirzak Could you please add your points?

I actually do not have any additional insight, and server-side things are not really my forte. But I will ask someone who knows :).

But I do not believe that you want to use the keygen script at all if you have your own certificates.

Then I will try it without the keygen script next time, thank you for your time :slight_smile: I will also keep an eye on here for further updates; I will be glad to know more about this.

Actually this page does provide some additional information, maybe that is helpful. It does seem that you need to run keygen to generate all the keys that are used for inter service communication.

https://docs.mender.io/2.0/Administration/Certificates-and-keys

@bilbol

If you want to use Let’s Encrypt certificates then you need to do the following:

  1. use the keygen script first to generate all certs and keys
  2. issue 2 certificates for mender.yourdomain.io and storage.yourdomain.io if you do such separation
  3. replace the certs in keys-generated/certs with the ones you have issued
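
An added example (not from the posts above and not Mender's own tooling): a pre-flight check to run on each issued certificate before step 3, confirming that it matches its private key, covers the intended DNS name, and is not close to expiry. The function name, its arguments and the 14-day default are assumptions; file paths are supplied by the caller.

```shell
#!/bin/sh
# Pre-flight check for a replacement certificate before it is copied over a
# keygen-generated one. Hypothetical helper; all paths come from the caller.
# usage: check_replacement_cert CERT_PEM KEY_PEM DNS_NAME [MIN_DAYS_LEFT]
check_replacement_cert() {
    cert=$1 key=$2 host=$3 min_days=${4:-14}

    # 1. Both files must parse. For a chain file, openssl reads the first cert.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "FAIL: cannot parse certificate $cert" >&2; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "FAIL: cannot parse private key $key" >&2; return 1; }

    # 2. The certificate's public key must be the one derived from the private
    #    key; a mismatched pair will not work for TLS.
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: certificate and private key do not match" >&2; return 1
    fi

    # 3. The certificate must cover the DNS name clients will connect to.
    #    The printed result is checked rather than the exit status.
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" \
            | grep -q 'does match certificate'; then
        echo "FAIL: certificate does not cover $host" >&2; return 1
    fi

    # 4. It must remain valid for at least MIN_DAYS_LEFT more days.
    if ! openssl x509 -in "$cert" -noout \
            -checkend $((min_days * 86400)) >/dev/null; then
        echo "FAIL: certificate expires within $min_days days" >&2; return 1
    fi

    echo "OK: $cert matches $key, covers $host, valid > $min_days days"
}

# Runs only when arguments are given, e.g. (placeholder paths):
#   sh check-cert.sh <issued-cert.pem> <issued-key.pem> mender.yourdomain.io
if [ "$#" -ge 3 ]; then check_replacement_cert "$@"; fi
```

Run it once per certificate/key pair, with the DNS name that pair is meant to serve.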

Okay, will do! Thank you all for your time :slight_smile:

Did it work out for you, @bilbol? If that is the case, maybe we can mark @0lmi's response as “solution”.