NSX Defender - Custom SSL/TLS certificates for the web portal on a Manager/Analyst/Pinbox

Article ID: 320812

Products: VMware

Issue/Introduction

It is possible to replace the SSL/TLS certificate that the web portal uses for HTTPS on a Manager (or Pinbox/Analyst).

Requirements (assuming your manager FQDN is manager.aaa.com)

  • The certificate must be valid for
    • user.manager.aaa.com
    • user.standby.manager.aaa.com
    • update.manager.aaa.com
    • log.manager.aaa.com
  • We recommend using "user.manager.aaa.com" as the commonName of the certificate and listing all four names as Subject Alternative Names. This way user.manager.aaa.com will still work for clients that do not support SAN.
    • Wildcards are supported, but cover only one level of subdomains (i.e. *.manager.aaa.com covers user.manager.aaa.com, update.manager.aaa.com and log.manager.aaa.com, but not user.standby.manager.aaa.com).
  • The certificate needs to be in X.509 format. Intermediate CA certificates need to be appended to the server certificate file.
  • The private key must not have a passphrase.
  • You will need the entire certificate chain.
  • The certificate must be trusted by all appliances (i.e. signed by a CA trusted by Ubuntu 12.04, or manually added to the trusted set of certificates; see the "Adding an SSL certificate to the trusted set" section below).
  • Be sure to also deploy the new certificate to any proxy that may be serving the certificate.
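The requirements above translate directly into a certificate signing request. The script below is an added example, not part of this article: it writes an OpenSSL request config with user.manager.aaa.com as the CN and all four required names as DNS SANs, then generates an unencrypted key and CSR with `openssl req`. The base FQDN manager.aaa.com is the article's placeholder; the 2048-bit RSA key size, output file names and the `csr` subcommand are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the KB article): build an OpenSSL request config that
# names all four manager hostnames the article requires, then generate an
# unencrypted private key and a CSR from it. "manager.aaa.com" is the article's
# placeholder base FQDN; key size and output paths are assumptions.

BASE=${BASE:-manager.aaa.com}

# required_hosts: the four names the portal certificate must cover
required_hosts() {
    printf '%s\n' "user.$BASE" "user.standby.$BASE" "update.$BASE" "log.$BASE"
}

# csr_config: OpenSSL config with user.$BASE as CN and every required host as a
# DNS SAN, so clients without SAN support still match on the CN.
csr_config() {
    cat <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req

[ dn ]
CN = user.$BASE

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
EOF
    i=1
    for h in $(required_hosts); do
        echo "DNS.$i = $h"
        i=$((i + 1))
    done
}

# make_csr OUTDIR: write the config, then create key + CSR. -nodes leaves the
# key unencrypted, as the article requires (nginx on the appliance cannot
# enter a passphrase at startup).
make_csr() {
    outdir=$1
    csr_config > "$outdir/user.$BASE.cnf"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$outdir/user.$BASE.key" \
        -out "$outdir/user.$BASE.csr" \
        -config "$outdir/user.$BASE.cnf"
    # show the SANs that were actually embedded before sending the CSR to the CA
    openssl req -in "$outdir/user.$BASE.csr" -noout -text | grep -A1 'Subject Alternative Name'
}

if [ "${1:-}" = csr ]; then make_csr "${2:-.}"; fi
```

Run it as `sh make-csr.sh csr /path/to/outdir` (or with `BASE=manager.example.com` set in the environment for a different base FQDN). The config-file route is used instead of `openssl req -addext` because the latter needs OpenSSL 1.1.1, which the Ubuntu 12.04 appliances the article mentions do not ship.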

How to deploy a new certificate on the manager/analyst/pinbox:

  1. Store the certificate as /etc/puppet/files/ssl-cert/user.manager.aaa.com.pem
    (if you have an intermediate certificate, combine it with your primary certificate into one single file and store that file here).
    • Be sure to make a backup of the original file in case you need to revert the process.
    • File names in Linux are case-sensitive, and this file name must be all lower case.
  2. Store the private key as /etc/puppet/private/ssl-priv-key/user.manager.aaa.com.key
    • Be sure to make a backup of the original file in case you need to revert the process.
    • File names in Linux are case-sensitive, and this file name must be all lower case.
  3. Run lastline_apply_config. This step will also restart nginx.
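Because step 3 restarts nginx, a certificate or key that violates one of the requirements takes the portal down. The following pre-flight script is an added example, not part of this article or the product: it checks, before lastline_apply_config is run, that the key has no passphrase, that the key matches the leaf certificate, that the appended intermediates chain to a CA the appliance trusts, and that every required hostname is covered by the CN or a SAN, applying the one-label wildcard rule from the requirements. File paths default to the ones the article names; manager.aaa.com is the article's placeholder; the `check` subcommand and the availability of `openssl` on the appliance are assumptions.

```sh
#!/bin/sh
# Added example (not from the KB article): sanity-check the certificate and key
# before running lastline_apply_config. Paths default to the ones the article
# names; "manager.aaa.com" is the article's placeholder base FQDN. Assumes
# openssl is available on the appliance.

BASE=${BASE:-manager.aaa.com}
CERT=${CERT:-/etc/puppet/files/ssl-cert/user.$BASE.pem}
KEY=${KEY:-/etc/puppet/private/ssl-priv-key/user.$BASE.key}

required_hosts() {
    printf '%s\n' "user.$BASE" "user.standby.$BASE" "update.$BASE" "log.$BASE"
}

# san_covers HOST NAME: does a certificate name (CN or DNS SAN) cover HOST?
# A wildcard replaces exactly one leftmost label, which is why the article says
# *.manager.aaa.com does not cover user.standby.manager.aaa.com.
san_covers() {
    host=$1; name=$2
    case $name in
        \*.*)
            suffix=${name#\*.}
            rest=${host%.$suffix}          # unchanged if HOST does not end in .SUFFIX
            [ "$rest" != "$host" ] && [ -n "$rest" ] && [ "${rest#*.}" = "$rest" ]
            ;;
        *)  [ "$host" = "$name" ] ;;
    esac
}

# host_covered HOST NAME...: true if any NAME covers HOST
host_covered() {
    host=$1; shift
    for n in "$@"; do san_covers "$host" "$n" && return 0; done
    return 1
}

# missing_hosts NAME...: print required hosts that none of NAME... covers;
# exit status is 0 only when every required host is covered.
missing_hosts() {
    status=0
    for h in $(required_hosts); do
        host_covered "$h" "$@" || { echo "$h"; status=1; }
    done
    return $status
}

# cert_names FILE: CN and DNS SANs of the first (leaf) certificate in FILE
cert_names() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' |
        tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

check_deployment() {
    # 1. the key must load with an empty passphrase (nginx cannot prompt for one)
    openssl pkey -in "$KEY" -noout -passin pass: 2>/dev/null ||
        { echo "FAIL: $KEY is encrypted or unreadable"; return 1; }
    # 2. the key must belong to the leaf certificate
    [ "$(openssl x509 -in "$CERT" -noout -pubkey)" = "$(openssl pkey -in "$KEY" -pubout)" ] ||
        { echo "FAIL: $KEY does not match $CERT"; return 1; }
    # 3. the appended intermediates must chain to a CA this appliance already trusts
    openssl verify -untrusted "$CERT" "$CERT" >/dev/null ||
        { echo "FAIL: $CERT does not verify against the system CA set"; return 1; }
    # 4. every required hostname must be covered by the CN or a SAN
    missing=$(missing_hosts $(cert_names "$CERT")) ||
        { echo "FAIL: $CERT does not cover:"; echo "$missing"; return 1; }
    echo "OK: $CERT and $KEY are ready for lastline_apply_config"
}

if [ "${1:-}" = check ]; then check_deployment; fi
```

Run `sh check-cert.sh check` on the manager after copying the files into place and before step 3. Check 3 uses the appliance's own trust store, so for a certificate from a private CA it passes only after the steps in the next section have been completed on that appliance.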

Adding an SSL certificate to the trusted set

In order to add certificates to the set of certificates trusted by an appliance, the following steps need to be performed on all appliances:

  1. Store the certificate in the /usr/local/share/ca-certificates/ directory, making sure the extension is .crt.
    • Be sure to include the intermediate and root certificates as well (in separate files or in a single .crt file) to ensure the new certificate is trusted.
  2. Execute update-ca-certificates.

This step must be completed on all appliances (including the manager itself).
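The two steps above, as an added example that is not part of this article: the script splits a PEM bundle (leaf plus intermediate and root certificates) into one .crt file per certificate in /usr/local/share/ca-certificates, runs update-ca-certificates, and then confirms with `openssl verify` that the deployed portal certificate now chains to the trust store. The directory and the update-ca-certificates command come from the article; the manager.aaa.com base name, the file-name prefix and the `install` subcommand are assumptions.

```sh
#!/bin/sh
# Added example (not from the KB article): install a CA chain bundle into the
# appliance trust store as the article describes, one .crt file per certificate,
# then confirm the portal certificate chains to it. Paths follow the article;
# the "manager.aaa.com" base name and the file-name prefix are assumptions.

BASE=${BASE:-manager.aaa.com}
CERT=${CERT:-/etc/puppet/files/ssl-cert/user.$BASE.pem}
CA_DIR=${CA_DIR:-/usr/local/share/ca-certificates}

# split_pem_bundle BUNDLE OUTDIR PREFIX: write every certificate in BUNDLE to
# OUTDIR/PREFIX-N.crt (update-ca-certificates only picks up the .crt extension)
# and print how many such files now exist.
split_pem_bundle() {
    bundle=$1; outdir=$2; prefix=$3
    awk -v dir="$outdir" -v pre="$prefix" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" pre "-" n ".crt" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    ls "$outdir"/"$prefix"-*.crt 2>/dev/null | wc -l | tr -d ' '
}

# install_trusted_chain BUNDLE: the article's two steps, followed by a check.
install_trusted_chain() {
    count=$(split_pem_bundle "$1" "$CA_DIR" "$BASE")
    echo "wrote $count certificate file(s) to $CA_DIR"
    update-ca-certificates
    # passes only once the root is trusted here and the intermediates are in $CERT
    openssl verify -untrusted "$CERT" "$CERT"
}

if [ "${1:-}" = install ]; then install_trusted_chain "${2:?chain bundle path}"; fi
```

Run `sh install-chain.sh install /path/to/chain.pem` as root on every appliance, the manager included, since each one validates the certificate against its own trust store.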