
Language Weaver Edge: How to deploy a custom certificate used in Language Weaver Edge

000019627 |10/2/2023 2:30 PM
Scope/Environment
Language Weaver Edge
Question
How do I deploy CA-signed certificates so that the automatically generated self-signed certificates are not flagged?
Answer

During installation, Language Weaver Edge auto-generates random self-signed TLS certificates for its services.
The TLS certificate and private key are located in the installation folder:

  • Linux: /opt/sdl/ets/auth/tls/
  • Windows: C:\Program Files\SDL\SDL ETS\auth\tls

In those folders, there are two subfolders:

  • user-provided-certs/
    • On the Controller host, this certificate, if available, is used by the web-server (443/8000), the REST API server (8001) and the host-agent (4637).
    • If it is not available, the auto-generated certificate is used for the services above.
  • auto-generated-certs/
    • If no user-provided-certs/ have been supplied by the user (e.g. during install or post-configuration), the auto-generated certificates are used for all the services above.
    • On the Controller, the RabbitMQ server (5673) uses the auto-generated certificate (even if a user-provided certificate is available).



Changing to user provided certs

If the customer requires a custom certificate, it has to be signed by a trusted root certificate authority.

The customer should generate a certificate request and get it signed by a trusted certificate authority (CA) of their choice. This step is done on the customer side. Once the customer has the CA-signed certificate in PEM format, proceed as follows on each Language Weaver Edge host.

  1. Stop the Language Weaver Edge service.
  2. Back up the /opt/sdl/ets/auth/tls/ and /opt/sdl/ets/conf/ folders.
  3. On all the Language Weaver Edge hosts:
    • Copy the TLS certificate (cert.pem) and private key (key.pem) files to the /opt/sdl/ets/auth/tls/user-generated-certs/ folder.
    • Edit the file /opt/sdl/ets/conf/main-config.json and update the JSON entries:
      auth.tls.certificatePath: /opt/sdl/ets/auth/tls/user-generated-certs/cert.pem
      auth.tls.privateKeyPath: /opt/sdl/ets/auth/tls/user-generated-certs/key.pem
  4. On the Language Weaver Edge Controller host, update the RabbitMQ configuration to use the new CA cert.
    • Edit the file /opt/sdl/ets/conf/rabbitmq.conf and change these entries to point to the user-provided certificate files:
      ssl_options.cacertfile = /opt/sdl/ets/auth/tls/user-generated-certs/cert.pem
      ssl_options.certfile = /opt/sdl/ets/auth/tls/user-generated-certs/cert.pem
      ssl_options.keyfile = /opt/sdl/ets/auth/tls/user-generated-certs/key.pem

Note:
  • If the private key is encrypted with a password, you will also need to update the Language Weaver Edge TLS configuration via an API call that provides the password (using the endpoint /api/v2/system/tls).
    • A sample curl command to update your TLS configuration is shown below:
      curl "https://controller-host:8001/api/v2/system/tls" \
          -X PUT \
          -u u_jsmith@example.com_u0VmztKJrwqf: \
          -d enabled="true" \
          --data-urlencode privateKeyPassword="foobar" \
          --data-urlencode privateKeyPath="/opt/sdl/ets/auth/tls/default/key-new.pem"
    • More information on how to use the API to update your Language Weaver Edge settings can be found in the API documentation available with your installation.


Troubleshooting:

You will need OpenSSL (https://www.openssl.org/):
  • Check whether your key is in PEM format (this prints the private key to the terminal; add -noout to suppress that):
      openssl rsa -inform PEM -in key.pem


  • Check whether your certificate is in PEM format:
      openssl x509 -inform PEM -in cert.pem


  • Check whether the private key matches the certificate by running the two commands below. The two MD5 digests must be identical:
      openssl rsa -noout -modulus -in key.pem | openssl md5
      openssl x509 -noout -modulus -in cert.pem | openssl md5


  • View the content of a certificate in PEM format:
      openssl x509 -inform pem -noout -text -in LWEdge.cer
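
The troubleshooting checks above, combined into one pre-deployment script. This is an added example, not RWS code: the function name check_tls_pair, the return codes and the 30-day expiry threshold are assumptions. It compares public keys instead of RSA moduli, so it goes beyond the RSA-only commands above and also covers non-RSA keys; it assumes an unencrypted private key.

```shell
#!/bin/sh
# Added example (not RWS code): verify a cert/key pair before copying it
# into the Language Weaver Edge TLS folder. Assumes an unencrypted key.
# Return codes (assumed convention): 0 ok, 1 bad cert, 2 bad key,
# 3 key/cert mismatch, 4 certificate expires within 30 days.
check_tls_pair() {
    cert=$1
    key=$2

    # Both files must parse as PEM. -noout keeps key material off the screen;
    # "-passin pass:" makes an encrypted key fail instead of prompting.
    openssl x509 -inform PEM -in "$cert" -noout 2>/dev/null \
        || { echo "FAIL: $cert is not a PEM certificate"; return 1; }
    openssl pkey -inform PEM -in "$key" -noout -passin pass: 2>/dev/null \
        || { echo "FAIL: $key is not a readable PEM private key"; return 2; }

    # The public key embedded in the certificate must equal the public key
    # derived from the private key (works for RSA and EC keys alike).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL: private key does not match certificate"; return 3; }

    # -checkend N exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null \
        || { echo "FAIL: certificate expires within 30 days"; return 4; }

    # Warn (do not fail) if the private key is readable by every local user.
    if [ -n "$(find "$key" -perm -004 2>/dev/null)" ]; then
        echo "WARN: $key is world-readable"
    fi

    echo "OK: $key matches $cert"
    openssl x509 -in "$cert" -noout -subject -issuer -enddate
}

# Run directly: sh check_tls_pair.sh cert.pem key.pem
if [ "$#" -eq 2 ]; then
    check_tls_pair "$1" "$2"
fi
```

Run it on each host against the files you are about to copy, before stopping the service.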


Reference
https://docs.rws.com/1023926/396620/language-weaver-edge-documentation/configuring-------------language-weaver-edge
LWE documentation on Firewall rules

 