SSL/TLS is always enabled by default in FireDaemon Fusion via a self-signed digital certificate. FireDaemon Fusion allows you to install your own SSL/TLS server certificate.


Note: Unless SSL/TLS is explicitly disabled in the FireDaemon Fusion settings, a FireDaemon Fusion web page must always be accessed via HTTPS, e.g. https://localhost:20604/
Note: Using a self-signed certificate will cause web browsers to display a security alert when viewing a FireDaemon Fusion page. If you do not want to see this alert, purchase an SSL/TLS certificate from a reputable CA or issue the server certificate from your own internal CA.
Important: If a passphrase is used to encrypt your SSL/TLS private .key file, please ensure that the passphrase is stored securely in a password manager such as Bitwarden. There is no way to recover a lost or forgotten SSL/TLS private key passphrase.


Generate a Self-Signed Certificate with FireDaemon OpenSSL

It's relatively straightforward to generate a self-signed certificate with FireDaemon OpenSSL. First, download and install FireDaemon OpenSSL. Then open an elevated command prompt and type:


:: This command generates your server's private key
openssl genrsa -out server.key 4096

:: This command generates your server's certificate signing request or CSR
:: When prompted, the Common Name is the FQDN of your FireDaemon Fusion server (e.g. fusion.firedaemon.com)
openssl req -new -key server.key -out server.csr -sha256

:: This command signs the certificate and sets the length of validity to 365 days
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

:: You will be left with three files: server.crt (certificate), server.key (private key), and server.csr (certificate signing request).
:: You only need to keep server.crt and server.key


Then point your browser at FireDaemon Fusion (e.g. https://localhost:20604), log in as an administrator and navigate to Global Options -> Connectivity -> SSL/TLS. Drag and drop the server.crt and server.key files, enter the private key passphrase if the key is encrypted, and click Save.


FireDaemon Fusion Global Options SSL/TLS Setup

Generate a Self-Signed CA and CA Signed Certificate with FireDaemon OpenSSL

This procedure is similar to the above and is useful if you want to avoid certificate errors in your browser. Here are the steps:

:: Ensure you store your CA cert and private key securely in a password manager
:: Ensure you record and keep your private key passphrases in a password manager

:: Step 1: Generate the CA encrypted root key (requires passphrase)
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -aes256 -out ca-key.pem

:: Generate the self-signed CA cert
openssl req -new -x509 -days 3650 -key ca-key.pem -out ca-cert.pem

:: Create the server certificate private key for Fusion (requires passphrase)
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -aes256 -out server-key.pem

:: Create the Fusion Certificate Signing Request
openssl req -new -key server-key.pem -out server-csr.pem

:: Sign the Fusion certificate with extensions
openssl x509 -req -in server-csr.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -days 365 -extfile server-ext.cnf

:: Once all generated, log into Fusion then:
:: Drag/drop ca-cert.pem to SSL/TLS CA Bundle
:: Drag/drop server-cert.pem to SSL/TLS Certificate
:: Drag/drop server-key.pem to SSL/TLS Private Key
:: Enter your server private key passphrase into the SSL/TLS Key Passphrase field
:: Click the floppy disk "Save" icon

:: Then open an elevated command prompt and restart Fusion
net stop "firedaemon fusion" && net start "firedaemon fusion"

:: Import ca-cert.pem into your browser
:: For example Firefox: Hamburger menu -> Settings -> Search -> Certificate Manager -> Authorities -> Import
:: Choose "Trust this CA to identify websites"

:: For Edge and Chrome import the ca-cert.pem in the Trusted Root Certification Authorities store via Control Panel -> Manage Certificates

:: Then point your browser at Fusion; there should be no more certificate errors
https://localhost:20604

server-ext.cnf is a separate file that contains the following directives. Adjust the alt names to match your installation; browsers match the host name against subjectAltName, not the Common Name.

basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = fusion.firedaemon.com
DNS.2 = localhost
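Before uploading the files to Fusion it is worth checking that they fit together. The following batch script is an added example for this page, not part of the FireDaemon documentation or product: it verifies that server-cert.pem chains to ca-cert.pem (the file that becomes the CA Bundle), that server-key.pem is the key for server-cert.pem, that the extensions from server-ext.cnf were actually applied, and, once Fusion has been restarted, that the service presents the new chain. It assumes FireDaemon OpenSSL is on the PATH, the file names and port used above, and OpenSSL 1.1.1 or later (for the -ext option). For the plain self-signed procedure, use server.crt in place of both ca-cert.pem and server-cert.pem, and server.key in place of server-key.pem.

```batch
@echo off
:: check-fusion-cert.cmd (added example, not part of the FireDaemon documentation)
:: Assumes FireDaemon OpenSSL is on the PATH and that ca-cert.pem, server-cert.pem
:: and server-key.pem from the steps above are in the current directory.
setlocal

:: 1. The server certificate must chain to the CA you are about to install as the CA Bundle.
openssl verify -CAfile ca-cert.pem server-cert.pem
if errorlevel 1 (
    echo FAIL: server-cert.pem is not signed by ca-cert.pem
    exit /b 1
)

:: 2. The private key must belong to the certificate. Compare the public keys rather
::    than the files. openssl pkey prompts for the passphrase of an encrypted key.
openssl x509 -in server-cert.pem -noout -pubkey > cert-pub.tmp
openssl pkey -in server-key.pem -pubout > key-pub.tmp
fc cert-pub.tmp key-pub.tmp > nul
if errorlevel 1 (
    echo FAIL: server-key.pem does not match server-cert.pem
    del cert-pub.tmp key-pub.tmp
    exit /b 1
)
del cert-pub.tmp key-pub.tmp

:: 3. Confirm the extensions from server-ext.cnf were applied. A certificate with only a
::    Common Name and no subjectAltName still produces a browser error.
openssl x509 -in server-cert.pem -noout -subject -issuer -dates
openssl x509 -in server-cert.pem -noout -ext subjectAltName,extendedKeyUsage,basicConstraints

:: 4. After Fusion has been restarted, confirm it serves the new certificate and that
::    the chain verifies against the CA (expect "Verify return code: 0 (ok)").
echo. | openssl s_client -connect localhost:20604 -servername localhost -CAfile ca-cert.pem 2> nul | findstr /C:"Verify return code" /C:"subject="

echo All checks completed.
endlocal
```

Run the script from the directory holding the generated files; step 4 only succeeds after the files have been uploaded and the Fusion service restarted, and a non-zero "Verify return code" there usually means the CA Bundle field was left empty or holds the wrong CA.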


Obtain or Purchase a Certificate via a Certificate Authority (CA)

Alternatively, you can purchase a signed certificate from one of the many third-party certificate authorities (CAs) on the Internet. You will still need to generate a server private key and certificate signing request per the methods described above. However, instead of self-signing the certificate or signing it with your own self-signed CA, the third-party CA signs it on your behalf. Some well-known examples of commercial CAs include DigiCert and Comodo. You can also obtain certificates for free from Let's Encrypt. Note that FireDaemon does not endorse any particular CA.


After obtaining or purchasing a signed certificate from a CA, follow the steps described above and install the CA Bundle, Certificate, Private Key and optionally type in the Private Key Passphrase.