Hi, so thanks for the explanation. I understand: the Caddy reverse proxy has two tls directives in the config. Both point to the same backend services but with different certs/keys. One with a default_servername takes all SNI (Server Name Identifier), and one with a server name which is extracted from the CN field in the webserver_custom_cert.pem. (If that's the case, I would recommend having a config option to set the server name for the reverse proxy; the hostname is/can be different from the server name.)

- So I have to replace the webserver_custom_cert.pem with my own one.
- Reach the reverse_proxy with the SNI which equals the CN, and then the "custom cert" is used for SSL.

I've created a shell script to replace the cert. See below. But it seems that the reverse proxy needs a "reload" to use the new custom cert. But after clicking "save config" and rebooting, my "custom" cert is gone and replaced by the default one. (?) That's the state. I will test this in a real ctrlX core to verify and exclude all possible effects which result from virtualization, and post the results.

Deploy Script

#!/bin/sh
# Usage: ./deploy.sh <host>   (first argument: IP or hostname of the ctrlX core)
set -eu
HOST=$1

# Get a token
TOKEN=$(curl -sS -X POST \
  -H "Content-Type: application/json" \
  -d '{"name":"boschrexroth","password":"boschrexroth"}' \
  "https://$HOST/identity-manager/api/v1/auth/token" | \
  jq -r .access_token)
#echo "$TOKEN"

# Get the id of the current custom cert
CERT=$(curl -sS -X GET "https://$HOST/certificate-manager/api/v2/applications/webserver/certificates" \
  -H "accept: application/json" \
  -H "Authorization: Bearer $TOKEN" | \
  jq -r '.[] | select(.name | contains("webserver_custom_cert")) | .id')
#echo "$CERT"

# Get the id of the current custom key
KEY=$(curl -sS -X GET "https://$HOST/certificate-manager/api/v2/applications/webserver/keys" \
  -H "accept: application/json" \
  -H "Authorization: Bearer $TOKEN" | \
  jq -r '.[] | select(.name | contains("webserver_custom_key")) | .id')
#echo "$KEY"

# Delete the cert and key because we want to replace them
curl -X DELETE "https://$HOST/certificate-manager/api/v2/applications/webserver/certificates/$CERT" \
  -H "accept: */*" -H "Authorization: Bearer $TOKEN"
curl -X DELETE "https://$HOST/certificate-manager/api/v2/applications/webserver/keys/$KEY" \
  -H "accept: */*" -H "Authorization: Bearer $TOKEN"

# NEW KEY (commented out in this version; the key deleted above is only
# uploaded again if this block is enabled)
# Generate new key and new cert (self-signed)
# openssl req -x509 -newkey rsa:4096 -keyout webserver_custom_key.pem -out webserver_custom_cert.pem -days 365
# Remove the passphrase from the key
# openssl rsa -in webserver_custom_key.pem -out webserver_custom_key.pem
# Upload the new key
# curl -X POST "https://$HOST/certificate-manager/api/v2/applications/webserver/keys" \
#   -H "accept: application/json" \
#   -H "Content-Type: multipart/form-data" \
#   -H "Authorization: Bearer $TOKEN" \
#   -F "category=own" \
#   -F "file=@webserver_custom_key.pem"

# Upload the new cert
curl -X POST "https://$HOST/certificate-manager/api/v2/applications/webserver/certificates" \
  -H "accept: application/json" \
  -H "Content-Type: multipart/form-data" \
  -H "Authorization: Bearer $TOKEN" \
  -F "category=own" \
  -F "file=@webserver_custom_cert.pem"
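As an added example (not part of the original post or the ctrlX product): a small POSIX shell helper to verify the SNI/CN mechanism described above, by checking that the proxy actually presents the uploaded custom cert when contacted with the cert's CN as SNI; run it before and after the "save config" and reboot to see whether the custom cert survives. The host:port argument and the PEM file name are assumptions.

```shell
#!/bin/sh
# Hypothetical verification helper (added example, not the original script).
# Requires openssl; compares the SHA-256 fingerprint of a local PEM cert with
# the fingerprint of the leaf cert a TLS server presents for a given SNI.
set -eu

# Common Name of a PEM certificate file (subject printed one attribute per line).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
    | sed -n 's/^ *CN=//p'
}

# SHA-256 fingerprint of a PEM certificate file.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the leaf certificate served for SNI $2 by host:port $1.
served_fingerprint() {
  openssl s_client -connect "$1" -servername "$2" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Returns 0 when server $1 presents certificate $2 for the SNI taken from its CN.
verify_custom_cert() {
  host=$1; pem=$2
  cn=$(cert_cn "$pem")
  expected=$(cert_fingerprint "$pem")
  actual=$(served_fingerprint "$host" "$cn")
  if [ "$expected" = "$actual" ]; then
    echo "OK: $host serves $pem for SNI $cn"
    return 0
  fi
  echo "MISMATCH for SNI $cn: expected $expected, got ${actual:-<none>}" >&2
  return 1
}

# Example invocation (assumed values): ./verify.sh 192.168.1.1:443 webserver_custom_cert.pem
if [ "$#" -eq 2 ]; then
  verify_custom_cert "$1" "$2"
fi
```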