Managing SSL Certificates
TunnelHound uses SSL for secure communication between clients and the TunnelHound appliance. TunnelHound supports three different kinds of SSL certificates:
- Self-signed – An auto-generated self-signed certificate. Used for bootstrapping
- Let’s Encrypt – An auto-generated certificate signed by an automated certificate authority
- Custom – A completely custom user-defined certificate
Self-signed
By default, TunnelHound uses an auto-generated self-signed certificate. This certificate is perfectly safe and provides strong encryption, but it will cause browsers to display a security warning that your users may find distracting.
If you want to use a self-signed certificate, you don’t need to do anything. TunnelHound will automatically generate one on its initial launch and keep it up-to-date.
Let’s Encrypt
Let’s Encrypt is a free, automated, and open certificate authority provided by the Internet Security Research Group. Let’s Encrypt uses the ACME protocol to automatically provision a certificate for your publicly accessible website. Because Let’s Encrypt uses the a challenge to verify that you own the website your appliance runs on, you will need to set up your appliance to be accessible from the internet via a proper domain name. Learn more about how Let’s Encrypt works here.
Let’s Encrypt certificates are fully trusted by all major browsers, so this is a good choice if you simply want to get a cryptographically secure certificate that your user’s browsers will trust.
If you have everything set up, enabling Let’s Encrypt is easy. Follow the Let’s Encrypt Guide.
Custom
Some advanced users may want to provision their own SSL certificates from their CA of choice. This is especially useful if you want to have Extended Validation (EV) certificates or if your company policy requires you to use a particular CA.
Custom certificates are available with our paid plans.
In these situations, TunnelHound allows you to upload a custom certificate and private key in PEM format.
Follow the Custom SSL guide to set up a custom certificate.