Use externally-signed certificates

Estimated reading time: 1 minute

All UCP services are exposed using HTTPS, to ensure all communications between clients and UCP are encrypted. By default this is done using self-signed TLS certificates that are not trusted by client tools like web browsers. So when you try to access UCP, your browser will warn that it doesn’t trust UCP or that UCP has an invalid certificate.

invalid certificate

The same happens with other client tools.

$ curl https://ucp.example.org

SSL certificate problem: Invalid certificate chain

You can configure UCP to use your own TLS certificates, so that it is automatically trusted by your browser and client tools.

To ensure minimal impact to your business, you should plan for this change to happen outside business peak hours. Your applications will continue running normally, but existing UCP client certificates will become invalid, so users will have to download new ones to access UCP from the CLI.

Customize the UCP TLS certificates

To configure UCP to use your own TLS certificates and keys, go to the UCP web UI, navigate to the Admin Settings page, and click Certificates.

Upload your certificates and keys:

  • A ca.pem file with the root CA public certificate.
  • A cert.pem file with the TLS certificate and any intermediate CA public certificates. This certificate should also have SANs for all addresses used to access UCP, including load balancers.
  • A key.pem file with TLS private key.

Finally, click Update for the changes to take effect.

After replacing the TLS certificates your users won’t be able to authenticate with their old client certificate bundles. Ask your users to go to the UCP web UI and get new client certificate bundles.

If you deployed Docker Trusted Registry, you’ll also need to reconfigure it to trust the new UCP TLS certificates. Learn how to configure DTR.

Where to go next

chat icon Feedback? Suggestions? Can't find something in the docs?
Edit this page Request docs changes Get support
Rate this page: