HTTPS and SSL Certificates

When Xylok starts, it loads the PEM-format certificate and private key files found in /opt/xylok/certs. These files must be named cert.crt and key.key, for the certificate and private key respectively. If desired, you can replace these files with your own certificate and key. After replacing them, restart Xylok to apply the change.

Default Certificates

If there is no existing cert.crt and key.key when it starts, Xylok generates its own local Certificate Authority (CA) certificate and a server certificate via that CA for the XYLOK_HOST domain. If XYLOK_HOST isn't set, it will default to xylok.local. To change domains to something other than xylok.local, set XYLOK_HOST in /etc/xylok.conf, then restart Xylok.

Browser Trust

The use of a separate CA allows for easier trusting of the Xylok certificates. To do so:

  1. Set a domain name entry for the Xylok host that matches the value of XYLOK_HOST.
     a. If you have a local DNS server, use that.
     b. Otherwise, edit the hosts file on the system you access Xylok from. The exact details vary between Windows and Linux.
  2. Download your local installation's CA certificate:
     a. Go to your installation's /docs/ folder. This might be https://xylok.local/docs/
     b. Click the "Xylok Certificate Authority certificate" link on that page.
  3. Add the CA certificate to the root trust store of your browser. Details vary by browser and OS.
  4. Open a new tab in your browser and visit your Xylok domain again. This time it should appear as trusted.

Custom Certificates

You are free to replace the certificates with custom certs if needed. To do so:

  1. Remove all files in /opt/xylok/certs
  2. Place new certificate in PEM format at /opt/xylok/certs/cert.crt
  3. Place new private key in PEM format at /opt/xylok/certs/key.key
  4. Restart Xylok: systemctl restart xylok
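
A pre-flight check to run after step 3 and before the restart in step 4. This is an added example, not part of Xylok: it confirms that only cert.crt and key.key are present, that both are PEM, and that OpenSSL accepts the key as matching the certificate. It assumes Python 3 is available on the host, and treating a passphrase-protected key as a problem is an assumption, since the page does not say whether Xylok supports one.

```python
import ssl
import sys
from pathlib import Path

CERT_DIR = Path("/opt/xylok/certs")  # directory named on this page
EXPECTED = {"cert.crt", "key.key"}   # the only file names Xylok loads


def check_cert_dir(cert_dir=CERT_DIR):
    """Return a list of problems; an empty list means OpenSSL accepts the pair."""
    cert_dir = Path(cert_dir)
    present = {p.name for p in cert_dir.iterdir()} if cert_dir.is_dir() else set()
    problems = [f"missing {n}" for n in sorted(EXPECTED - present)]
    if problems:
        return problems
    # Step 1 of the procedure clears the directory, so anything else is a leftover.
    problems += [f"unexpected file {n}" for n in sorted(present - EXPECTED)]

    cert, key = cert_dir / "cert.crt", cert_dir / "key.key"
    key_text = key.read_text(errors="replace")
    format_ok = True
    if "-----BEGIN CERTIFICATE-----" not in cert.read_text(errors="replace"):
        problems.append("cert.crt is not a PEM certificate (DER or PKCS#12?)")
        format_ok = False
    if "PRIVATE KEY-----" not in key_text:
        problems.append("key.key is not a PEM private key")
        format_ok = False
    elif "ENCRYPTED" in key_text:
        # Assumption: a service started at boot cannot prompt for a passphrase.
        problems.append("key.key is passphrase-protected")
        format_ok = False
    if format_ok:
        # OpenSSL parses both files and rejects a key that does not match the cert.
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
            ctx.load_cert_chain(str(cert), str(key))
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            problems.append(f"OpenSSL rejected the pair: {exc}")
    return problems


if __name__ == "__main__":
    found = check_cert_dir(sys.argv[1] if len(sys.argv) > 1 else CERT_DIR)
    for line in found:
        print("FAIL:", line)
    sys.exit(1 if found else 0)
```

The script exits 0 only when no problem is found. It does not check the certificate's expiry date or whether its names cover XYLOK_HOST.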

Old Installations

Prior to v2022.07.1, Xylok generated self-signed certificates without generating a CA certificate. If desired, you can delete the existing certificate and key files, then restart Xylok to force the new version of certificates to be generated.