Using real (not self-signed) certificates


@phoenixmage whilst this will load your cert and expose it on port 443, you will have difficulty getting your devices to connect since they will not trust the CA which signed that certificate.

I will have to have a think about this mechanism; there is a way to do it, but I need to consult some people internally.


@richbayliss I am sure there would be a way to inject it into the BalenaOS image, I am just not sure which partition it has to happen in. I will experiment and see.


@richbayliss So if you add the base64 encoded CA cert to balenaRootCA in /mnt/bot/config.json and remove the resin-supervisor container and systemctl start resin-supervisor it will use the new root CA


@phoenixmage Hey, just a quick update for you. I have a working solution for this scenario and it is pending a PR which should happen this week. When it does I will update you here.

Basically the current VPN trust configuration is tied to the BALENA_ROOT_CA and so while you can change this value, you would also need to issue a new VPN Sub-CA and server cert. So I am PRing a change to remove the trust chain, meaning you can change the BALENA_ROOT_CA value in your configuration to match your enterprise CA and still keep a working VPN. I have tested it myself and it worked nicely. You will also be able to make your own cert-provider image to load in your server’s cert and then renew it/reload the HAproxy config without changing the HAproxy container.

1 Like

@richbayliss any update on this? I see its merged into master but I can’t find any instructions on how to use is. Using the quickstart script with the -c flag still results in self signed certs being generated.



@richbayliss nevermind found the issue. Changes work perfectly, thanks for your efforts on this one as I think it really simplifies the deployment and usage of openBalena in a secure manner.

For anyone else trying this out add the -c flag to quickstart script when setting up your openBalena server.

If you have any issues tail to cert-provider containers logs. In my case it was indicated DNS resolution failure for the DNS name I provided to quickstart. This was due to delay in propagation of DNS changes I had made right prior to start openBalena. After waiting for DNS name to propagate and restarting openBalena environment it all works now.

The only other questions I had are in terms of certificate renewal for both the openBalena server and devices. Is that automated or is there some sort of process required.



Hey @dash, glad it’s working for you - the renewal should be automatic, but please highlight if it isn’t :+1:

1 Like