Enable HTTPS (TLS/SSL) for the Angelfish Web Server

Creation date: 4/18/2022 10:49 PM    Updated: 10/23/2024 4:52 PM
Angelfish requires a minimum of TLS 1.2 - SSL is vulnerable and is not supported.

However, we use the term "SSL" in Angelfish documentation as a general term for the method of encrypting transmitted data.

Activating HTTPS in Angelfish is a simple process. Here's what needs to happen:
  1. In agf.conf, set the "use_ssl" variable to 1: (default value is 0)
  2. Put the certificate file(s) in /certs/ underneath the Angelfish Installation Directory
  3. Stop & start Angelfish
  4. Connect to the UI - use https:// in the address bar

Certificate Notes

Angelfish uses the PEM format for SSL certificates - PEM is the standard format for OpenSSL and many other SSL tools. If your organization requires trusted certificates from a Certificate Authority (CA), you need to use certificates in .pem format.


If you apply a self-signed certificate to Angelfish, your web browser may show a "not secure" or "not trusted" message.  This message can likely be ignored. Please verify your organization's SSL policy with your IT Security team before self-signing a certificate.

The instructions in this help article use OpenSSL to self-sign certificates.


Enable SSL on Windows


On Windows, Angelfish expects a single file named server-cert.pem that contains BOTH the key and the certificate.  This file needs to be placed in the \certs\ directory (underneath the Angelfish installation directory) 

Also on Windows, Angelfish includes a stand-alone OpenSSL binary as part of its installation. You can use this binary to set up your own self-signed key and certificate, or create a key and a Certificate Signing Request (CSR) in order to obtain a signed certificate from a Certificate Authority (CA).

The below commands assume Angelfish is installed to C:\Angelfish\.  If Angelfish is installed elsewhere, please update the commands with the correct path.

The openssl.exe binary is located under the Angelfish installation directory, in \inc\ssl\bin\.

To self-sign a certificate, please perform the following commands from a command line:

1) Specify the location of the OpenSSL config file:

set OPENSSL_CONF=c:\angelfish\inc\ssl\config\openssl.cnf

2) Create a PEM file that contains a key and certificate:

openssl.exe req -new -x509 -days 1000 -nodes -out C:\Angelfish\certs\server-cert.pem -keyout C:\Angelfish\certs\server-cert.pem

The openssl.exe binary is located under the Angelfish installation directory, in \inc\ssl\bin\ - you can either run the command from the directory, or declare the path to openssl.exe in the command.

Note: the '-days' parameter specifies the number of days until the certificate expires, and can be edited to whatever length you would like.

After entering the above command, you will be prompted to enter CSR details.  The only required value is:

Common Name: The FQDN (fully-qualified domain name) you want to secure with the certificate.  Enter the full hostname (e.g. www.example.com) or an IP address.

You can fill out the rest of the fields if you like (Country, State, Organization Name, etc.) or just press enter for the default value.

You are not required to enter a password or passphrase, if prompted. This optional field is for applying additional security to your key pair.

Once the binary completes, the server-cert.pem file will be created in the location specified by the -keyout flag. Once you edit agf.conf (set use_ssl=1) and stop/start Angelfish via the start menu shortcuts, you will be able to access the Angelfish UI via https on the same TCP port. For example:



Enable SSL on Linux


On Linux, Angelfish looks for 2 files in the \certs\ directory: server-key.pem and server-cert.pem.

The below commands assume Angelfish is installed to /usr/local/agfs/.  If Angelfish is installed elsewhere, please update the commands with the correct path.

Unlike Windows, the Linux version of Angelfish does not include the openssl binary.  If you have OpenSSL installed and want to self-sign a certificate, run the below command. If Angelfish is installed somewhere other than /usr/local/agfs/, update the -out and -keyout flags with the correct location:

openssl req -new -x509 -days 1000 -nodes -out /usr/local/agfs/certs/server-cert.pem -keyout /usr/local/agfs/certs/server-key.pem

Note: the '-days' parameter specifies the number of days until the certificate expires, and can be edited to whatever length you would like.

After entering the above command, you will be prompted to enter CSR details.  The only required value is:

Common Name: The FQDN (fully-qualified domain name) you want to secure with the certificate.  Enter the full hostname (e.g. www.example.com) or an IP address.

You can fill out the rest of the fields if you like (Country, State, Organization Name, etc.) or just press enter for the default value.

You are not required to enter a password or passphrase, if prompted. This optional field is for applying additional security to your key pair.

Once the binary completes, the .pem files will be created in the location specified by the -keyout flag. Once you edit agf.conf (set use_ssl=1) and run agfsctl --restart, you will be able to access the Angelfish UI via https on the same TCP port.  For example: