Enable HTTPS (TLS/SSL) for the Angelfish Web Server

Activating HTTPS in Angelfish is a simple process. Here's what needs to happen:

Angelfish uses the PEM format for SSL certificates - PEM is the standard format for OpenSSL and many other SSL tools. If your organization requires trusted certificates from a Certificate Authority (CA), you need to use certificates in .pem format.

Outbound Link: Stack Overflow: How to get .pem file from .key and .crt files?

If you apply a self-signed certificate to Angelfish, your web browser may show a "not secure" or "not trusted" message.  This message can likely be ignored. Please verify your organization's SSL policy with your IT Security team before self-signing a certificate.

The instructions in this help article use OpenSSL to self-sign certificates.

On Windows, Angelfish expects a single file named server-cert.pem that contains BOTH the key and the certificate.  This file needs to be placed in the \certs\ directory (underneath the Angelfish installation directory) 

Also on Windows, Angelfish includes a stand-alone OpenSSL binary as part of its installation. You can use this binary to set up your own self-signed key and certificate, or create a key and a Certificate Signing Request (CSR) in order to obtain a signed certificate from a Certificate Authority (CA).

The below commands assume Angelfish is installed to C:\Angelfish\.  If Angelfish is installed elsewhere, please update the commands with the correct path.

The openssl.exe binary is located under the Angelfish installation directory, in \inc\ssl\bin\.

To self-sign a certificate, please perform the following commands from a command line:

Note: the '-days' parameter specifies the number of days until the certificate expires, and can be edited to whatever length you would like.

After entering the above command, you will be prompted to enter CSR details.  The only required value is:

You can fill out the rest of the fields if you like (Country, State, Organization Name, etc.) or just press enter for the default value.

You are not required to enter a password or passphrase, if prompted. This optional field is for applying additional security to your key pair.

Once the binary completes, the server-cert.pem file will be created in the location specified by the -keyout flag. Once you edit agf.conf (set use_ssl=1) and stop/start Angelfish via the start menu shortcuts, you will be able to access the Angelfish UI via https on the same TCP port. For example:

Old URL: http://angelfish.corp.local:9000

New URL: https://angelfish.corp.local:9000

On Linux, Angelfish looks for 2 files in the \certs\ directory: server-key.pem and server-cert.pem.

The below commands assume Angelfish is installed to /usr/local/agfs/.  If Angelfish is installed elsewhere, please update the commands with the correct path.

Unlike Windows, the Linux version of Angelfish does not include the openssl binary.  If you have OpenSSL installed and want to self-sign a certificate, run the below command. If Angelfish is installed somewhere other than /usr/local/agfs/, update the -out and -keyout flags with the correct location:

Note: the '-days' parameter specifies the number of days until the certificate expires, and can be edited to whatever length you would like.

Once the binary completes, the .pem files will be created in the location specified by the -keyout flag. Once you edit agf.conf (set use_ssl=1) and run agfsctl --restart, you will be able to access the Angelfish UI via https on the same TCP port.  For example:

Old URL: http://angelfish.corp.local:9000

New URL: https://angelfish.corp.local:9000