
How to use a custom proxy certificate with your deployment (Windows)

Updated this week

These instructions are applicable to an On-Premises/Private Cloud deployment. If you wish to implement a proprietary or self-signed certificate for your Cloud deployment, please contact Teramind Support for assistance.

Introduction

By default, Teramind monitors encrypted HTTPS traffic by injecting a web proxy certificate into visited websites. This certificate is signed by the Quick Web Proxy root certificate, which acts as the Certificate Authority (CA) for all monitored domain certificates. These certificates are typically generated automatically upon the first successful connection to a domain.

However, organizations have the option to utilize a proprietary root CA certificate instead of the default Teramind version to satisfy internal security protocols.

Step 1: Create a Certificate

To generate a new root CA certificate and private key, run the following commands in your terminal (adjust the parameters as needed):

openssl genrsa -out key.pem 2048
openssl req -x509 -new -nodes -key key.pem -sha256 -days 1826 -out mycert.crt -subj "/O=ACME Inc./OU=Security/CN=ACME CA"

Step 2: Update the Database Table

To configure a custom certificate for self-hosted instances, administrators must update specific keys within the Teramind database. Using a database administration tool such as pgAdmin, navigate to the kv_store table located within the tm_onsite > public schema. You must insert or update the following three keys with their corresponding values:

| Field | Value* |
| --- | --- |
| ca_root.pkey_pass | The private key password (leave empty if no password was set). |
| ca_root.pkey_data | The plaintext content from the key.pem file created in Step 1. |
| ca_root.cert_data | The plaintext content from the mycert.crt file created in Step 1. |

*Note: The Teramind server cannot validate these values at the time of entry. It is essential to ensure the data is correct and that the corresponding paths or files are present. If the Agent receives invalid or empty certificate data from the server, it will automatically revert to the default Quick Web Proxy certificate to ensure monitoring continuity.
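
Because the server does not validate these values, checking the Step 1 files locally before pasting them catches an empty file, an unreadable PEM, a wrong key password, or a key that does not belong to the certificate. The following is an added example, not Teramind tooling; it assumes the openssl command-line tool is installed, and the function name check_ca_pair and its exit codes are hypothetical.

```shell
#!/bin/sh
# Added example (not Teramind code): pre-flight check of the Step 1 files
# before their contents are stored in kv_store.
# Usage: sh check_ca_pair.sh key.pem mycert.crt [key-password]

check_ca_pair() {
    key=$1; cert=$2; pass=${3:-}

    # 1. Both files must exist and be non-empty (empty data triggers the fallback).
    [ -s "$key" ] && [ -s "$cert" ] || { echo "FAIL: missing or empty file" >&2; return 1; }

    # 2. Both must parse as PEM; a wrong value for ca_root.pkey_pass fails here.
    key_pub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout 2>/dev/null) \
        || { echo "FAIL: key unreadable (bad PEM or wrong password)" >&2; return 2; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "FAIL: certificate unreadable" >&2; return 2; }

    # 3. The certificate must carry the public half of this private key.
    [ "$key_pub" = "$cert_pub" ] || { echo "FAIL: key and certificate do not match" >&2; return 3; }

    # 4. The certificate must not already be expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "FAIL: certificate expired" >&2; return 4; }

    # 5. Browsers only accept an issuer marked CA:TRUE. Whether "openssl req -x509"
    #    sets it depends on the local openssl.cnf, so this is a warning, not a failure.
    openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' \
        || echo "WARN: basicConstraints CA:TRUE not found" >&2

    echo "OK: $(openssl x509 -in "$cert" -noout -subject -enddate | tr '\n' ' ')"
}

# Run the check only when the script is called with file arguments.
if [ "$#" -ge 2 ]; then check_ca_pair "$@"; fi
```

A non-zero exit code means the pair should not be entered into the database: 1 for a missing or empty file, 2 for unparseable data or a wrong password, 3 for a key/certificate mismatch, 4 for an expired certificate.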

Step 3: Restart or Reboot the Server

Once the database entries are saved, the changes will not take effect until the Teramind services are re-initialized. Run the following command in your terminal to restart the server:

sudo systemctl restart teramind

Alternatively, you can execute a full system reboot to ensure all components recognize the new certificate:

sudo reboot

Step 4: Verify the Certificate Activation

To confirm the new certificate is active, open a web browser on a monitored endpoint and visit an HTTPS website. Inspect the site's certificate details; it should now show as being issued by your proprietary root CA rather than the default "Quick Web Proxy".
