Installing a Custom SSL Certificate

By default, Sandfly generates a new certificate authority and certificate for the HTTPS web service. Optionally, during installation, you may tell the installer to generate a real trusted certificate using Let's Encrypt.

However, if you need a certificate that is trusted in your environment and Let's Encrypt is not an option (for example, the Sandfly web server is not internet-accessible, or you cannot create the public DNS records that Let's Encrypt needs to issue a certificate), you can install your own SSL/TLS certificate in Sandfly after the installation process has been completed.

Required Files

Two files are needed to install a certificate:

Certificate - The cert.pem file must contain the server certificate and (if necessary) the intermediate chain certificate(s).

The server certificate must be the first certificate in the cert.pem file. Each certificate (the server certificate and the intermediate certificates) must be PEM-encoded and include the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" delimiters.

  • Intermediate Certificate Chain - (Optional: if you are installing your own self-signed certificate, there is no intermediate chain.) The intermediate chain is a single file that contains one or more intermediate certificates, one after the other.
  • If you have your server certificate in certificate.pem and your intermediate certificates in cachain.pem, you can create the cert.pem file by concatenating them in the correct order:
        cat certificate.pem cachain.pem > cert.pem
  • The complete cert.pem file should look like this (without leading spaces):
    -----BEGIN CERTIFICATE-----
    ... (server certificate)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ... (intermediate certificate)
    -----END CERTIFICATE-----
    ... (possibly more certificates)

Private key - The privatekey.pem file must be a PEM-encoded, unencrypted private key file. It should look something like (without leading spaces):



To use your own SSL/TLS certificate for the Sandfly UI and API services, place the certificate and private key files in the sandfly-setup/setup/setup_data/server_ssl_cert/ directory, ensuring that they are named cert.pem and privatekey.pem respectively.

If one or both files are present in this directory, the corresponding values in config.server.json will be ignored (server.ssl.server.cert_signed and server.ssl.server.private_key_signed).

If the Sandfly server is already running, stop it with the command docker stop sandfly-server (the postgres container does not need to be restarted for the certificate change to take effect). Start the Sandfly service with the script, and access the Sandfly server from your web browser to confirm the new certificate is in use.
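
A pre-flight check for the two files before they are copied into server_ssl_cert/, as an added example that is not part of Sandfly's own tooling: it checks the PEM layout described above, rejects a passphrase-protected key, and uses openssl to confirm that the private key belongs to the first certificate in cert.pem. The function name and return codes are this example's own choices.

```shell
#!/bin/sh
# Added example, not Sandfly code. Return codes (this example's convention):
#   0 ok | 1 cert.pem problem | 2 privatekey.pem problem | 3 key/cert mismatch | 4 no openssl
check_cert_files() {
    local cert="$1" key="$2" begins ends first cert_pub key_pub
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 1; }
    [ -r "$key" ]  || { echo "cannot read $key" >&2; return 2; }

    # cert.pem must hold certificates only, never key material.
    if grep -q 'PRIVATE KEY-----' "$cert"; then
        echo "$cert contains a private key" >&2; return 1
    fi
    # Delimiters must start in column 0 (no leading spaces) and be balanced.
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----' "$cert" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----' "$cert" || true)
    first=$(grep -v '^[[:space:]]*$' "$cert" | head -n 1)
    if [ "$begins" -lt 1 ] || [ "$begins" -ne "$ends" ]; then
        echo "$cert: $begins BEGIN / $ends END certificate delimiters" >&2; return 1
    fi
    case "$first" in
        "-----BEGIN CERTIFICATE-----"*) ;;
        *) echo "$cert does not start with a certificate" >&2; return 1 ;;
    esac

    # privatekey.pem must be a PEM private key without a passphrase. Encrypted
    # keys show up as a PKCS#8 "ENCRYPTED PRIVATE KEY" block or as a
    # traditional block carrying a "Proc-Type: 4,ENCRYPTED" header.
    grep -q '^-----BEGIN .*PRIVATE KEY-----' "$key" ||
        { echo "$key has no PEM private key block" >&2; return 2; }
    if grep -Eq '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$key"; then
        echo "$key is encrypted; an unencrypted key is required" >&2; return 2
    fi

    # The server certificate must come first: openssl x509 reads only the first
    # certificate in the file, so its public key has to equal the key's.
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 4; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "key does not match the first certificate in $cert" >&2; return 3; }
    echo "ok: $begins certificate(s); key matches the first one"
}

# Stand-alone use: sh check_cert_files.sh cert.pem privatekey.pem
if [ "$#" -eq 2 ]; then check_cert_files "$1" "$2"; fi
```

A result of 3 usually means cachain.pem was concatenated ahead of certificate.pem, or the key belongs to a different certificate request.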