# Installing and Configuring SSL Certificates

## Obtaining SSL Certificates

Sherpa AI Server supports HTTPS connections so that traffic between clients and the server is encrypted. This guide describes the ways to obtain SSL certificates for use in the system.

### Recommendations for Obtaining Certificates

{% hint style="warning" %}
**Important:** Before obtaining certificates, consult your internal network administrator or your company's certification authority. Corporate certificates are usually provided by the IT department and ensure better integration with the existing security infrastructure.
{% endhint %}

If corporate certificates are not available, consider the options in the sections below: trusted Let's Encrypt certificates for external (public) domains, or self-signed certificates for testing only.

### Obtaining Corporate Certificates

If your organization has an internal certification authority (CA), contact your system administrator to obtain certificates. Tell them the domain the certificates are for; you will receive two files: the certificate (`.crt`) and the private key (`.key`). After receiving them, install them as follows:

```bash
# Create directories for certificates
mkdir -p ./oais/backend/config/certs/
mkdir -p ./embed-server/certs/

# For the main server (rename files as received)
cp your_certificate.crt ./oais/backend/config/certs/aiserver.crt
cp your_private.key ./oais/backend/config/certs/aiserver.key

# Certificates are readable by all, private keys only by their owner
chmod 644 ./oais/backend/config/certs/*.crt
chmod 600 ./oais/backend/config/certs/*.key
```

<details>

<summary>💡 Comments on Obtaining Corporate Certificates</summary>

**mkdir -p ./oais/backend/config/certs/** - creates a directory for the main server certificates

* `-p` - creates parent directories as needed and does not fail if the directory already exists

**mkdir -p ./embed-server/certs/** - creates a directory for the embedding service certificates

**cp your\_certificate.crt ./oais/backend/config/certs/aiserver.crt** - copies the certificate

**cp your\_private.key ./oais/backend/config/certs/aiserver.key** - copies the private key

**chmod 644 ./oais/backend/config/certs/\*.crt** - sets read permissions for the certificates

**chmod 600 ./oais/backend/config/certs/\*.key** - restricts the private keys to the owner only

</details>

### Obtaining Trusted Certificates via Let's Encrypt

To obtain free trusted certificates from Let's Encrypt, use Certbot on a machine with internet access.

#### Installing Certbot

```bash
# On Ubuntu/Debian
sudo apt update
sudo apt install certbot

# On CentOS/RHEL
sudo yum install certbot

# On macOS (with Homebrew)
brew install certbot
```

<details>

<summary>💡 Comments on Installing Certbot</summary>

**Ubuntu/Debian:**

* `sudo apt update` - updates the package list
* `sudo apt install certbot` - installs Certbot

**CentOS/RHEL:**

* `sudo yum install certbot` - installs Certbot via yum

**macOS:**

* `brew install certbot` - installs Certbot via Homebrew

</details>

#### Obtaining a Certificate for a Domain

```bash
# Obtain a certificate for your domain (replace yourdomain.com with your domain)
sudo certbot certonly --standalone -d yourdomain.com

# Or for a wildcard certificate (requires DNS challenge);
# quote the wildcard so the shell does not expand it as a file glob
sudo certbot certonly --manual --preferred-challenges=dns -d yourdomain.com -d '*.yourdomain.com'
```

<details>

<summary>💡 Comments on Obtaining a Certificate</summary>

**sudo certbot certonly --standalone -d yourdomain.com** - obtains a certificate for the domain

* `certonly` - obtains only certificates, without configuring the web server
* `--standalone` - starts a temporary web server for the HTTP-01 challenge
* `-d yourdomain.com` - specifies the domain for the certificate

**sudo certbot certonly --manual --preferred-challenges=dns -d yourdomain.com -d '\*.yourdomain.com'** - obtains a wildcard certificate

* `--manual` - manual mode (requires DNS records)
* `--preferred-challenges=dns` - uses DNS-01 challenge
* `-d *.yourdomain.com` - wildcard domain

</details>

#### Location of Obtained Certificates

After successfully obtaining certificates, they will be located in the directory `/etc/letsencrypt/live/yourdomain.com/`:

```bash
# Check the contents of the directory with certificates
sudo ls -la /etc/letsencrypt/live/yourdomain.com/

# The output should contain:
# cert.pem (certificate)
# chain.pem (certificate chain)
# fullchain.pem (full chain)
# privkey.pem (private key)
```

<details>

<summary>💡 Comments on the Location of Certificates</summary>

**sudo ls -la /etc/letsencrypt/live/yourdomain.com/** - shows the contents of the directory with certificates

* `/etc/letsencrypt/live/` - standard Let's Encrypt directory
* `yourdomain.com/` - subdirectory for the domain

**Certificate files:**

* `cert.pem` - domain certificate
* `chain.pem` - chain of intermediate certificates
* `fullchain.pem` - full certificate with chain
* `privkey.pem` - private key

</details>

#### Transferring Certificates to the Target Machine

Copy the certificates to the machine where Sherpa AI Server will be installed:

```bash
# Run on the target machine: create the directories for certificates
mkdir -p ./oais/backend/config/certs/
mkdir -p ./embed-server/certs/

# Run on the machine where Certbot obtained the certificates:
# copy them to the target machine (replace yourdomain.com with your domain)
sudo scp /etc/letsencrypt/live/yourdomain.com/fullchain.pem user@target-server:./oais/backend/config/certs/aiserver.crt
sudo scp /etc/letsencrypt/live/yourdomain.com/privkey.pem user@target-server:./oais/backend/config/certs/aiserver.key

# For the embedding service
sudo scp /etc/letsencrypt/live/yourdomain.com/fullchain.pem user@target-server:./embed-server/certs/embed.crt
sudo scp /etc/letsencrypt/live/yourdomain.com/privkey.pem user@target-server:./embed-server/certs/embed.key
```

<details>

<summary>💡 Comments on Transferring Certificates</summary>

**mkdir -p ./oais/backend/config/certs/** - creates a directory for the main server certificates

**sudo scp /etc/letsencrypt/live/yourdomain.com/fullchain.pem user@target-server:./oais/backend/config/certs/aiserver.crt** - copies the certificate

* `scp` - secure copy
* `fullchain.pem` - full certificate with chain
* Renamed to `aiserver.crt`

**sudo scp /etc/letsencrypt/live/yourdomain.com/privkey.pem user@target-server:./oais/backend/config/certs/aiserver.key** - copies the private key

* `privkey.pem` - private key
* Renamed to `aiserver.key`

**Similarly for the embedding service:**

* Directory: `./embed-server/certs/`
* File names: `embed.crt` and `embed.key`

</details>

### Creating Self-Signed Certificates (for Testing)

{% hint style="warning" %}
**WARNING:** Self-signed certificates are not trusted and will trigger security warnings in browsers. Use this method only for testing or in isolated networks!
{% endhint %}

#### Creating a Self-Signed Certificate with OpenSSL

```bash
# Create a directory for certificates
mkdir -p ./oais/backend/config/certs/

# Generate a private key
openssl genrsa -out ./oais/backend/config/certs/aiserver.key 2048

# Create a self-signed certificate. -addext adds the subjectAltName that browsers
# require in order to match the certificate to the host name (OpenSSL 1.1.1 or newer)
openssl req -new -x509 -key ./oais/backend/config/certs/aiserver.key -out ./oais/backend/config/certs/aiserver.crt -days 365 \
  -subj "/C=RU/ST=State/L=City/O=Organization/CN=aiserver.sherparpa.ru" \
  -addext "subjectAltName=DNS:aiserver.sherparpa.ru"

# For the embedding service
mkdir -p ./embed-server/certs/
openssl genrsa -out ./embed-server/certs/embed.key 2048
openssl req -new -x509 -key ./embed-server/certs/embed.key -out ./embed-server/certs/embed.crt -days 365 \
  -subj "/C=RU/ST=State/L=City/O=Organization/CN=embed.sherparpa.ru" \
  -addext "subjectAltName=DNS:embed.sherparpa.ru"
```

<details>

<summary>💡 Comments on Creating Self-Signed Certificates</summary>

**mkdir -p ./oais/backend/config/certs/** - creates a directory for certificates

**openssl genrsa -out ./oais/backend/config/certs/aiserver.key 2048** - generates a private key

* `genrsa` - generates an RSA key
* `-out file.key` - output file
* `2048` - key length in bits

**openssl req -new -x509 -key keyfile.key -out certfile.crt -days 365 -subj "/C=RU/..." -addext "subjectAltName=DNS:domain.com"** - creates a self-signed certificate

* `req -new -x509` - creates a new certificate request and signs it with the same key (self-signed)
* `-key keyfile.key` - uses the specified private key
* `-out certfile.crt` - output certificate file
* `-days 365` - validity period (1 year)
* `-subj "/C=RU/ST=State/L=City/O=Organization/CN=domain.com"` - subject information
* `-addext "subjectAltName=DNS:domain.com"` - subject alternative name; browsers match the host name against this extension, not the CN

</details>

#### Verifying Created Certificates

```bash
# Check certificate information (subject, validity dates, subjectAltName)
openssl x509 -in ./oais/backend/config/certs/aiserver.crt -text -noout

# Check that the private key is well-formed
openssl rsa -in ./oais/backend/config/certs/aiserver.key -check

# Check that the key and certificate match: both commands must print the same digest
openssl x509 -in ./oais/backend/config/certs/aiserver.crt -noout -pubkey | openssl sha256
openssl pkey -in ./oais/backend/config/certs/aiserver.key -pubout | openssl sha256
```

<details>

<summary>💡 Comments on Verifying Certificates</summary>

**openssl x509 -in ./oais/backend/config/certs/aiserver.crt -text -noout** - shows information about the certificate

* `x509` - command for working with X.509 certificates
* `-in file.crt` - input certificate file
* `-text` - outputs textual information
* `-noout` - does not output the encoded certificate

**openssl rsa -in ./oais/backend/config/certs/aiserver.key -check** - checks the private key

* `rsa` - command for working with RSA keys
* `-in file.key` - input key file
* `-check` - checks the validity of the key

**openssl x509 -in file.crt -noout -pubkey | openssl sha256** and **openssl pkey -in file.key -pubout | openssl sha256** - print the digest of the public key taken from the certificate and from the private key; the two digests are identical only when the key belongs to the certificate

* `-pubkey` / `-pubout` - output the public key in PEM form
* `openssl sha256` - shortens the output to a digest that is easy to compare by eye

</details>

### Setting Correct Permissions

After copying or creating certificates, set the correct permissions:

```bash
# For the main server
chmod 644 ./oais/backend/config/certs/*.crt
chmod 600 ./oais/backend/config/certs/*.key

# For the embedding service
chmod 644 ./embed-server/certs/*.crt
chmod 600 ./embed-server/certs/*.key
```

<details>

<summary>💡 Comments on Setting Permissions</summary>

**chmod 644 ./oais/backend/config/certs/\*.crt** - sets permissions on the certificates

* `644` - rw-r--r-- (read for all, write for owner only)
* `*.crt` - all certificate files

**chmod 600 ./oais/backend/config/certs/\*.key** - sets permissions on the private keys

* `600` - rw------- (read and write for owner only)
* `*.key` - all private key files

**Permission Requirements:**

* `.crt` files: 644 (read for all, write for owner)
* `.key` files: 600 (read and write for owner only)

</details>

### Security Recommendations

1. **Always use trusted certificates** for production environments
2. **Regularly renew certificates** before they expire
3. **Store private keys in a secure location** with restricted access
4. **Monitor certificate expiration dates** and set up alerts
5. **Use strong cipher suites** in server configuration
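
The checks from the sections above (key and certificate match, key permissions, and expiration from the recommendations) combined into one pre-flight script. This is an added example, not part of the Sherpa documentation; it assumes the file layout used in this guide and that `openssl` is on the PATH.

```shell
#!/usr/bin/env bash
# Added example (not Sherpa's own code): pre-flight check for a certificate/key pair.
# Verifies that the private key is owner-only (chmod 600), that the key matches the
# certificate, and that the certificate does not expire within min_days (default 30).
# Usage: source this file, then run check_all_certs from the installation directory.

check_cert_pair() {
  local cert="$1" key="$2" min_days="${3:-30}"
  local perm cert_pub key_pub

  [ -r "$cert" ] || { echo "missing certificate: $cert" >&2; return 1; }
  [ -r "$key" ]  || { echo "missing private key: $key" >&2; return 1; }

  # Private key must be readable by its owner only (works with GNU and BSD stat)
  perm=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
  [ "$perm" = "600" ] || { echo "key permissions are $perm, expected 600: $key" >&2; return 1; }

  # The key belongs to the certificate only if both carry the same public key
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate: $key" >&2; return 1; }

  # -checkend takes seconds: fail if the certificate expires within min_days
  openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null \
    || { echo "certificate expires within $min_days days: $cert" >&2; return 1; }

  echo "OK: $cert / $key"
}

# Check both pairs used in this guide (main server and embedding service)
check_all_certs() {
  check_cert_pair ./oais/backend/config/certs/aiserver.crt ./oais/backend/config/certs/aiserver.key &&
  check_cert_pair ./embed-server/certs/embed.crt ./embed-server/certs/embed.key
}
```

Run `check_all_certs` from a cron job or a monitoring hook to get the expiration alert the recommendations ask for; a non-zero exit status names the failing file.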

After obtaining and configuring certificates using any of the described methods, return to the main guide for installing Sherpa AI Server.

