TLS Certificates

WARNING: You should generate and use a TLS certificate signed by a trusted Certificate Authority

Versions later than 0.6.8.BETA will automatically generate a new UNTRUSTED and self-signed certificate when the server is started if a TLS certificate and TLS key are not provided.

To facilitate ease of use, a TLS X.509 private and public certificate is distributed with Merlin for versions less than 0.6.8.BETA. This allowed a user to start using Merlin right away. However, this key is widely distributed and is considered public knowledge. You should generate your own certificates and replace the default certificates that ship with Merlin. The default location for the certificates is the data/x509 directory. The openssl command can be used from a Linux system to generate a key pair.

The following message is presented to alert the user that the distributed testing public key is in use:

Merlin» [!] Insecure publicly distributed Merlin x.509 testing certificate in use for https server on 127.0.0.1:443