cockpit-tls
Configure TLS settings for Cockpit web interface
TLDR
Serve HTTP requests to a specific port instead of port 9090
Display help
SYNOPSIS
cockpit-tls [options...] [hostname]...
PARAMETERS
-h, --help
Display help and exit
--cert FILE
Write certificate to the specified PEM file
--key FILE
Write private key to the specified PEM file
--no-default-name
Do not automatically add localhost, hostname, and IP as SANs
--no-certutil
Skip automatic installation with cockpit-certutil
--replace
Replace any existing Cockpit TLS certificate
DESCRIPTION
The cockpit-tls command is a utility provided by the Cockpit web-based server administration tool for Linux systems. It simplifies the creation of self-signed TLS certificates tailored for securing Cockpit's web interface over HTTPS.
cockpit-tls automatically generates a certificate with the specified hostname as the Common Name (CN) and includes Subject Alternative Names (SANs) for localhost, the system's hostname, the primary IP address, and any additional provided names. The certificate is valid for 10 years and uses strong elliptic curve cryptography (P-384).
By default, it outputs the certificate and private key to stdout in PEM format. With the --cert and --key options, files can be specified. If cockpit-certutil is available (from cockpit-packagekit or cockpit-certificates), it automatically installs the certificate system-wide for Cockpit services, enabling seamless HTTPS access without manual configuration.
This tool is ideal for quick setup in testing, development, or internal environments where trusted CA certificates are unavailable. It avoids common pitfalls like missing SANs that cause browser warnings. For production, use certificates from a trusted CA.
CAVEATS
Self-signed certificates trigger browser security warnings; not recommended for production. Requires cockpit-certutil for automatic installation. Multiple hostnames must be listed as separate arguments.
EXAMPLE USAGE
cockpit-tls example.com # Generates and installs cert for example.com
cockpit-tls --cert=/etc/cockpit/ws-certs.d/server.crt --key=/etc/cockpit/ws-certs.d/server.key myhost # Custom file paths
CERTIFICATE DETAILS
Uses an ECDSA P-384 key (384-bit) and a SHA-256 signature. SANs include the provided names plus the defaults unless --no-default-name is given.
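To audit a certificate against the properties listed above, this added example (not part of the original page and not Cockpit project code) uses only openssl. The function names make_sample_cert and check_cert are hypothetical, and the sample certificates are constructed with openssl (1.1.1 or newer) rather than with cockpit-tls.

```sh
#!/bin/sh
# Added example: audit a PEM certificate for the properties listed under
# CERTIFICATE DETAILS (P-384 key, SHA-256 signature, expected SAN entries).

# make_sample_cert OUT CURVE [SANS]: constructed test certificate, built with
# openssl for this example only; the throwaway private key is deleted.
make_sample_cert() {
    out=$1 curve=$2 san=${3:-}
    set -- -x509 -newkey ec -pkeyopt "ec_paramgen_curve:$curve" -sha256 \
        -nodes -days 1 -subj "/CN=example.com" -keyout "$out.key" -out "$out"
    if [ -n "$san" ]; then set -- "$@" -addext "subjectAltName=$san"; fi
    openssl req "$@" 2>/dev/null && rm -f "$out.key"
}

# check_cert CERT [NAME...]: prints one line per finding. Returns 0 only when
# the key is on P-384, the signature is ECDSA with SHA-256 and every NAME is
# present as a SAN; 1 on a failed check; 2 if the file cannot be parsed.
check_cert() {
    cert=$1; shift
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || {
        echo "FAIL: cannot parse $cert"; return 2; }
    rc=0
    printf '%s\n' "$text" | grep -Eq 'secp384r1|NIST CURVE: P-384' ||
        { echo "FAIL: key is not on curve P-384"; rc=1; }
    printf '%s\n' "$text" | grep -q 'Signature Algorithm: ecdsa-with-SHA256' ||
        { echo "FAIL: signature is not ecdsa-with-SHA256"; rc=1; }
    # In -text output the SAN values sit on the line after the extension header.
    sans=$(printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' |
        tail -n 1 | tr -d ' ')
    for name in "$@"; do
        case ",$sans," in   # comma-delimited match, so substrings do not pass
            *",DNS:$name,"* | *",IPAddress:$name,"*) ;;
            *) echo "FAIL: SAN missing for $name"; rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo "OK: $cert"
    return "$rc"
}

# Demo on two constructed certificates: one matching the listed properties,
# one on P-256 with no SAN extension.
tmp=$(mktemp -d)
make_sample_cert "$tmp/good.crt" P-384 "DNS:example.com,DNS:localhost,IP:127.0.0.1"
make_sample_cert "$tmp/weak.crt" P-256
check_cert "$tmp/good.crt" example.com localhost 127.0.0.1
check_cert "$tmp/weak.crt" example.com || echo "weak.crt rejected"
rm -rf "$tmp"
```

To audit a real file, call check_cert with the certificate path followed by every name clients will use to reach the host.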
HISTORY
Introduced in Cockpit 232 (2021) to streamline TLS setup. Cockpit project started in 2014 by Red Hat and others; cockpit-tls evolved from manual cert generation scripts to address user feedback on secure deployment.


