Symptom & Impact
Browsers warn about an untrusted certificate when connecting to the Cockpit console on port 9090.
Environment & Reproduction
A default install uses an automatically generated self-signed certificate that clients do not trust.
Root Cause Analysis
Cockpit reads PEM files from /etc/cockpit/ws-certs.d; without a trusted certificate there, browsers reject the chain.
Quick Triage
List files in /etc/cockpit/ws-certs.d and confirm cockpit-tls service status.
Step-by-Step Diagnosis
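Run: ls -l /etc/cockpit/ws-certs.d; openssl x509 -in /etc/cockpit/ws-certs.d/<certificate-file> -noout -issuer -subject -dates (replace <certificate-file> with a file name from the listing).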

Solution – Primary Fix
Place a CA-signed PEM (key+cert) in /etc/cockpit/ws-certs.d/0-custom.cert and restart cockpit.socket.
Solution – Alternative Approaches
Use an internal PKI and deploy certificates via certbot or step-ca with automated renewal.
Verification & Acceptance Criteria
Browser shows a green padlock and openssl s_client -connect host:9090 reports a trusted chain.
Rollback Plan
Move custom certs out of ws-certs.d to revert to the auto-generated self-signed certificate.
Prevention & Hardening
Renew certificates 30 days before expiry and monitor cockpit-tls journal logs for errors.
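A check that combines the diagnosis step and the 30-day renewal rule, as an added example that is not part of the original page or of Cockpit itself. It assumes cockpit-ws serves the alphabetically last *.cert / *.crt file in ws-certs.d and that the auto-generated file is named 0-self-signed.cert, in which case a leftover 0-self-signed.cert sorts after 0-custom.cert and is still the one selected; the function names and the host name are hypothetical.

```shell
#!/bin/sh
# Added example (not Cockpit's own code). Assumption: cockpit-ws serves the
# alphabetically last *.cert / *.crt file found in ws-certs.d.

# Print the path of the certificate file that would be selected; fail if none.
selected_cert() {
    dir=${1:-/etc/cockpit/ws-certs.d}
    name=$(ls -1 "$dir" 2>/dev/null | grep -E '\.(cert|crt)$' | LC_ALL=C sort | tail -n 1)
    [ -n "$name" ] || return 1
    printf '%s/%s\n' "$dir" "$name"
}

# Print one status word for a PEM certificate; $2 is the renewal window in days.
cert_status() {
    cert=$1; days=${2:-30}
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || { echo unreadable; return 0; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || { echo expired; return 0; }
    # Same issuer and subject hash: self-issued, which browsers do not trust by default.
    if [ "$(openssl x509 -in "$cert" -noout -issuer_hash)" = \
         "$(openssl x509 -in "$cert" -noout -subject_hash)" ]; then
        echo self-signed; return 0
    fi
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null \
        || { echo renew-now; return 0; }
    echo ok
}

# Constructed sample: a throwaway directory holding the page's 0-custom.cert next
# to a leftover 0-self-signed.cert (hypothetical host name, generated locally).
demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=cockpit.example.test" \
        -keyout "$d/key.tmp" -out "$d/0-self-signed.cert" 2>/dev/null
    cp "$d/0-self-signed.cert" "$d/0-custom.cert"   # stand-in for the CA-signed file
    sel=$(selected_cert "$d")
    echo "selected: ${sel##*/} ($(cert_status "$sel"))"
    rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run with the argument demo to see the selection pitfall on the constructed directory, or call cert_status "$(selected_cert)" on a real host from a scheduled job and alert on anything other than ok.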
Related Errors & Cross-Refs
Related to expired certificates, hostname mismatches, and intermediate chain issues.
References & Further Reading
cockpit-ws(8) man page and Red Hat Cockpit configuration docs.