CETAN Documentation

This documentation covers the CETAN Web Application Server, logging, TLS, authentication, IP filtering, Safe secrets, Safe utilities, development environment setup, and building C++ REST web services using the CETAN REST API.

SSL/TLS configuration

CETAN can serve HTTPS traffic using TLS certificates configured in cetan_config.xml. The private key may be encrypted or unencrypted; the passphrase for an encrypted key is stored in Safe.

Certificate and private key requirements

  • Certificates must be in PEM format.
  • Both RSA and ECC certificates are supported.
  • The certificate bundle must include:
    • Server certificate
    • Intermediate CA certificates
    • Root CA certificate
  • Private keys may be encrypted (recommended) or unencrypted. Encrypted keys require a passphrase stored in Safe.

For production environments, always obtain certificates from a trusted Certificate Authority. Self‑signed certificates should be used only for testing.

Generating a self‑signed certificate (testing only)

From the CETAN_SERVER directory, run:

bin/cetan gen-cert

Follow the prompts to enter certificate subject information. The command generates two files:

  • cert.pem — server certificate bundle
  • key.pem — private key (encrypted if you chose a passphrase)

Record the private key passphrase — it will be needed when configuring Safe.

Placing certificate and key files

CETAN only searches for certificate and key files inside:

CETAN_SERVER/security

Place your cert.pem (or CA‑issued bundle) and key.pem in this directory.

Enabling HTTPS in cetan_config.xml

Set the protocol to HTTPS:

<protocol>https</protocol>

Specify the certificate bundle:

<ssl_cert_bundle_pem>cert.pem</ssl_cert_bundle_pem>

Only specify the file name — do not include the security/ directory path.

Configuring the private key

CETAN supports both encrypted and unencrypted private keys. Choose the method that matches your key type.

Method 1 — Encrypted private key (recommended)

Specify the encrypted key file:

<ssl_enc_key_pem>key.pem</ssl_enc_key_pem>

Reference the Safe entry containing the passphrase:

<safe_ssl_key_passphase>cetan_ssl_key_passphase</safe_ssl_key_passphase>

Create the Safe entry:

bin/safe add -n security/cetan.safe -e cetan_ssl_key_passphase

Enter:

  • The Safe password (same as server password)
  • The private key passphrase
  • Confirmation of the passphrase

You should see: Entry added

Method 2 — Unencrypted private key

Specify the Safe entry containing the raw private key:

<safe_ssl_cert_key>cetan_ssl_key</safe_ssl_cert_key>

Create the Safe entry:

bin/safe add -n security/cetan.safe -e cetan_ssl_key -infile security/key.pem

Enter the Safe password when prompted. You should see Entry added confirming the key was stored.

To confirm the entry exists, list the Safe entries:

bin/safe list -n security/cetan.safe
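
Choosing between Method 1 and Method 2 above depends on whether key.pem is actually encrypted. The script below is an added example, not part of the CETAN documentation or tooling: it classifies a key by its PEM header lines and counts the certificates in a bundle. The function names and the sample files are constructed for illustration, and it assumes the files follow standard PEM/OpenSSL conventions.

```shell
#!/bin/sh
# Added example, not CETAN code: classify PEM files by armor and header lines only.

# Number of certificates in a PEM bundle (server + intermediates + root).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Classify a PEM private key file as encrypted, unencrypted or unknown.
key_kind() {
    if grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
               -e '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted      # PKCS#8, or legacy format with an encryption header
    elif grep -q -E '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1"; then
        echo unencrypted
    else
        echo unknown
    fi
}

# Map the key type to the page's Method 1 or Method 2 settings.
suggest_method() {
    case "$(key_kind "$1")" in
        encrypted)   echo "method1: ssl_enc_key_pem + safe_ssl_key_passphase" ;;
        unencrypted) echo "method2: safe_ssl_cert_key" ;;
        *)           echo "error: no PEM private key found"; return 1 ;;
    esac
}

# Constructed sample files: placeholder bodies, not real key material.
make_samples() {
    d=$1; body='Q09OU1RSVUNURUQ='
    for i in 1 2 3; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' "$body" '-----END CERTIFICATE-----'
    done > "$d/cert.pem"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$body" \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$d/enc_key.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' '' \
        "$body" '-----END RSA PRIVATE KEY-----' > "$d/legacy_key.pem"
    printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' "$body" \
        '-----END EC PRIVATE KEY-----' > "$d/plain_key.pem"
}

tmp=$(mktemp -d) && make_samples "$tmp"
echo "cert.pem: $(count_certs "$tmp/cert.pem") certificate(s)"
for k in enc_key legacy_key plain_key; do
    echo "$k.pem -> $(suggest_method "$tmp/$k.pem")"
done
rm -rf "$tmp"
```

A legacy OpenSSL key starts with the same -----BEGIN RSA PRIVATE KEY----- line whether or not it is encrypted, which is why the check also looks for the Proc-Type header.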

Restarting the server

After updating cetan_config.xml, restart the CETAN server for TLS changes to take effect.

Verifying HTTPS

Once the server has restarted, access it using an https:// URL. If the certificate and key are configured correctly, CETAN will serve traffic securely over TLS.