4.1.2. Enabling HTTPS

By default, the communication between a product and an OPSWAT Central Management server is not encrypted. If HTTPS is set, the server can enforce secure connections between clients and the server on SSL channels. This section describes how to enable SSL for OPSWAT Central Management.


Please be aware that enabling HTTPS on the OPSWAT Central Management server can cause devices that have installed OPSWAT Client to be unable to connect to this server. These devices require reinstallation of OPSWAT Client.


In order to enable HTTPS on OPSWAT Central Management server, a trusted certificate issued by a certificate authority provider or a self-signed certificate must be provided.

See the section below for information on how to install a self-signed server certificate if a trusted certificate is not provided.

Enabling HTTPS for OPSWAT Central Management

Requirement: You need to have the certificate file and key file of your certificate on your server, for example, C:\OCM_Keys\your.crt and C:\OCM_Keys\your.key.

To enable HTTPS on OPSWAT Central Management server:

  1. Go to the nginx configuration folder under the OPSWAT Central Management installation folder (e.g., C:\Program Files\OPSWAT\Central\nginx\conf for Windows or /opt/ocm/nginx/conf for RHEL/Ubuntu).

  2. In the ssl.conf file, uncomment the code block below by removing the # at the beginning of each line. Additionally, please make the following replacements.

    1. <PATH_TO_CERT_FILE> with a path to your certificate file, for example: "C:\OCM_Keys\your.crt"

    2. <PATH_TO_KEY_FILE> with a path to your key file, for example: "C:\OCM_Keys\your.key"

ssl on;
ssl_certificate <PATH_TO_CERT_FILE>;
ssl_certificate_key <PATH_TO_KEY_FILE>;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
error_page 497 https://$host:$server_port$request_uri;

On Windows systems, using the standard Windows path separator backslash '\' may have unexpected results if the file path contains directories or file names that begin with certain characters, so that the path contains sequences such as '\n' or '\t'. The reason is that Nginx interprets these sequences as special characters.

For example, the following directive:

ssl_certificate "C:\Program Files\OPSWAT\Metadefender Centralmgmt\nginx\your.crt";

will be interpreted by Nginx as:

ssl_certificate "C:\Program Files\OPSWAT\Metadefender Centralmgmt

As a workaround, instead of backslash '\', please use:

  1. Forward slash '/' or

  2. Double backslash '\\'.

Such as:

ssl_certificate "C:\\Program Files\\OPSWAT\\Metadefender Centralmgmt\\nginx\\your.crt";

  3. Restart OPSWAT Central Management by clicking the Restart button on the OPSWAT Central Management tray icon.

  4. After the service is restarted, open the OPSWAT Central Management console UI, for example https://localhost:9000, to check whether the console can be loaded successfully.

  5. Update the Device API setting to use HTTPS. Go to Server Configuration > Device API and modify the Server URL to match your certificate.

For example, if your certificate is registered for ocm.example.com and the interface port that is configured for OPSWAT Central Management is 9000, the correct server URL is https://ocm.example.com:9000

Select SAVE to confirm any changes.


OPSWAT Central Management below version 7.2.0 keeps the HTTPS configuration in nginx.conf. If you are upgrading from one such version to 7.2.0 or above, the setup should automatically generate ssl.conf from your modified nginx.conf file and reset nginx.conf to its default state. If the generation fails and the default ssl.conf is installed instead, please follow the instructions below to retrieve your HTTPS configuration.

  1. Navigate to nginx.conf's backup folder (located in C:\ProgramData\OPSWAT\Central\bak by default).

  2. Locate the HTTPS configuration block as shown above.

  3. Copy the configuration block to the active ssl.conf file (located in C:\Program Files\OPSWAT\Central\nginx\conf by default).

  4. Restart OPSWAT Central Management for the new configuration to take effect.

Adding product instances with HTTPS configuration

Adding a product instance configured for HTTPS connection may require adding its root certificates to OPSWAT Central Management's Java Runtime Environment keystore. Please follow the instructions below to add the certificate.

  1. Locate the root certificate file (.crt) for the product instance.

  2. From an elevated command-line interface, enter the command:

    1. For Windows:

      "<Java path>\bin\keytool" -importcert -keystore "<Java path>\lib\security\cacerts" -storepass <password> -alias "<alias>" -file "<rootCA.crt path>"


      "C:\Program Files\Java\jre1.8.0_261\bin\keytool" -importcert -keystore "C:\Program Files\Java\jre1.8.0_261\lib\security\cacerts" -storepass changeit -alias "ocmCA" -file "C:\Users\admin\Downloads\ocm.crt"
    2. For RHEL/Ubuntu:

      "<Java path>/bin/keytool" -importcert -keystore "<Java path>/lib/security/cacerts" -storepass <password> -alias "<alias>" -file "<rootCA.crt path>"


      "/usr/share/jre1.8.0_261/bin/keytool" -importcert -keystore "/usr/share/jre1.8.0_261/lib/security/cacerts" -storepass changeit -alias "ocmCA" -file "/etc/somewhere/ocm.crt"
      1. <Java path>: The path of the Java installation that OPSWAT Central Management is using. Please note that for certain JDK distributions, the cacerts file is located at <JDK path>/jre/lib/security/cacerts instead.

      2. <password>: The keystore's password.

      3. <alias>: The certificate's alias.

      4. <rootCA.crt path>: The path to the product instance's root certificate file.

  3. Restart OPSWAT Central Management for the changes to take effect.

Enabling TLSv1.3 support when upgrading from OPSWAT Central Management version 7.11.0 or lower

For users upgrading from OPSWAT Central Management version 7.11.0 or lower, TLSv1.3 support must be manually enabled. Please follow the guideline below:

  1. Navigate to ssl.conf (e.g., C:\Program Files\OPSWAT\Central\nginx\conf for Windows or /opt/ocm/nginx/conf for RHEL/Ubuntu).

  2. Modify ssl_protocols to add TLSv1.3 support, such as in the snippet below.

    ssl_protocols TLSv1.2 TLSv1.3;

  3. Restart OPSWAT Central Management for the change to take effect.

Please note that the Java 8 installation used with OPSWAT Central Management must also support TLSv1.3.

The Oracle implementation of Java 8 provides support for TLSv1.3 on update 261 or higher.

The AdoptOpenJDK implementation of Java 8 provides support for TLSv1.3 on update 272 or higher.
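
The two ssl.conf pitfalls described on this page, a Windows certificate path altered by a backslash escape and an upgraded installation whose ssl_protocols lacks TLSv1.3, can be checked before restarting the service. The following is an added example, not OPSWAT's code: the function names and the sample configuration are constructed, and the escape handling beyond '\n' and '\t' is an assumption about how Nginx unescapes a parameter.

```python
import re

# Escapes applied to a directive parameter. \n and \t are the cases the page
# names; \r, \\, \" and \' are assumptions about nginx's parser.
ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "\\": "\\", '"': '"', "'": "'"}
DIRECTIVE = re.compile(r"^\s*(ssl_certificate(?:_key)?|ssl_protocols)\s+(.+?)\s*;\s*$")

def nginx_unescape(raw):
    """Return the parameter value as nginx would see it after unescaping."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw) and raw[i + 1] in ESCAPES:
            out.append(ESCAPES[raw[i + 1]])
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)

def lint_ssl_conf(text):
    """Return (line_number, directive, problem) tuples for active directives."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = DIRECTIVE.match(line)  # commented-out (#) lines never match
        if not match:
            continue
        name, value = match.groups()
        if name == "ssl_protocols":
            if "TLSv1.3" not in value.split():
                findings.append((lineno, name, "TLSv1.3 is not enabled"))
            continue
        if len(value) > 1 and value[0] in "\"'" and value[-1] == value[0]:
            value = value[1:-1]  # drop the surrounding quotes
        seen = nginx_unescape(value)
        if any(ch in seen for ch in "\n\t\r"):
            findings.append((lineno, name, "path is altered by an escape: %r" % seen))
    return findings

# Constructed sample ssl.conf, not taken from a real installation.
SAMPLE = r'''ssl on;
ssl_certificate "C:\Program Files\OPSWAT\Metadefender Centralmgmt\nginx\your.crt";
ssl_certificate_key "C:/OCM_Keys/your.key";
ssl_protocols TLSv1.2;
'''

if __name__ == "__main__":
    for finding in lint_ssl_conf(SAMPLE):
        print("line %d: %s: %s" % finding)
```

On the sample, the check reports the ssl_certificate line (the '\n' in '\nginx' becomes a line break) and the ssl_protocols line; rewriting the path with forward slashes or double backslashes and adding TLSv1.3 clears both findings.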