How to set up SSL in Vault

Vault 6.1, any platform
How do I enable SSL in Vault?

Enabling SSL for Vault servers
SSL can be enabled for the Vault servers by modifying their respective configuration files.
Assuming that you already have the SSL private key (e.g. e2vault-server.key) and the
corresponding SSL certificate (e.g. e2vault-server.crt), enable SSL for the Vault servers as
NOTE: The chevron markers (>>>>) denote the newly added lines for SSL.
1. Vault server: modify the server\e2serverd.ini file.
>>>> ssl=1
>>>> sslcertificate=e2vault-server.crt
>>>> sslprivatekey=e2vault-server.key
>>>> ssl=1
2. Loader server: modify the server\e2loaderd.ini file.
>>>> ssl=1
>>>> sslcertificate=e2vault-server.crt
>>>> sslprivatekey=e2vault-server.key
3. Rendering engine: modify the render\e2renderd.ini file.
>>>> ssl=1
>>>> sslcertificate=e2vault-server.crt
>>>> sslprivatekey=e2vault-server.key
>>>> ssl=1
4. Vault Router server: modify the router\e2routerd.ini file.
# Number of rendering engines to use
# Hostname and port that e2routerd listens on for incoming connections
>>>> ssl=1
>>>> sslcertificate=/opt/e2vault-server.crt
>>>> sslprivatekey=/opt/e2vault-server.key
# First of two rendering engines to use
>>>> ssl=1
# Second of two rendering engines to use
>>>> ssl=1
With the above changes made, once the Vault servers are restarted, SSL will be enabled and
used for all network communications between the servers and for communications to/from the
server by other systems/entities (Perl web client, Java Service web client, etc., along with
the API sets, such as the .NET API and Java API).
Using uclient.exe and loader.exe
When enabling SSL, if you wish to use the ‘uclient.exe’ and the ‘loader.exe’ you need to add 2
lines to the client.ini.
>>>> ssl=1
>>>> ssl=1
Generating an SSL certificate for use with Vault
1. Use the openssl executable/binary located in the server\tools folder of your Vault install
for generating the SSL key and certificate for Vault.
2. Set the OPENSSL_CONF environment variable to the full path/location of the openssl.cnf
configuration file which is also located in the server\tools folder of your Vault install:
UNIX example
export OPENSSL_CONF="/opt/PBBI CCM/Vault/server/tools/openssl.cnf"
Microsoft Windows example
set OPENSSL_CONF=C:\Program Files\PBBI CCM\Vault\server\tools\openssl.cnf
3. Generate a new SSL key-certificate pair to use with Vault as follows:
i. Change directory into the folder containing the openssl executable/binary (see
ii. Generate an RSA Private Key (example below creates a 4096-bit key):
openssl genrsa -out e2vault-server.key 4096
iii. Generate a CSR (Certificate Signing Request)
openssl req -new -key e2vault-server.key -out e2vault-server.csr
iv. Generate a Self-Signed SSL Certificate
openssl x509 -req -days 365 -in e2vault-server.csr -signkey e2vault-server.key -out e2vault-server.crt
You can change the validity of the generated SSL certificate as desired; the above example
makes the certificate valid for 1 year.
Once the steps above have been completed successfully, you will have the following files:
• e2vault-server.crt (Self-signed SSL certificate for the Vault server)
• e2vault-server.csr (Certificate Signing Request that was used to create the self-signed
certificate above)
• e2vault-server.key (RSA Private Key that was used to self-sign the SSL certificate)
4. Copy the e2vault-server.crt and e2vault-server.key files into the directory containing the
e2serverd and e2loaderd executables (e.g. \some\path\server\), as well as the directory
containing the e2renderd executable (e.g. \some\path\render\).
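The key, CSR and self-signed certificate steps above, scripted non-interactively, together with a check to run before copying the files into the server and render directories. This is an added example, not part of the original article or the vendor's tooling; the function names, the use of -subj with a CN value, the restrictive umask and the 30-day expiry threshold are assumptions.

```shell
#!/bin/sh
# Added example (not vendor code). Function names, the CN passed to -subj
# and the default 30-day expiry threshold are assumptions for illustration.

# Steps ii-iv of the procedure, run without interactive prompts.
# usage: make_vault_cert DIR CN [BITS] [DAYS]
make_vault_cert() {
    dir=$1 cn=$2 bits=${3:-4096} days=${4:-365}
    (
        umask 077   # keep the private key unreadable to other users
        cd "$dir" || exit 1
        openssl genrsa -out e2vault-server.key "$bits" 2>/dev/null &&
        openssl req -new -key e2vault-server.key -subj "/CN=$cn" \
            -out e2vault-server.csr &&
        openssl x509 -req -days "$days" -in e2vault-server.csr \
            -signkey e2vault-server.key -out e2vault-server.crt 2>/dev/null
    )
}

# Pre-deployment check: the certificate and key belong together, and the
# certificate remains valid for at least MIN_DAYS more days.
# usage: check_vault_pair KEY CRT [MIN_DAYS]
# returns 0 = ok, 1 = unreadable input, 2 = key/cert mismatch, 3 = expiring
check_vault_pair() {
    key=$1 crt=$2 min_days=${3:-30}
    # An RSA certificate carries the same modulus as the key that it certifies.
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null) || return 1
    crt_mod=$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null) || return 1
    [ "$key_mod" = "$crt_mod" ] || return 2
    openssl x509 -noout -checkend $((min_days * 86400)) -in "$crt" \
        >/dev/null 2>&1 || return 3
    return 0
}
```

Run check_vault_pair against the files named in sslprivatekey and sslcertificate before restarting the servers, so a mismatched or soon-to-expire pair is caught before it goes live.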
UPDATED:  August 23, 2017