Using the PKI to generate certificates is NOT supported for production systems, as documented here:
https://docs.intersystems.com/irislatest/csp/docbook/DocBook.UI.Page.cls...
I can't stress that enough. It is provided for convenience for testing purposes. For production systems or test systems that require proper security, please use certificates/keys specified from the source determined by your security admins, and make sure the procedures they specify for safeguarding the keys are in place and adhered to.
This is sort of the minimum for just enabling SSL/TLS on Apache. Please see the Apache documentation for further configuration options, including but not limited to selecting cipher suites and configuring client verification:
https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html
Also, please recall that the private web server is provided for convenience and that for production purposes you should install a CSP/Web Gateway into a full web server. Per this documentation, quote:
When installing InterSystems IRIS, this private version of Apache is installed to ensure that:
- The Management Portal runs out of the box.
- An out-of-the-box testing capability is provided for development environments.
The PWS is not supported for any other purpose.
For deployments of http-based applications, including REST, CSP, Zen, and SOAP over http or https, you should not use the private web server for any application other than the Management Portal; instead, you must install and deploy one of the supported web servers. For information, see the section “Supported Web Servers” in the online InterSystems Supported Platforms document for this release.
end quote.
https://docs.intersystems.com/irislatest/csp/docbook/DocBook.UI.Page.cls...
New documentation link on creating SSL/TLS configurations, including using %OSCertificateStore:
https://docs.intersystems.com/irislatest/csp/docbook/DocBook.UI.Page.cls...
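As an added illustration of the "further configuration options" mentioned above (this is not the original poster's configuration and not taken from the InterSystems or Apache docs), here is a mod_ssl VirtualHost for Apache 2.4 that goes past the bare minimum: it restricts protocols and cipher suites and, optionally, requires client certificates. All hostnames and file paths are placeholders.

```apache
# Added example, not the original post's config. Paths/hostnames are placeholders.
Listen 443
<VirtualHost *:443>
    # Placeholder hostname; must match the certificate's subject/SAN.
    ServerName iris.example.internal

    SSLEngine on

    # Certificate and key from the source your security admins specify,
    # NOT from the IRIS PKI. Append the issuing CA chain to the .crt file.
    # The key file must be readable only by the user Apache runs as.
    SSLCertificateFile      /etc/ssl/certs/iris.example.internal.crt
    SSLCertificateKeyFile   /etc/ssl/private/iris.example.internal.key

    # Protocol selection. A weak setting would be "SSLProtocol all" on its own,
    # which leaves SSLv3, TLS 1.0 and TLS 1.1 negotiable; drop them explicitly.
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1

    # Cipher suite selection for TLS 1.2: AEAD suites with forward secrecy only,
    # and let the server's preference order win over the client's.
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
    SSLHonorCipherOrder     on

    # TLS-level compression and stateless session tickets are off; both have
    # had security issues and neither is needed here.
    SSLCompression          off
    SSLSessionTickets       off

    # Client verification (mutual TLS). Only enable this if your deployment
    # actually issues client certificates; otherwise every browser is refused.
    # Clients must present a certificate chaining to this CA bundle (placeholder).
    SSLVerifyClient         require
    SSLVerifyDepth          2
    SSLCACertificateFile    /etc/ssl/certs/client-ca.crt

    # Pin browsers to HTTPS for this host (needs mod_headers loaded).
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    </IfModule>

    # Reverse-proxy or CSP/Web Gateway directives for the IRIS application go here.
</VirtualHost>
```

Run `apachectl configtest` after editing and check the negotiated protocol and cipher with `openssl s_client -connect iris.example.internal:443` before exposing the host.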