How do I use my own TLS keys?

For security and privacy, TinyPilot encrypts its communications with your web browser. On its first boot, TinyPilot generates TLS keys that are unique to your device and uses those keys to secure your connection. If you prefer to supply your own TLS keys, you can replace the device-generated keys with your own.

Pre-requisites

• A TLS key and certificate in PEM format

Copy your TLS key and certificate to your TinyPilot

First, transfer your TLS key and certificate to your TinyPilot device. You can do this using the file transfer feature in your SSH client or by running the following commands on a Linux system:

# Replace the filenames with the path of your files on your local machine.
TLS_CERTIFICATE_FILE="your-certificate.crt"
TLS_PRIVATE_KEY_FILE="your-private-key.key"

scp "${TLS_CERTIFICATE_FILE}" pilot@tinypilot:/tmp/tinypilot-nginx.crt
scp "${TLS_PRIVATE_KEY_FILE}" pilot@tinypilot:/tmp/tinypilot-nginx.key

Install your TLS key and certificate

Next, SSH into your TinyPilot and run the following commands:

sudo cp /tmp/tinypilot-nginx.crt /etc/ssl/certs/tinypilot-nginx.crt && \
  sudo cp /tmp/tinypilot-nginx.key /etc/ssl/private/tinypilot-nginx.key && \
  sudo sed --in-place --expression "/tinypilot_manage_tls_keys:/ d" \
    /home/tinypilot/settings.yml && \
  echo "tinypilot_manage_tls_keys: no" | sudo tee --append \
    /home/tinypilot/settings.yml && \
  sudo service nginx restart

Now, verify that you can load https://tinypilot from your machine without seeing security warnings.

Restoring TinyPilot's default TLS keys

If you'd like to revert to using TinyPilot's TLS keys, SSH into your TinyPilot and run the following commands:

sudo sed --in-place --expression "/tinypilot_manage_tls_keys:/ d" \
    /home/tinypilot/settings.yml && \
  sudo /opt/tinypilot-privileged/scripts/cycle-nginx-tls-keys && \
  sudo service nginx restart