Enhancing EMF On-Prem Security & UX with Trusted Certificates (Let’s Encrypt + CertBot Flow) #808
biapalmeiro
started this conversation in Show and tell
Replies: 0 comments
I recently came across a write-up by Russel Callen on the Edge Manageability Framework about an improvement in the on-prem user experience by using trusted certificates instead of default self-signed ones. (Medium) I thought this would be a valuable topic to surface here because this touches on security, usability, and deployment best practices—all very relevant for edge AI infrastructure.
What’s the Problem?
By default, EMF supports self-signed certificates for its API/UI when deployed on-prem.
Self-signed certs require users/devices (browsers, tools) to manually trust the certificate presented by the orchestrator. That can be tedious, brittle, or confusing in enterprise/secure environments.
Some environments (particularly internal LANs) may use private IPs or have strict security policies that make trusting self-signed or ad hoc certs difficult.
What’s the Proposed Solution?
The article describes a process (available in EMF v3.1) to use trusted certificates via Let’s Encrypt (or another CA) in on-prem installations. Key steps:
Use a publicly resolvable domain name and configure DNS accordingly.
Install CertBot and relevant DNS plugin to obtain the CA-issued certificate.
Generate a Kubernetes TLS secret (using the certificate & private key) and apply it to the EMF orchestrator component (e.g. orch-gateway). After this, the UI and API sessions are presented under this trusted certificate, so browsers and tools won’t ask users to accept untrusted/self-signed certs.
Benefits for Edge AI Infrastructure Developers
Smoother onboarding for teams and devices: fewer manual cert trust import steps.
Improved security posture: use of CA-signed certs reduces risk of MitM or misconfigured trust.
Better UX for dashboards / tools / GUI interactions inside corporate networks.
Aligns with enterprise compliance requirements for TLS usage.
Open Questions / Feedback
Has anyone already switched their EMF on-prem setup to use Let’s Encrypt certs? What gotchas did you hit?
For networks without public reachable domains, how might one set up a private CA or use internal PKI?
How often should the automatic renewal be done, and how should zero-downtime reloads of certs be handled in EMF?
Would it be helpful if EMF provided a built-in “trusted-cert wizard” or script that automates this flow (DNS plugin, CertBot + secret generation + orchestrator update)?
Looking forward to hearing what the community thinks on integrating trusted certificate workflows as a standard EMF deployment pattern.
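To make the three steps above concrete, here is an added example script (written for this discussion, not code from the Medium write-up or from the EMF project) that obtains a Let’s Encrypt certificate with a certbot DNS plugin, packages it as a kubernetes.io/tls Secret, and re-applies it from a certbot deploy hook so renewals don’t require a manual repeat of the procedure. Everything EMF-specific in it is an assumption: the Secret name tls-orch, the namespace orch-gateway, the Deployment name orch-gateway, and the choice of the Cloudflare plugin as the "relevant DNS plugin" are placeholders to be replaced with the values your EMF release actually uses.

```shell
#!/bin/sh
# Added example, not part of the post or the EMF project.
# Placeholders (assumptions, adjust to your deployment):
EMF_DOMAIN="${EMF_DOMAIN:-orch.example.com}"          # publicly resolvable FQDN (step 1)
TLS_SECRET_NAME="${TLS_SECRET_NAME:-tls-orch}"         # assumed Secret name
TLS_NAMESPACE="${TLS_NAMESPACE:-orch-gateway}"         # assumed namespace
GATEWAY_DEPLOYMENT="${GATEWAY_DEPLOYMENT:-orch-gateway}" # assumed Deployment name

# Step 2: request a CA-issued cert via the DNS-01 challenge. The Cloudflare
# plugin is one instance of "the relevant DNS plugin"; $2 is its credentials
# file and should be readable only by the user running certbot.
# (Needs network access and certbot; not exercised offline.)
obtain_cert() {
  certbot certonly --non-interactive --agree-tos -m "$1" \
    --dns-cloudflare --dns-cloudflare-credentials "$2" \
    -d "$EMF_DOMAIN"
}

# Sanity check before anything reaches the cluster: both inputs must be PEM,
# and the second one must actually be a private key, not a second cert.
pem_looks_valid() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || return 1
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$2" || return 1
  return 0
}

# Secret data must be single-line base64; strip the wrapping some base64
# implementations add.
b64() { base64 < "$1" | tr -d '\n'; }

# Step 3: build the kubernetes.io/tls Secret manifest from fullchain + key.
# Using fullchain.pem (leaf + intermediates) avoids clients that reject a
# bare leaf certificate because they cannot build the chain themselves.
make_tls_secret_manifest() {
  cert="$1"; key="$2"
  pem_looks_valid "$cert" "$key" || return 1
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: kubernetes.io/tls\ndata:\n  tls.crt: %s\n  tls.key: %s\n' \
    "$TLS_SECRET_NAME" "$TLS_NAMESPACE" "$(b64 "$cert")" "$(b64 "$key")"
}

# Create-or-update the Secret and restart the gateway so it reloads the cert.
# Works for the first install and as a certbot --deploy-hook: certbot exports
# RENEWED_LINEAGE=/etc/letsencrypt/live/<domain> when it runs the hook.
deploy_to_cluster() {
  lineage="${RENEWED_LINEAGE:-/etc/letsencrypt/live/$EMF_DOMAIN}"
  make_tls_secret_manifest "$lineage/fullchain.pem" "$lineage/privkey.pem" \
    | kubectl apply -f - || return 1
  kubectl -n "$TLS_NAMESPACE" rollout restart "deployment/$GATEWAY_DEPLOYMENT"
}

# Usage (first install):
#   obtain_cert admin@example.com /root/.secrets/cloudflare.ini && deploy_to_cluster
# Renewal: run `certbot renew --deploy-hook /path/to/this-script.sh` from a
# timer; the hook re-runs deploy_to_cluster only when a cert was actually renewed.
```

The manifest is generated from files rather than piped straight from certbot output so the PEM check runs first; the most common failure when scripting this step is passing cert.pem instead of fullchain.pem or swapping the cert and key arguments, and the Secret is accepted by the API server either way, so the mistake only surfaces as a TLS error in the browser. For the renewal question raised above, the deploy hook is the usual answer: certbot only invokes it after a successful renewal, so the rollout restart happens on the CA’s schedule rather than on a fixed cron interval.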