ConfigureTool

The ConfigureTool is a command-line utility for managing HTTPS certificates and other configuration settings for Duplicati. It provides a convenient way to generate, renew, and manage SSL certificates for secure web UI access.

The ConfigureTool binary is called Duplicati.CommandLine.ConfigureTool.exe on Windows and duplicati-configure on Linux and macOS.

Overview

Duplicati can automatically generate HTTPS certificates for secure web UI access. Since Duplicati uses localhost serving by default, there is no external Certificate Authority (CA) to request certificates from. Instead, Duplicati generates its own local CA and uses it to sign server certificates. This approach allows automatic certificate renewal without requiring manual intervention every 90 days.

HTTPS Command

The https subcommand manages HTTPS certificates. It supports the following operations:

Generating Certificates

To generate a new CA and server certificate:

duplicati-configure https generate

This command will:

1. Generate a new local Certificate Authority (CA)

2. Create a server certificate signed by the CA

3. Install the CA certificate in the system trust store

4. Store the certificates in the Duplicati database

Options

Examples

Generate certificates without installing to system trust store (useful for Flatpak/Snap browsers):

Generate certificates with specific hostnames:

Renewing Certificates

Server certificates are valid for 90 days and will be renewed automatically. To manually renew the server certificate using the existing CA:

Options

Regenerating the CA

If you suspect your CA has been compromised or want to start fresh, regenerate the CA and server certificate:

This will:

1. Remove the old CA from the trust store

2. Generate a new CA and server certificate

3. Install the new CA in the trust store

4. Store the new certificates in the database

Options

Removing Certificates

To remove the CA from the trust store and delete all certificate data from the database:

This is useful when:

• You no longer need HTTPS

• You suspect the CA has been compromised

• You want to clean up before uninstalling Duplicati

Options

Displaying Certificate Status

To view the current certificate status:

This displays:

• CA certificate details (subject, issuer, validity dates, trust store status)

• Server certificate details (subject, issuer, validity dates, DNS names, IP addresses)

• Database encryption status

• Certificate expiration status

Options

Exporting Certificates

Export CA Certificate

To export the CA certificate (public key only) for manual import into browsers:

This creates duplicati-ca.crt in the current directory. To specify a custom path:

Export Server Certificate

To export the server certificate (public key only):

This creates duplicati-server.crt in the current directory. To specify a custom path:

Browser Trust Configuration

Chrome and Firefox on Linux

Chrome and Firefox on Linux maintain their own certificate stores and may not automatically trust the system CA. This is especially true for sandboxed installations (Snap, Flatpak).

Importing to Firefox

1. Export the CA certificate: duplicati-configure https export-ca

2. Open Firefox and go to Settings → Privacy & Security

3. Scroll to Certificates and click View Certificates

4. Select the Authorities tab

5. Click Import and select the exported duplicati-ca.crt file

6. Check "Trust this CA to identify websites" and click OK

Importing to Chrome

1. Export the CA certificate: duplicati-configure https export-ca

2. Open Chrome and go to Settings → Privacy and security → Security

3. Click Manage certificates

4. Select the Authorities tab

5. Click Import and select the exported duplicati-ca.crt file

6. Check "Trust this certificate for identifying websites" and click OK

Security Model

Local-Only CA

• The CA is generated locally on your machine and is not shared with any external service

• The CA certificate is installed only in your system's local trust store

• Other machines do not trust this CA unless explicitly configured to do so

• The CA should never be exported or shared with other systems

CA Constraints

The CA certificate has pathLenConstraint=0 in its Basic Constraints extension, which means:

• The CA can sign end-entity (server) certificates

• The CA cannot sign subordinate/intermediate CA certificates

• This limits the scope of trust to only certificates directly signed by this CA

Certificate Validity Periods

• CA Certificate: Valid for approximately 10 years

• Server Certificate: Valid for 90 days (browser requirement)

• Auto-renewal: Server certificates are automatically renewed 30 days before expiration

CA Key Storage Security

The CA private key is protected with multiple layers:

1. Encryption: AES-256 encryption is applied to the key

2. Password Separation: The encryption password is stored separately from the encrypted key

3. Database Encryption: If database field encryption is enabled, an additional encryption layer is applied

Database Encryption Recommendation

For maximum security, enable database field encryption, default enabled since Canary 2.2.0.105.

If database encryption is not enabled, a warning notification is emitted on startup, explaining that the CA private key is readable from the database.

Revocation and Compromise Response

If you suspect your CA private key has been compromised:

1. Immediate Action: Remove the certificates using duplicati-configure https remove

2. Regenerate: Create a new CA with duplicati-configure https regenerate-ca

3. Review: Check recent server logs and backup history for unauthorized access

4. Monitor: Set up alerts for unexpected certificate changes

Using Custom Certificates

If you prefer providing your own certificate instead of using the auto-generated CA, you can do so by setting the server-ssl-certificate and server-ssl-certificatepassword settings. When using custom certificates:

• Auto-renewal will not be activated

• No CA will be generated

• You are responsible for certificate renewal

See the Server documentation for details on configuring custom SSL certificates.

Exit Codes

The ConfigureTool returns the following exit codes:

Error messages are printed to the console with details about what went wrong.