Access
sslbrain connects to endpoints using several methods depending on the platform. This page covers configuration of each connection type and credential management.
| Method | Direction | Platform |
|---|---|---|
| SSH | Push | Linux, appliances (FortiGate, ESXi, pfSense) |
| WinRM | Push | Windows (alternative to Service Agent) |
| Windows Service | Pull | Windows (recommended) |
| API | Push | Cloud platforms, NetScaler, vCenter |
SSH
The standard method for Linux servers and appliances that support SSH. sslbrain connects directly and runs the agent on the endpoint.
Login
Create a credential in sslbrain with a username and password or SSH key. The user must have permissions to write certificate files and restart services.
Recommended: create a dedicated service user (e.g. sslbrain-svc) with only the required permissions. Never use a personal admin account.
Create the service user:

```bash
sudo useradd -r -m -s /bin/bash sslbrain-svc
```

Grant access to web server configuration and certificate files:

```bash
# Read Nginx/Apache configuration
sudo usermod -aG www-data sslbrain-svc
# Reload web server (add to sudoers)
echo "sslbrain-svc ALL=(root) NOPASSWD: /usr/sbin/nginx -s reload, /usr/sbin/apachectl graceful" \
  | sudo tee /etc/sudoers.d/sslbrain-svc
```

| Requirement | Description |
|---|---|
| Read configuration | Access to read web server configuration files (/etc/nginx/, /etc/apache2/ or /etc/httpd/) |
| Write certificates | Access to write certificate files and reload the web server |
| Sudo (optional) | sudo privileges are recommended but not required if file permissions allow it |
Key Pairs
sslbrain supports Ed25519 and RSA keys. Ed25519 is recommended for new setups.
Generate a key pair:
```bash
ssh-keygen -t ed25519 -C "sslbrain-svc" -f ~/.ssh/sslbrain_ed25519
```

Upload the private key as a credential in sslbrain. It is encrypted in the vault.
Add the public key to ~/.ssh/authorized_keys on the endpoint:

```bash
cat ~/.ssh/sslbrain_ed25519.pub >> /home/sslbrain-svc/.ssh/authorized_keys
chmod 600 /home/sslbrain-svc/.ssh/authorized_keys
```

Tip: Use SSH keys instead of passwords. Keys are more secure and avoid issues with expired passwords.
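To confirm that the service user from the Login and Key Pairs steps above ends up with key-only login and a sudo allowlist limited to the two reload commands, here is an added audit script; it is not part of sslbrain and assumes POSIX sh with GNU stat on the endpoint. SKIP_VISUDO is a variable introduced here for checking staged copies.

```sh
#!/bin/sh
# Added audit script, not part of sslbrain: checks that the dedicated service
# user set up above can log in only with its key and can sudo only the reload
# commands granted above. Paths are arguments so a staged copy can be checked.
SVC_USER="${SVC_USER:-sslbrain-svc}"

# A rule passes only if it is for the service user, runs as root and lists
# absolute-path commands: no ALL, no globs, no parent-directory tricks.
check_rule() {
    rule="$1"
    case "$rule" in
        "$SVC_USER ALL=(root) NOPASSWD: "*) ;;
        *) echo "unexpected rule: $rule"; return 1 ;;
    esac
    set -f; old_ifs=$IFS; IFS=','; set -- ${rule#*NOPASSWD: }; IFS=$old_ifs; set +f
    for cmd; do
        cmd="${cmd# }"                          # drop the space after each comma
        case "$cmd" in
            ALL|*'*'*|*'?'*|*/../*) echo "overbroad command: $cmd"; return 1 ;;
            /*) ;;
            *) echo "not an absolute path: $cmd"; return 1 ;;
        esac
    done
}
check_sudoers_file() {
    file="$1"; rc=0
    [ -f "$file" ] || { echo "missing $file"; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        check_rule "$line" || rc=1
    done < "$file"
    # Let sudo's own parser confirm the syntax. SKIP_VISUDO=1 is for staged
    # copies that visudo may reject on owner/mode before they are installed.
    if [ "${SKIP_VISUDO:-0}" = 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -cf "$file" >/dev/null 2>&1 || { echo "visudo rejects $file"; rc=1; }
    fi
    return $rc
}
# authorized_keys must be 600 and ~/.ssh not group/world writable, otherwise
# sshd (StrictModes) ignores the key and the push fails.
check_authorized_keys() {
    file="$1"; dir="$(dirname "$file")"
    [ -s "$file" ] || { echo "missing or empty $file"; return 1; }
    mode="$(stat -c '%a' "$file")"; dmode="$(stat -c '%a' "$dir")"
    [ "$mode" = 600 ] || { echo "$file is mode $mode, expected 600"; return 1; }
    case "$dmode" in 7[0-5][0-5]) ;; *) echo "$dir is mode $dmode, expected 700"; return 1 ;; esac
}
# usage: check_service_user /etc/sudoers.d/sslbrain-svc /home/sslbrain-svc/.ssh/authorized_keys
check_service_user() { check_sudoers_file "$1" && check_authorized_keys "$2"; }
```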
WinRM
An alternative to the Windows Service for servers where you prefer push. It can also be used for the initial installation of the Windows Service.
Enable
WinRM must be enabled on the Windows server. Run as administrator:
```powershell
Enable-PSRemoting -Force
Set-Item WSMan:\localhost\Service\Auth\Basic -Value $true
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
```

Configuration
sslbrain connects via HTTPS (port 5986) by default. Verify that the WinRM listener uses a valid certificate:

```powershell
winrm enumerate winrm/config/listener
```

Create a credential in sslbrain with a Windows user that has administrator privileges. Use a domain user or local administrator.
| Port | Description |
|---|---|
| 5985 | WinRM over HTTP (encrypted via NTLM/Kerberos) |
| 5986 (recommended) | WinRM over HTTPS (requires a certificate on the WinRM endpoint) |
Firewall
Allow inbound traffic on port 5986 (HTTPS) from the sslbrain server's IP address. Port 5985 (HTTP) should not be used in production.
```powershell
New-NetFirewallRule -Name "sslbrain-WinRM" `
    -DisplayName "sslbrain WinRM HTTPS" `
    -Direction Inbound -Protocol TCP -LocalPort 5986 `
    -RemoteAddress 10.0.0.50 `
    -Action Allow
```

Replace 10.0.0.50 with the actual IP address of your sslbrain server.
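As an added check run from the sslbrain host (not sslbrain's own code), the following script confirms that the endpoint answers on 5986 with a certificate that is not about to expire and that WinRM over HTTP on 5985 is not also reachable; it assumes openssl, GNU date and nc are installed on the sslbrain host.

```sh
#!/bin/sh
# Added check, not part of sslbrain: verify from the sslbrain host that a
# Windows endpoint exposes WinRM only over HTTPS with a certificate that is
# not close to expiry. Assumes openssl, GNU date and nc.

# Subject, issuer, expiry and SHA-256 fingerprint of the listener certificate.
winrm_cert_info() {                 # usage: winrm_cert_info host [port]
    host="$1"; port="${2:-5986}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -enddate -fingerprint -sha256
}

# Days until the date in a "notAfter=..." line; negative once expired.
days_until() {
    end="$(date -u -d "${1#notAfter=}" +%s)" || return 1
    echo $(( (end - $(date -u +%s)) / 86400 ))
}

# Exit 0 when the TCP port accepts a connection within 3 seconds.
port_open() { nc -z -w 3 "$1" "$2" >/dev/null 2>&1; }

check_winrm_listener() {            # usage: check_winrm_listener host
    host="$1"; rc=0
    info="$(winrm_cert_info "$host")" || { echo "$host: no TLS listener on 5986"; return 1; }
    echo "$info"
    days="$(days_until "$(echo "$info" | grep '^notAfter=')")"
    if [ "$days" -lt 30 ]; then
        echo "$host: listener certificate expires in $days days"; rc=1
    fi
    # 5985 should be closed to the sslbrain host, as the Firewall section says.
    if port_open "$host" 5985; then
        echo "$host: WinRM over HTTP (5985) is reachable; restrict it"; rc=1
    fi
    return $rc
}
```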
Windows Service (pull)
The recommended method for Windows. A lightweight Windows service that pulls signed task packages from sslbrain via outbound HTTPS. No inbound ports, no WinRM and no firewall changes required.
Installation
Download the MSI package from sslbrain under Downloads. Install manually or via GPO, SCCM or Intune.
During installation, provide:
- The sslbrain server address (HTTPS)
- A registration key from sslbrain
The service registers itself with sslbrain after installation. The endpoint appears in sslbrain within a minute.
Registry
The service is configured via the registry under HKLM\SOFTWARE\sslbrain\Service:
| Key | Description |
|---|---|
| ServerUrl | The sslbrain server's HTTPS address |
| PollInterval | Interval between polls in seconds (default: 60) |
| LogLevel | Log level: Info, Warning, Error |
GPO Deployment
The MSI package can be deployed via Group Policy as a Computer-assigned software installation. Set the registration key via GPO Registry Preferences.
Hive: HKEY_LOCAL_MACHINE
Path: SOFTWARE\sslbrain\Service
Name: ServerUrl
Type: REG_SZ
Data: https://sslbrain.example.com:8443

The advantage of GPO deployment is that all Windows servers in an OU automatically get the service installed without manual intervention.
API
For cloud platforms and appliances that expose a REST API. sslbrain calls the API directly from its own host.
Tokens
Most APIs require an access token or API key. Create a credential in sslbrain with the token value. It is encrypted in the vault.
Headers
Some APIs require custom headers for authentication. These are configured per credential in sslbrain:
| Example | Platform |
|---|---|
| Authorization: Bearer <token> | NetScaler, vCenter, Synology |
| X-NITRO-USER / X-NITRO-PASS | Citrix NetScaler |
Credentials
Credentials are stored encrypted in sslbrain's vault and can be reused across endpoints.
Types
| Type | Used for | Fields |
|---|---|---|
| SSH password | Linux servers | Username + password |
| SSH key | Linux servers | Username + private key (+ passphrase if applicable) |
| Domain user | Windows WinRM | Domain\username + password |
| Local user | Windows WinRM | Username + password |
| API token | Cloud platforms, network devices | Token or username + password |
Create a credential
- Go to Settings > Credentials
- Click New credential
- Select the type, enter a descriptive name (e.g. "Linux service account" or "FortiGate admin") and fill in the fields
- Click Save
Tip: You can also create credentials directly when adding an endpoint. Click New credential in the credential dropdown.
Vault encryption
- All credentials are encrypted with AES-256 in sslbrain's vault
- Private SSH keys are never stored in plaintext
- Credentials can only be used by sslbrain. They cannot be retrieved via the UI or API
- Delete a credential under Settings > Credentials if it is no longer in use
Note: Create dedicated service accounts for sslbrain rather than using personal admin accounts. Grant only the permissions that sslbrain needs.