TLS Setup
By default, Supra connections between client devices and the Supra Server are unencrypted. For Android and Emulator clients, you can enable TLS (WSS) for encrypted communication.
When Is TLS Needed?
| Platform | TLS Required? | Notes |
|---|---|---|
| Android 7+ | Recommended | WebSocket connection benefits from TLS encryption. |
Enabling TLS
This is a temporary mechanism. A dedicated UI setting for TLS configuration is planned for a future release.
To enable TLS for a Supra Location:
- Navigate to the Location settings in Box.
- Add the string [SUPRA_SECURE] anywhere in the Location's description field.
- Save the Location.
All Android and Emulator clients in the Location will now connect to the Supra Server using WSS (WebSocket Secure) instead of WS.
Certificate Management
TLS certificates must be uploaded to the Supra Server manually:
- Connect to the Supra Server via SSH.
- Upload the certificate and private key to a path readable by the main user (UID 1000, e.g. ubuntu). The private key file must have permission 600.
- Add the following configuration to ~/.supra/server/config.yaml (where ~ is the home directory of the UID 1000 user, e.g. /home/ubuntu):
tlscert: /home/ubuntu/.supra/server/certs/cert.pem
tlsprivatekey: /home/ubuntu/.supra/server/certs/privateKey.pem
The certificate file should be in PEM format. If a full chain is needed, include all certificates in the same file:
-----BEGIN CERTIFICATE-----
(server certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(intermediate/root certificate)
-----END CERTIFICATE-----
The private key file should also be in PEM format:
-----BEGIN RSA PRIVATE KEY-----
(private key)
-----END RSA PRIVATE KEY-----
There is currently no automated certificate provisioning. Certificates must be managed manually via SSH.
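A pre-flight check for the certificate steps above, as an added example that is not part of Supra or its documentation: it verifies the key's mode and owner, that the key matches the first certificate in the file, and that the certificate is not about to expire. The function names are hypothetical, and GNU stat and the openssl CLI are assumed to be available on the server.

```shell
#!/bin/sh
# Added example: pre-flight checks for the files named by tlscert / tlsprivatekey.
# Function names are hypothetical (not part of Supra). Assumes GNU stat and the
# openssl CLI. Usage after sourcing: preflight <cert.pem> <privateKey.pem> [uid]

# Private key: regular file, mode exactly 600, owned by the expected UID
# (with mode 600 only the owner can read it, so the owner must be UID 1000).
check_key_file() {
    key=$1; want_uid=${2:-1000}
    [ -f "$key" ] || { echo "FAIL: $key is not a regular file"; return 1; }
    mode=$(stat -c '%a' "$key") || return 1
    uid=$(stat -c '%u' "$key") || return 1
    [ "$mode" = "600" ] || { echo "FAIL: $key has mode $mode, expected 600"; return 1; }
    [ "$uid" = "$want_uid" ] || { echo "FAIL: $key owned by UID $uid, expected $want_uid"; return 1; }
}

# Number of certificates in the PEM file (1 = leaf only, more = chain included).
count_pem_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# The first certificate in the file must carry the private key's public half.
check_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || key_pub=
    [ -n "$cert_pub" ] || { echo "FAIL: cannot parse certificate $1"; return 1; }
    [ -n "$key_pub" ] || { echo "FAIL: cannot parse private key $2"; return 1; }
    [ "$cert_pub" = "$key_pub" ] || { echo "FAIL: private key does not match certificate"; return 1; }
}

# Fail when the first certificate expires within the given number of days.
check_not_expiring() {
    days=${2:-30}
    openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null 2>&1 \
        || { echo "FAIL: $1 expires within $days days (or is unreadable)"; return 1; }
}

# Run every check; the return value is non-zero if any of them failed.
preflight() {
    rc=0
    check_key_file "$2" "${3:-1000}" || rc=1
    check_key_matches_cert "$1" "$2" || rc=1
    check_not_expiring "$1" 30 || rc=1
    echo "certificates in $1: $(count_pem_certs "$1")"
    return $rc
}
```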
Limitations
- The [SUPRA_SECURE] flag in the Location description is a temporary workaround and will be replaced by a proper UI toggle in a future release.
- Tizen devices do not use TLS and are unaffected by the [SUPRA_SECURE] flag.
- Certificates must be uploaded to the Supra Server manually — there is no automated provisioning.
- Certificate renewal currently requires manual intervention or custom scripts.
Related Topics
- Supra Server — Setting up and managing the Supra Server
- Client Devices — Setting up and managing client devices
- Known Limitations — Current limitations including certificate management