docs/doc/source/security/kubernetes/install-update-the-starlingx-rest-and-web-server-certificate.rst


.. law1570030645265
.. _install-update-the-starlingx-rest-and-web-server-certificate:

============================================================
Install/Update the StarlingX Rest and Web Server Certificate
============================================================

Use the following procedure to install or update the certificate for the |prod|
REST API application endpoints (Keystone, Barbican and |prod|) and the
|prod| web administration server.

.. rubric:: |prereq|

Obtain an intermediate or Root |CA|-signed server certificate and key from a
trusted Intermediate or Root |CA|. Refer to the documentation for the external
Intermediate or Root |CA| that you are using, on how to create public
certificate and private key pairs, signed by intermediate or a Root |CA|, for
HTTPS.

For lab purposes, see :ref:`Create Certificates Locally using openssl
<create-certificates-locally-using-openssl>` for how to create a test
Intermediate or Root |CA| certificate and key, and use it to sign test
server certificates.

Put the |PEM| encoded versions of the server certificate and key in a single
file, and copy the file to the controller host.

.. note::

    If you plan to use the container-based remote CLIs, due to a limitation in
    the Python2 SSL certificate validation, the certificate used for the |prod|
    REST API application endpoints and |prod| Web Administration Server ('ssl')
    certificate must either have:

    #.  CN=IPADDRESS and SANs=IPADDRESS

        or

    #.  CN=FQDN and SANs=FQDN

        where IPADDRESS and FQDN are for the OAM Floating IP Address.


.. rubric:: |proc|

-   Install/update the copied certificate.

    For example:

    .. code-block:: none

        ~(keystone_admin)]$ system certificate-install -m ssl <pathTocertificateAndKey>

    where:

    **<pathTocertificateAndKey>**

    is the path to the file containing both the intermediate or Root
    |CA|-signed server certificate and private key to install.

.. warning::

    The REST and Web Server certificate are not automatically renewed, user
    MUST renew the certificate prior to expiry, otherwise a variety of system
    operations will fail.

.. note::
    
    Ensure the certificates have RSA key length >= 2048 bits. The
    |prod-long| Release |this-ver| provides a new version of ``openssl`` which
    requires a minimum of 2048-bit keys for RSA for better security / encryption
    strength.
    
    You can check the key length by running ``openssl x509 -in <the certificate file> -noout -text``
    and looking for the "Public-Key" in the output. For more information see
    :ref:`Create Certificates Locally using openssl <create-certificates-locally-using-openssl>`.
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
			`.. law1570030645265`
			`.. _install-update-the-starlingx-rest-and-web-server-certificate:`

Editorial updates on Security Guide upstream Acted on Greg's comments Patch 1: Deleted duplicated docs and corrected references to fix build failure Patch 2: Acted on Greg's and Ron's comments. Patch 3: Acted on Greg's comment. Patch 4: Acted on Mary's comments. Patch 5: Solved merge conflict. Patch 6: Worked on Mary's comments. Patch 7: Fixed build conflict. Patch 8: Worked on Mary's comments. https://review.opendev.org/c/starlingx/docs/+/792461 Signed-off-by: egoncalv <elisamaraaoki.goncalves@windriver.com> Change-Id: I647711ac35f45bc9c79cc490269831770e98e2f4 2021-05-20 14:11:59 -03:00			`============================================================`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00			`Install/Update the StarlingX Rest and Web Server Certificate`
Editorial updates on Security Guide upstream Acted on Greg's comments Patch 1: Deleted duplicated docs and corrected references to fix build failure Patch 2: Acted on Greg's and Ron's comments. Patch 3: Acted on Greg's comment. Patch 4: Acted on Mary's comments. Patch 5: Solved merge conflict. Patch 6: Worked on Mary's comments. Patch 7: Fixed build conflict. Patch 8: Worked on Mary's comments. https://review.opendev.org/c/starlingx/docs/+/792461 Signed-off-by: egoncalv <elisamaraaoki.goncalves@windriver.com> Change-Id: I647711ac35f45bc9c79cc490269831770e98e2f4 2021-05-20 14:11:59 -03:00			`============================================================`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
Updates on Certificate Management (pick) Removed rst substitution from tables and inline markups. Updated table and reestructured sections in the overview. Fixed issues, reworded paragraphs, changed titles. Deleted unnecessary sections, added a new item to section and fixed editorial issues. Fixed editorial and formatting issues. Fixed more editorial and formatting issues. Fixed formatting and editorial issues. Added command line. Fixed command line. Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com> Change-Id: I69874db16c76d5aceac706f2b8033771780500ca 2021-10-21 16:20:15 -03:00			`Use the following procedure to install or update the certificate for the \|prod\|`
Remove spurious escapes (r8,dsR8) This change addresses a long-standing issue in rST documentation imported from XML. That import process added backslash escapes in front of various characters. The three most common being '(', ')', and '_'. These instances are removed. Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: Id43a9337ffcd505ccbdf072d7b29afdb5d2c997e 2023-02-28 14:02:05 +00:00			`REST API application endpoints (Keystone, Barbican and \|prod\|) and the`
Updates on Certificate Management (pick) Removed rst substitution from tables and inline markups. Updated table and reestructured sections in the overview. Fixed issues, reworded paragraphs, changed titles. Deleted unnecessary sections, added a new item to section and fixed editorial issues. Fixed editorial and formatting issues. Fixed more editorial and formatting issues. Fixed formatting and editorial issues. Added command line. Fixed command line. Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com> Change-Id: I69874db16c76d5aceac706f2b8033771780500ca 2021-10-21 16:20:15 -03:00			`\|prod\| web administration server.`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
			`.. rubric:: \|prereq\|`

Updates on Certificate Management (pick) Removed rst substitution from tables and inline markups. Updated table and reestructured sections in the overview. Fixed issues, reworded paragraphs, changed titles. Deleted unnecessary sections, added a new item to section and fixed editorial issues. Fixed editorial and formatting issues. Fixed more editorial and formatting issues. Fixed formatting and editorial issues. Added command line. Fixed command line. Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com> Change-Id: I69874db16c76d5aceac706f2b8033771780500ca 2021-10-21 16:20:15 -03:00			`Obtain an intermediate or Root \|CA\|-signed server certificate and key from a`
			`trusted Intermediate or Root \|CA\|. Refer to the documentation for the external`
Update Security Fixed merge conflict (RS) Signed-off-by: Rafael Jardim <rafaeljordao.jardim@windriver.com> Change-Id: I30b882a14196525f440db1108a56bbf862dfaf55 Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-03-15 16:56:04 -03:00			`Intermediate or Root \|CA\| that you are using, on how to create public`
			`certificate and private key pairs, signed by intermediate or a Root \|CA\|, for`
			`HTTPS.`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
Editorial updates on Security Guide upstream Acted on Greg's comments Patch 1: Deleted duplicated docs and corrected references to fix build failure Patch 2: Acted on Greg's and Ron's comments. Patch 3: Acted on Greg's comment. Patch 4: Acted on Mary's comments. Patch 5: Solved merge conflict. Patch 6: Worked on Mary's comments. Patch 7: Fixed build conflict. Patch 8: Worked on Mary's comments. https://review.opendev.org/c/starlingx/docs/+/792461 Signed-off-by: egoncalv <elisamaraaoki.goncalves@windriver.com> Change-Id: I647711ac35f45bc9c79cc490269831770e98e2f4 2021-05-20 14:11:59 -03:00			For lab purposes, see :ref:`Create Certificates Locally using openssl
			<create-certificates-locally-using-openssl>` for how to create a test
Updates on Certificate Management (pick) Removed rst substitution from tables and inline markups. Updated table and reestructured sections in the overview. Fixed issues, reworded paragraphs, changed titles. Deleted unnecessary sections, added a new item to section and fixed editorial issues. Fixed editorial and formatting issues. Fixed more editorial and formatting issues. Fixed formatting and editorial issues. Added command line. Fixed command line. Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com> Change-Id: I69874db16c76d5aceac706f2b8033771780500ca 2021-10-21 16:20:15 -03:00			`Intermediate or Root \|CA\| certificate and key, and use it to sign test`
			`server certificates.`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
Updates on Certificate Management (pick) Removed rst substitution from tables and inline markups. Updated table and reestructured sections in the overview. Fixed issues, reworded paragraphs, changed titles. Deleted unnecessary sections, added a new item to section and fixed editorial issues. Fixed editorial and formatting issues. Fixed more editorial and formatting issues. Fixed formatting and editorial issues. Added command line. Fixed command line. Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com> Change-Id: I69874db16c76d5aceac706f2b8033771780500ca 2021-10-21 16:20:15 -03:00			`Put the \|PEM\| encoded versions of the server certificate and key in a single`
			`file, and copy the file to the controller host.`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
Remote CLI: Client container doesn't trust the CA. Added note. Patch 1: Worked on Ayyappa comments. Patch 2: Worked on Greg's comments. Patch 3: Worked on Mary's comments. Patch 4: Fixed typo. Signed-off-by: egoncalv <elisamaraaoki.goncalves@windriver.com> Change-Id: I27aab71790f8f21099189b8c2557627203186e9d 2021-06-03 10:23:18 -03:00			`.. note::`
Updates on Certificate Management (pick) Removed rst substitution from tables and inline markups. Updated table and reestructured sections in the overview. Fixed issues, reworded paragraphs, changed titles. Deleted unnecessary sections, added a new item to section and fixed editorial issues. Fixed editorial and formatting issues. Fixed more editorial and formatting issues. Fixed formatting and editorial issues. Added command line. Fixed command line. Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com> Change-Id: I69874db16c76d5aceac706f2b8033771780500ca 2021-10-21 16:20:15 -03:00
			`If you plan to use the container-based remote CLIs, due to a limitation in`
			`the Python2 SSL certificate validation, the certificate used for the \|prod\|`
			`REST API application endpoints and \|prod\| Web Administration Server ('ssl')`
			`certificate must either have:`
Remote CLI: Client container doesn't trust the CA. Added note. Patch 1: Worked on Ayyappa comments. Patch 2: Worked on Greg's comments. Patch 3: Worked on Mary's comments. Patch 4: Fixed typo. Signed-off-by: egoncalv <elisamaraaoki.goncalves@windriver.com> Change-Id: I27aab71790f8f21099189b8c2557627203186e9d 2021-06-03 10:23:18 -03:00
Certificate Limitation Updated container based remote CLI note Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: Ia4c2286c005226229f40ad60c3908e42ffcad17d 2021-06-10 13:28:50 -04:00			`#. CN=IPADDRESS and SANs=IPADDRESS`
Remote CLI: Client container doesn't trust the CA. Added note. Patch 1: Worked on Ayyappa comments. Patch 2: Worked on Greg's comments. Patch 3: Worked on Mary's comments. Patch 4: Fixed typo. Signed-off-by: egoncalv <elisamaraaoki.goncalves@windriver.com> Change-Id: I27aab71790f8f21099189b8c2557627203186e9d 2021-06-03 10:23:18 -03:00
			`or`

			`#. CN=FQDN and SANs=FQDN`

Updates on Certificate Management (pick) Removed rst substitution from tables and inline markups. Updated table and reestructured sections in the overview. Fixed issues, reworded paragraphs, changed titles. Deleted unnecessary sections, added a new item to section and fixed editorial issues. Fixed editorial and formatting issues. Fixed more editorial and formatting issues. Fixed formatting and editorial issues. Added command line. Fixed command line. Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com> Change-Id: I69874db16c76d5aceac706f2b8033771780500ca 2021-10-21 16:20:15 -03:00			`where IPADDRESS and FQDN are for the OAM Floating IP Address.`
Remote CLI: Client container doesn't trust the CA. Added note. Patch 1: Worked on Ayyappa comments. Patch 2: Worked on Greg's comments. Patch 3: Worked on Mary's comments. Patch 4: Fixed typo. Signed-off-by: egoncalv <elisamaraaoki.goncalves@windriver.com> Change-Id: I27aab71790f8f21099189b8c2557627203186e9d 2021-06-03 10:23:18 -03:00

Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00			`.. rubric:: \|proc\|`

			`- Install/update the copied certificate.`

			`For example:`

			`.. code-block:: none`

Update Security Fixed merge conflict (RS) Signed-off-by: Rafael Jardim <rafaeljordao.jardim@windriver.com> Change-Id: I30b882a14196525f440db1108a56bbf862dfaf55 Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-03-15 16:56:04 -03:00			`~(keystone_admin)]$ system certificate-install -m ssl <pathTocertificateAndKey>`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
			`where:`

			`<pathTocertificateAndKey>`

Update Security Fixed merge conflict (RS) Signed-off-by: Rafael Jardim <rafaeljordao.jardim@windriver.com> Change-Id: I30b882a14196525f440db1108a56bbf862dfaf55 Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-03-15 16:56:04 -03:00			`is the path to the file containing both the intermediate or Root`
Updates on Certificate Management (pick) Removed rst substitution from tables and inline markups. Updated table and reestructured sections in the overview. Fixed issues, reworded paragraphs, changed titles. Deleted unnecessary sections, added a new item to section and fixed editorial issues. Fixed editorial and formatting issues. Fixed more editorial and formatting issues. Fixed formatting and editorial issues. Added command line. Fixed command line. Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com> Change-Id: I69874db16c76d5aceac706f2b8033771780500ca 2021-10-21 16:20:15 -03:00			`\|CA\|-signed server certificate and private key to install.`

			`.. warning::`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
Updates on Certificate Management (pick) Removed rst substitution from tables and inline markups. Updated table and reestructured sections in the overview. Fixed issues, reworded paragraphs, changed titles. Deleted unnecessary sections, added a new item to section and fixed editorial issues. Fixed editorial and formatting issues. Fixed more editorial and formatting issues. Fixed formatting and editorial issues. Added command line. Fixed command line. Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com> Change-Id: I69874db16c76d5aceac706f2b8033771780500ca 2021-10-21 16:20:15 -03:00			`The REST and Web Server certificate are not automatically renewed, user`
			`MUST renew the certificate prior to expiry, otherwise a variety of system`
			`operations will fail.`
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
Added RSA Key length (dsr8) Modified the note to include <the certificate file> Removed trailing spaces and fixed Patchset 7 comments Updated Patchset 6 comments and removed the word platform Fixed formatting issues Updated Patchset 4 comments Added additional notes in multiple topics listed in the review Updated the Security / Upgrade Guide with a note Change-Id: If0a88e88268b2a4540b6abf97bc7b5ca9049747c Signed-off-by: Juanita Balaraj <juanita.balaraj@windriver.com> Change-Id: I5686cda10f4ac9b184f5ac1e6ceec003b09155d2 2023-06-19 20:14:20 +00:00			`.. note::`

			`Ensure the certificates have RSA key length >= 2048 bits. The`
			\|prod-long\| Release \|this-ver\| provides a new version of ``openssl`` which
			`requires a minimum of 2048-bit keys for RSA for better security / encryption`
			`strength.`

			You can check the key length by running ``openssl x509 -in <the certificate file> -noout -text``
			`and looking for the "Public-Key" in the output. For more information see`
			:ref:`Create Certificates Locally using openssl <create-certificates-locally-using-openssl>`.