docs/doc/source/security/openstack/install-rest-api-and-horizon-certificate.rst


.. pmb1590001656644
.. _install-rest-api-and-horizon-certificate:

========================================
Install REST API and Horizon Certificate
========================================

.. rubric:: |context|

This certificate must be valid for the domain configured for OpenStack, see the
sections on :ref:`Accessing the System <access-using-the-default-set-up>`.

.. rubric:: |prereq|

Obtain an Intermediate or Root CA-signed certificate and key from a trusted
Intermediate or Root CA. The OpenStack certificate should be created with a
wildcard SAN, for example:

.. code-block:: none

    X509v3 extensions:
    X509v3 Subject Alternative Name:
    DNS:*.west2.us.example.com


.. rubric:: |proc|

#.  Put the |PEM| encoded versions of the OpenStack certificate and key in a
    single file (e.g. **openstack-cert-key.pem**), and put the certificate of
    the Root CA in a separate file (e.g. **openstack-ca-cert.pem**), and copy
    the files to the controller host.

#.  Install the certificate as the OpenStack REST API / Horizon Certificate.

    .. code-block:: none

        ~(keystone_admin)]$ system certificate-install -m ssl_ca openstack-ca-cert.pem
        ~(keystone_admin)]$ system certificate-install -m openstack_ca openstack-ca-cert.pem
        ~(keystone_admin)$ system certificate-install -m openstack openstack-cert-key.pem

#.  Apply the Helm chart overrides containing the certificate changes.

    .. parsed-literal::

        ~(keystone_admin)$ system application-apply |prefix|-openstack
Upstreaming WRO Removed duplicate abbrev definitions Signed-off-by: Rafael Jardim <rafaeljordao.jardim@windriver.com> Change-Id: I7910d9f54e158250004abd7e17a4e119f8064252 Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-03-18 08:11:53 -03:00
			`.. pmb1590001656644`
			`.. _install-rest-api-and-horizon-certificate:`

			`========================================`
			`Install REST API and Horizon Certificate`
			`========================================`

			`.. rubric:: \|context\|`

			`This certificate must be valid for the domain configured for OpenStack, see the`
			sections on :ref:`Accessing the System <access-using-the-default-set-up>`.

Install conditionalizations OVS related deployment conditionalizations. Patchset 1 review updates. Updates based on additional inputs. Patchset 3 review updates. Fixed some unexpanded substitutions and formatting issues throughout. Patchset 5 updates. Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: Ib86bf0e13236a40f7a472d4448a9b2d3cc165deb Signed-off-by: Ron Stone <ronald.stone@windriver.com> Reorg OpenStack installion for DS consumption This review replaces https://review.opendev.org/c/starlingx/docs/+/801130 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: Iab9c8d56cff9c1bc57e7e09fb3ceef7cf626edad Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-07-16 15:37:55 -04:00			`.. rubric:: \|prereq\|`

Certificate Update Signed-off-by: Juanita-Balaraj <juanita.balaraj@windriver.com> Change-Id: I6345e6be7e31e12d2f81bb6d35788896ddddcbf9 2021-07-29 19:23:57 -04:00			`Obtain an Intermediate or Root CA-signed certificate and key from a trusted`
			`Intermediate or Root CA. The OpenStack certificate should be created with a`
			`wildcard SAN, for example:`
Install conditionalizations OVS related deployment conditionalizations. Patchset 1 review updates. Updates based on additional inputs. Patchset 3 review updates. Fixed some unexpanded substitutions and formatting issues throughout. Patchset 5 updates. Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: Ib86bf0e13236a40f7a472d4448a9b2d3cc165deb Signed-off-by: Ron Stone <ronald.stone@windriver.com> Reorg OpenStack installion for DS consumption This review replaces https://review.opendev.org/c/starlingx/docs/+/801130 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: Iab9c8d56cff9c1bc57e7e09fb3ceef7cf626edad Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-07-16 15:37:55 -04:00
Certificate Update Signed-off-by: Juanita-Balaraj <juanita.balaraj@windriver.com> Change-Id: I6345e6be7e31e12d2f81bb6d35788896ddddcbf9 2021-07-29 19:23:57 -04:00			`.. code-block:: none`
Upstreaming WRO Removed duplicate abbrev definitions Signed-off-by: Rafael Jardim <rafaeljordao.jardim@windriver.com> Change-Id: I7910d9f54e158250004abd7e17a4e119f8064252 Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-03-18 08:11:53 -03:00
Certificate Update Signed-off-by: Juanita-Balaraj <juanita.balaraj@windriver.com> Change-Id: I6345e6be7e31e12d2f81bb6d35788896ddddcbf9 2021-07-29 19:23:57 -04:00			`X509v3 extensions:`
			`X509v3 Subject Alternative Name:`
			`DNS:*.west2.us.example.com`
Upstreaming WRO Removed duplicate abbrev definitions Signed-off-by: Rafael Jardim <rafaeljordao.jardim@windriver.com> Change-Id: I7910d9f54e158250004abd7e17a4e119f8064252 Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-03-18 08:11:53 -03:00

Certificate Update Signed-off-by: Juanita-Balaraj <juanita.balaraj@windriver.com> Change-Id: I6345e6be7e31e12d2f81bb6d35788896ddddcbf9 2021-07-29 19:23:57 -04:00			`.. rubric:: \|proc\|`
Upstreaming WRO Removed duplicate abbrev definitions Signed-off-by: Rafael Jardim <rafaeljordao.jardim@windriver.com> Change-Id: I7910d9f54e158250004abd7e17a4e119f8064252 Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-03-18 08:11:53 -03:00
Certificate Update Signed-off-by: Juanita-Balaraj <juanita.balaraj@windriver.com> Change-Id: I6345e6be7e31e12d2f81bb6d35788896ddddcbf9 2021-07-29 19:23:57 -04:00			`#. Put the \|PEM\| encoded versions of the OpenStack certificate and key in a`
			`single file (e.g. openstack-cert-key.pem), and put the certificate of`
			`the Root CA in a separate file (e.g. openstack-ca-cert.pem), and copy`
			`the files to the controller host.`
Upstreaming WRO Removed duplicate abbrev definitions Signed-off-by: Rafael Jardim <rafaeljordao.jardim@windriver.com> Change-Id: I7910d9f54e158250004abd7e17a4e119f8064252 Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-03-18 08:11:53 -03:00
Certificate Update Signed-off-by: Juanita-Balaraj <juanita.balaraj@windriver.com> Change-Id: I6345e6be7e31e12d2f81bb6d35788896ddddcbf9 2021-07-29 19:23:57 -04:00			`#. Install the certificate as the OpenStack REST API / Horizon Certificate.`
Upstreaming WRO Removed duplicate abbrev definitions Signed-off-by: Rafael Jardim <rafaeljordao.jardim@windriver.com> Change-Id: I7910d9f54e158250004abd7e17a4e119f8064252 Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-03-18 08:11:53 -03:00
Certificate Update Signed-off-by: Juanita-Balaraj <juanita.balaraj@windriver.com> Change-Id: I6345e6be7e31e12d2f81bb6d35788896ddddcbf9 2021-07-29 19:23:57 -04:00			`.. code-block:: none`
Upstreaming WRO Removed duplicate abbrev definitions Signed-off-by: Rafael Jardim <rafaeljordao.jardim@windriver.com> Change-Id: I7910d9f54e158250004abd7e17a4e119f8064252 Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-03-18 08:11:53 -03:00
Certificate Update Signed-off-by: Juanita-Balaraj <juanita.balaraj@windriver.com> Change-Id: I6345e6be7e31e12d2f81bb6d35788896ddddcbf9 2021-07-29 19:23:57 -04:00			`~(keystone_admin)]$ system certificate-install -m ssl_ca openstack-ca-cert.pem`
			`~(keystone_admin)]$ system certificate-install -m openstack_ca openstack-ca-cert.pem`
			`~(keystone_admin)$ system certificate-install -m openstack openstack-cert-key.pem`
Upstreaming WRO Removed duplicate abbrev definitions Signed-off-by: Rafael Jardim <rafaeljordao.jardim@windriver.com> Change-Id: I7910d9f54e158250004abd7e17a4e119f8064252 Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-03-18 08:11:53 -03:00
			`#. Apply the Helm chart overrides containing the certificate changes.`

Remove mention to wr-openstack Change “wr-openstack” instances to “\|prefix\|-openstack”. PS2: Use \|prefix\| substitution instead of "stx" PS3, 4, 5, 6, 7: Fix table alignment PS8: Replace table with text for \|prefix\| usage Closes-Bug: 1948045 Change-Id: I41f804dd83d480e99a9c8ebfc252def3de0215ea Signed-off-by: MCamp859 <maryx.camp@intel.com> 2021-10-26 11:25:46 -04:00			`.. parsed-literal::`
Upstreaming WRO Removed duplicate abbrev definitions Signed-off-by: Rafael Jardim <rafaeljordao.jardim@windriver.com> Change-Id: I7910d9f54e158250004abd7e17a4e119f8064252 Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-03-18 08:11:53 -03:00
Remove mention to wr-openstack Change “wr-openstack” instances to “\|prefix\|-openstack”. PS2: Use \|prefix\| substitution instead of "stx" PS3, 4, 5, 6, 7: Fix table alignment PS8: Replace table with text for \|prefix\| usage Closes-Bug: 1948045 Change-Id: I41f804dd83d480e99a9c8ebfc252def3de0215ea Signed-off-by: MCamp859 <maryx.camp@intel.com> 2021-10-26 11:25:46 -04:00			`~(keystone_admin)$ system application-apply \|prefix\|-openstack`
Upstreaming WRO Removed duplicate abbrev definitions Signed-off-by: Rafael Jardim <rafaeljordao.jardim@windriver.com> Change-Id: I7910d9f54e158250004abd7e17a4e119f8064252 Signed-off-by: Ron Stone <ronald.stone@windriver.com> 2021-03-18 08:11:53 -03:00