2020-08-31 11:01:56 -04:00
|
|
|
|
|
|
|
|
|
|
.. qfk1564403051860
|
|
|
|
|
|
.. _add-a-trusted-ca:
|
|
|
|
|
|
|
2021-05-20 14:11:59 -03:00
|
|
|
|
==============================
|
2021-10-21 16:20:15 -03:00
|
|
|
|
System Trusted CA Certificates
|
2021-05-20 14:11:59 -03:00
|
|
|
|
==============================
|
2020-08-31 11:01:56 -04:00
|
|
|
|
|
2021-10-21 16:20:15 -03:00
|
|
|
|
|prod| also supports the ability to update the trusted |CA| certificate
|
|
|
|
|
|
bundle on all nodes in the system. This is required, for example, when
|
|
|
|
|
|
container images are being pulled from an external Docker registry with a
|
|
|
|
|
|
certificate signed by a non-well-known |CA|.
|
|
|
|
|
|
|
2020-08-31 11:01:56 -04:00
|
|
|
|
Generally a trusted |CA| certificate needs to be added if |prod| clients on
|
|
|
|
|
|
the hosts will be connecting to server\(s\) secured with SSL and whose
|
|
|
|
|
|
certificate is signed by an unknown |CA|.
|
|
|
|
|
|
|
|
|
|
|
|
.. contents::
|
|
|
|
|
|
:local:
|
|
|
|
|
|
:depth: 1
|
|
|
|
|
|
|
2021-10-21 16:20:15 -03:00
|
|
|
|
For example, a trusted |CA| certificate is required if your Helm charts or
|
|
|
|
|
|
yaml manifest files refer to images stored in a Docker registry whose
|
2020-08-31 11:01:56 -04:00
|
|
|
|
certificate has been signed by an unknown Certificate Authority.
|
|
|
|
|
|
|
|
|
|
|
|
Trusted |CA| certificates can be added as part of the Ansible Bootstrap
|
|
|
|
|
|
Playbook or by using the StarlingX/system REST API or CLI after installation.
|
|
|
|
|
|
|
2021-10-21 16:20:15 -03:00
|
|
|
|
-----------------------------------------
|
|
|
|
|
|
Install/Uninstall Trusted CA certificates
|
|
|
|
|
|
-----------------------------------------
|
|
|
|
|
|
|
|
|
|
|
|
Trusted |CA| certificates can be added as part of the Ansible Bootstrap
|
|
|
|
|
|
Playbook or by using the StarlingX/system REST API or CLI after installation.
|
|
|
|
|
|
|
2020-08-31 11:01:56 -04:00
|
|
|
|
|
|
|
|
|
|
.. _add-a-trusted-ca-section-N1002C-N1001C-N10001:
|
|
|
|
|
|
|
|
|
|
|
|
--------------------------
|
|
|
|
|
|
Ansible Bootstrap Playbook
|
|
|
|
|
|
--------------------------
|
|
|
|
|
|
|
|
|
|
|
|
A trusted |CA| certificate may need to be specified as an override parameter
|
2021-10-21 16:20:15 -03:00
|
|
|
|
for the Ansible Bootstrap Playbook. Specifically, if the Docker registries,
|
2020-08-31 11:01:56 -04:00
|
|
|
|
specified by the bootstrap overrides file, use a certificate signed by an
|
|
|
|
|
|
unknown |CA|. If this is the case then the ssl\_ca\_cert parameter needs to
|
|
|
|
|
|
be specified in the ansible overrides file, /home/sysadmin/localhost.yml, as
|
|
|
|
|
|
part of bootstrap in the installation procedure.
|
|
|
|
|
|
|
|
|
|
|
|
For example:
|
|
|
|
|
|
|
|
|
|
|
|
.. code-block:: none
|
|
|
|
|
|
|
2021-03-15 16:56:04 -03:00
|
|
|
|
ssl_ca_cert: /path/to/ssl_ca_cert_file
|
2020-08-31 11:01:56 -04:00
|
|
|
|
|
|
|
|
|
|
The *ssl\_ca\_cert* value is the absolute path of the file containing the
|
|
|
|
|
|
|CA| certificate\(s\) to trust. The certificate\(s\) must be in |PEM| format
|
|
|
|
|
|
and the file may contain one or more |CA| certificates.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
.. _add-a-trusted-ca-section-N10047-N1001C-N10001:
|
|
|
|
|
|
|
2021-10-21 16:20:15 -03:00
|
|
|
|
-------------------------------------------
|
|
|
|
|
|
System CLI – Trusted CA certificate install
|
|
|
|
|
|
-------------------------------------------
|
2020-08-31 11:01:56 -04:00
|
|
|
|
|
|
|
|
|
|
After installation, adding a trusted |CA| to the |prod| system may be required.
|
2021-10-21 16:20:15 -03:00
|
|
|
|
This is the case if images stored in a Docker registry, whose certificate has
|
|
|
|
|
|
been signed by a not-well-known Certificate Authority, are referred to by Helm
|
2020-08-31 11:01:56 -04:00
|
|
|
|
charts and/or yaml manifest files.
|
|
|
|
|
|
|
2021-10-12 09:11:08 -04:00
|
|
|
|
Multiple trusted |CA| certificates can be added with single install command by
|
|
|
|
|
|
including multiple |CA| certificates in the specified |PEM| file.
|
|
|
|
|
|
|
2020-08-31 11:01:56 -04:00
|
|
|
|
The certificate must be in |PEM| file format.
|
2021-10-12 09:11:08 -04:00
|
|
|
|
|
2020-08-31 11:01:56 -04:00
|
|
|
|
From the command line, run the :command:`certificate-install` command.
|
|
|
|
|
|
|
|
|
|
|
|
.. code-block:: none
|
|
|
|
|
|
|
2021-03-15 16:56:04 -03:00
|
|
|
|
~(keystone_admin)]$ system certificate-install -m ssl_ca <trusted-ca-bundle-pem-file>
|
2020-08-31 11:01:56 -04:00
|
|
|
|
|
2021-10-12 09:11:08 -04:00
|
|
|
|
where ``<trusted-ca-bundle-pem-file>`` contains 1 or more public certificates
|
2021-10-21 16:20:15 -03:00
|
|
|
|
of |CAs| that should be trusted by |prod|.
|
2020-08-31 11:01:56 -04:00
|
|
|
|
|
|
|
|
|
|
|
2021-10-12 09:11:08 -04:00
|
|
|
|
The system will print a list of the certificates that were successfully
|
|
|
|
|
|
installed from the |PEM| file and a list of certificates that were not
|
|
|
|
|
|
installed from the |PEM| file due to a certificate error.
|
2020-08-31 11:01:56 -04:00
|
|
|
|
|
2021-10-12 09:11:08 -04:00
|
|
|
|
For example:
|
2020-08-31 11:01:56 -04:00
|
|
|
|
|
2021-10-12 09:11:08 -04:00
|
|
|
|
.. code-block:: none
|
2020-08-31 11:01:56 -04:00
|
|
|
|
|
2021-10-12 09:11:08 -04:00
|
|
|
|
~(keystone_admin)]$ system certificate-install -m ssl_ca ext-registry-ca-certificates.pem
|
|
|
|
|
|
|
|
|
|
|
|
+-------------+------------------------------------------------+
|
|
|
|
|
|
| Property | Value |
|
|
|
|
|
|
+-------------+------------------------------------------------+
|
|
|
|
|
|
| uuid | 5f677003-a08a-4725-9082-2b4ea81b33d5 |
|
|
|
|
|
|
| certtype | ssl_ca |
|
|
|
|
|
|
| signature | ssl_ca_252107869940582877573916937829152170776 |
|
|
|
|
|
|
| start_date | 2021-08-17 01:48:21+00:00 |
|
|
|
|
|
|
| expiry_date | 2021-08-17 02:48:21+00:00 |
|
|
|
|
|
|
+-------------+------------------------------------------------+
|
|
|
|
|
|
WARNING: Some certificates were not installed.
|
|
|
|
|
|
Error with cert number 2 in the file: certificate is not valid before 2021-08-13 14:00:21 nor after 2021-08-13 15:00:21
|
|
|
|
|
|
Error with cert number 3 in the file: certificate is not valid before 2021-08-13 14:00:21 nor after 2021-08-13 15:00:21
|
|
|
|
|
|
Error with cert number 4 in the file: certificate is not valid before 2018-08-16 20:28:20 nor after 2021-06-05 20:28:20
|
2020-08-31 11:01:56 -04:00
|
|
|
|
|
2022-01-07 15:41:27 -03:00
|
|
|
|
.. note::
|
|
|
|
|
|
|
|
|
|
|
|
Installing a new ``ssl_ca`` with ``system certificate-install -m ssl_ca``
|
|
|
|
|
|
or deleting an old ``ssl_ca`` with ``system certificate-uninstall`` must be
|
|
|
|
|
|
followed by locking and unlocking all controller nodes for the change to
|
|
|
|
|
|
take effect.
|
|
|
|
|
|
|
2020-08-31 11:01:56 -04:00
|
|
|
|
.. _add-a-trusted-ca-section-phr-jw4-3mb:
|
|
|
|
|
|
|
2021-10-21 16:20:15 -03:00
|
|
|
|
---------------------------------------------
|
|
|
|
|
|
System CLI – Trusted CA certificate uninstall
|
|
|
|
|
|
---------------------------------------------
|
2020-08-31 11:01:56 -04:00
|
|
|
|
|
|
|
|
|
|
To remove a Trusted |CA| Certificate, first list the trusted |CAs| by
|
|
|
|
|
|
running the following command:
|
|
|
|
|
|
|
|
|
|
|
|
.. code-block:: none
|
|
|
|
|
|
|
2021-03-15 16:56:04 -03:00
|
|
|
|
~(keystone_admin)]$ system certificate-list
|
2020-08-31 11:01:56 -04:00
|
|
|
|
|
2021-10-12 09:11:08 -04:00
|
|
|
|
where, all entries with certtype = ssl_ca are trusted |CA| certificates.
|
2020-08-31 11:01:56 -04:00
|
|
|
|
|
|
|
|
|
|
Then remove a Trusted |CA| Certificate from the list of trusted |CAs| by
|
|
|
|
|
|
running the following command:
|
|
|
|
|
|
|
|
|
|
|
|
.. code-block:: none
|
|
|
|
|
|
|
2021-03-15 16:56:04 -03:00
|
|
|
|
~(keystone_admin)]$ system certificate-uninstall -m ssl_ca <UUID>
|
2020-08-31 11:01:56 -04:00
|
|
|
|
|
|
|
|
|
|
where, <UUID> is the UUID of the ssl\_ca certtype to be removed.
|
|
|
|
|
|
|
2022-01-07 15:41:27 -03:00
|
|
|
|
.. note::
|
|
|
|
|
|
|
|
|
|
|
|
Installing a new ``ssl_ca`` with ``system certificate-install -m ssl_ca``
|
|
|
|
|
|
or deleting an old ``ssl_ca`` with ``system certificate-uninstall`` must be
|
|
|
|
|
|
followed by locking and unlocking all controller nodes for the change to
|
|
|
|
|
|
take effect.
|
|
|
|
|
|
|
2022-08-16 16:19:27 -04:00
|
|
|
|
------------------------------------
|
|
|
|
|
|
Update/Renew trusted CA certificates
|
|
|
|
|
|
------------------------------------
|
2021-10-21 16:20:15 -03:00
|
|
|
|
|
|
|
|
|
|
.. warning::
|
|
|
|
|
|
|
|
|
|
|
|
System trusted |CA| certificates can not be auto renewed, as they are not
|
|
|
|
|
|
owned by |prod|.
|
|
|
|
|
|
|
|
|
|
|
|
The administrator should update the trusted |CA| certificates following the
|
|
|
|
|
|
install/uninstall procedure as requested, or when trusted |CA| certificates
|
|
|
|
|
|
in use are approaching expiration.
|
|
|
|
|
|
|
|
|
|
|
|
For example, when the |CA| certificate signing an external Docker registry’s
|
|
|
|
|
|
server certificate needs to be renewed, either because an external Docker
|
|
|
|
|
|
registry has a new server certificate signed by a new |CA|, or the |CA|
|
|
|
|
|
|
certificate signing an external Docker registry’s current server certificate
|
|
|
|
|
|
approaching expiration, the administrator can update the |CA| certificate for
|
|
|
|
|
|
the external Docker registry access by uninstalling the old one, and installing
|
|
|
|
|
|
the new one.
|
