2020-08-31 11:01:56 -04:00
|
|
|
|
|
|
|
|
.. law1570030645265
|
|
|
|
|
.. _install-update-the-starlingx-rest-and-web-server-certificate:
|
|
|
|
|
|
2021-05-20 14:11:59 -03:00
|
|
|
============================================================
|
2020-08-31 11:01:56 -04:00
|
|
|
Install/Update the StarlingX Rest and Web Server Certificate
|
2021-05-20 14:11:59 -03:00
|
|
|
============================================================
|
2020-08-31 11:01:56 -04:00
|
|
|
|
2021-10-21 16:20:15 -03:00
|
|
|
Use the following procedure to install or update the certificate for the |prod|
|
|
|
|
|
REST API application endpoints \(Keystone, Barbican and |prod|\) and the
|
|
|
|
|
|prod| web administration server.
|
2020-08-31 11:01:56 -04:00
|
|
|
|
|
|
|
|
.. rubric:: |prereq|
|
|
|
|
|
|
2021-10-21 16:20:15 -03:00
|
|
|
Obtain an intermediate or Root |CA|-signed server certificate and key from a
|
|
|
|
|
trusted Intermediate or Root |CA|. Refer to the documentation for the external
|
2021-03-15 16:56:04 -03:00
|
|
|
Intermediate or Root |CA| that you are using, on how to create public
|
|
|
|
|
certificate and private key pairs, signed by intermediate or a Root |CA|, for
|
|
|
|
|
HTTPS.
|
2020-08-31 11:01:56 -04:00
|
|
|
|
2021-05-20 14:11:59 -03:00
|
|
|
For lab purposes, see :ref:`Create Certificates Locally using openssl
|
|
|
|
|
<create-certificates-locally-using-openssl>` for how to create a test
|
2021-10-21 16:20:15 -03:00
|
|
|
Intermediate or Root |CA| certificate and key, and use it to sign test
|
|
|
|
|
server certificates.
|
2020-08-31 11:01:56 -04:00
|
|
|
|
2021-10-21 16:20:15 -03:00
|
|
|
Put the |PEM| encoded versions of the server certificate and key in a single
|
|
|
|
|
file, and copy the file to the controller host.
|
2020-08-31 11:01:56 -04:00
|
|
|
|
2021-06-03 10:23:18 -03:00
|
|
|
.. note::
|
2021-10-21 16:20:15 -03:00
|
|
|
|
|
|
|
|
If you plan to use the container-based remote CLIs, due to a limitation in
|
|
|
|
|
the Python2 SSL certificate validation, the certificate used for the |prod|
|
|
|
|
|
REST API application endpoints and |prod| Web Administration Server ('ssl')
|
|
|
|
|
certificate must either have:
|
2021-06-03 10:23:18 -03:00
|
|
|
|
2021-06-10 13:28:50 -04:00
|
|
|
#. CN=IPADDRESS and SANs=IPADDRESS
|
2021-06-03 10:23:18 -03:00
|
|
|
|
|
|
|
|
or
|
|
|
|
|
|
|
|
|
|
#. CN=FQDN and SANs=FQDN
|
|
|
|
|
|
2021-10-21 16:20:15 -03:00
|
|
|
where IPADDRESS and FQDN are for the OAM Floating IP Address.
|
2021-06-03 10:23:18 -03:00
|
|
|
|
|
|
|
|
|
2020-08-31 11:01:56 -04:00
|
|
|
.. rubric:: |proc|
|
|
|
|
|
|
|
|
|
|
- Install/update the copied certificate.
|
|
|
|
|
|
|
|
|
|
For example:
|
|
|
|
|
|
|
|
|
|
.. code-block:: none
|
|
|
|
|
|
2021-03-15 16:56:04 -03:00
|
|
|
~(keystone_admin)]$ system certificate-install -m ssl <pathTocertificateAndKey>
|
2020-08-31 11:01:56 -04:00
|
|
|
|
|
|
|
|
where:
|
|
|
|
|
|
|
|
|
|
**<pathTocertificateAndKey>**
|
|
|
|
|
|
2021-03-15 16:56:04 -03:00
|
|
|
is the path to the file containing both the intermediate or Root
|
2021-10-21 16:20:15 -03:00
|
|
|
|CA|-signed server certificate and private key to install.
|
|
|
|
|
|
|
|
|
|
.. warning::
|
2020-08-31 11:01:56 -04:00
|
|
|
|
2021-10-21 16:20:15 -03:00
|
|
|
The REST and Web Server certificate are not automatically renewed, user
|
|
|
|
|
MUST renew the certificate prior to expiry, otherwise a variety of system
|
|
|
|
|
operations will fail.
|
2020-08-31 11:01:56 -04:00
|
|
|
|
