ff0c830115
Added note. Patch 1: Worked on Ayyappa comments. Patch 2: Worked on Greg's comments. Patch 3: Worked on Mary's comments. Patch 4: Fixed typo. Signed-off-by: egoncalv <elisamaraaoki.goncalves@windriver.com> Change-Id: I27aab71790f8f21099189b8c2557627203186e9d
1.9 KiB
Install/Update the StarlingX Rest and Web Server Certificate
Use the following procedure to install or update the certificate for the REST API application endpoints (Keystone, Barbican and StarlingX) and the web administration server.
Obtain an intermediate or Root -signed certificate and key from a trusted intermediate or Root . Refer to the documentation for the external Intermediate or Root that you are using, on how to create public certificate and private key pairs, signed by intermediate or a Root , for HTTPS.
For lab purposes, see Create Certificates Locally using openssl
<create-certificates-locally-using-openssl> for how to
create a test intermediate or Root certificate and key, and use it to
sign test certificates.
Put the encoded versions of the certificate and key in a single file, and copy the file to the controller host.
Note
If you plan to use the container-based remote CLIs, due to a limitation in the Python2 SSL certificate validation, the certificate used for the 'ssl' certificate must either have:
CN=IPADDRESS and SANs=empty
or
CN=FQDN and SANs=FQDN
where IPADDRESS and FQDN are for the OAM Floating IP Address.
We recommend that you use the option 2, as CN is technically a deprecated field in the certificate.
Install/update the copied certificate.
For example:
~(keystone_admin)]$ system certificate-install -m ssl <pathTocertificateAndKey>where:
<pathTocertificateAndKey>
is the path to the file containing both the intermediate or Root -signed certificate and private key to install.