docs/doc/source/security/kubernetes/install-update-the-starlingx-rest-and-web-server-certificate.rst
Juanita Balaraj cb0245cfab Added RSA Key length (dsr8)
Modified the note to include <the certificate file>
Removed trailing spaces and fixed Patchset 7 comments
Updated Patchset 6 comments and removed the word platform
Fixed formatting issues
Updated Patchset 4 comments
Added additional notes in multiple topics listed in the review
Updated the Security / Upgrade Guide with a note
Change-Id: If0a88e88268b2a4540b6abf97bc7b5ca9049747c
Signed-off-by: Juanita Balaraj <juanita.balaraj@windriver.com>

Change-Id: I5686cda10f4ac9b184f5ac1e6ceec003b09155d2
2023-06-28 04:44:19 +00:00

2.6 KiB

Install/Update the StarlingX Rest and Web Server Certificate

Use the following procedure to install or update the certificate for the REST API application endpoints (Keystone, Barbican and ) and the web administration server.

Obtain an intermediate or Root -signed server certificate and key from a trusted Intermediate or Root . Refer to the documentation for the external Intermediate or Root that you are using, on how to create public certificate and private key pairs, signed by intermediate or a Root , for HTTPS.

For lab purposes, see Create Certificates Locally using openssl <create-certificates-locally-using-openssl> for how to create a test Intermediate or Root certificate and key, and use it to sign test server certificates.

Put the encoded versions of the server certificate and key in a single file, and copy the file to the controller host.

Note

If you plan to use the container-based remote CLIs, due to a limitation in the Python2 SSL certificate validation, the certificate used for the REST API application endpoints and Web Administration Server ('ssl') certificate must either have:

  1. CN=IPADDRESS and SANs=IPADDRESS

    or

  2. CN=FQDN and SANs=FQDN

    where IPADDRESS and FQDN are for the OAM Floating IP Address.

  • Install/update the copied certificate.

    For example:

    ~(keystone_admin)]$ system certificate-install -m ssl <pathTocertificateAndKey>

    where:

    <pathTocertificateAndKey>

    is the path to the file containing both the intermediate or Root -signed server certificate and private key to install.

Warning

The REST and Web Server certificate is not automatically renewed; the user MUST renew the certificate prior to expiry, otherwise a variety of system operations will fail.

Note

Ensure the certificates have an RSA key length of at least 2048 bits. The Release provides a new version of openssl that requires a minimum of 2048-bit RSA keys for better security / encryption strength.

You can check the key length by running openssl x509 -in <the certificate file> -noout -text and looking for the "Public-Key" line in the output. For more information see Create Certificates Locally using openssl <create-certificates-locally-using-openssl>.
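As an added pre-install check that is not part of the StarlingX documentation or code, the following POSIX shell function validates the combined certificate-and-key file before it is passed to system certificate-install -m ssl: it confirms both PEM blocks are present, that the RSA key is at least 2048 bits (the "Public-Key" line from openssl x509 -text), that CN and SAN both carry the OAM floating IP address or FQDN as the container-based remote CLI note requires, and that the certificate is not close to expiry, since renewal is manual. The function name, the 30-day expiry threshold and the sample address 10.10.10.2 used when exercising it are assumptions.

```shell
#!/bin/sh
# Hypothetical pre-install check for the combined cert+key file given to
# "system certificate-install -m ssl"; not part of StarlingX.
MIN_RSA_BITS=2048   # minimum the platform's openssl accepts for RSA
MIN_DAYS_LEFT=30    # assumed renewal threshold: the platform does not auto-renew

# check_ssl_bundle <cert+key PEM file> <OAM floating IP address or FQDN>
# Returns 0 when every check passes, 1 (with a FAIL line) otherwise.
check_ssl_bundle() {
    f="$1"; oam="$2"
    grep -q 'BEGIN CERTIFICATE' "$f" 2>/dev/null && grep -q 'PRIVATE KEY' "$f" \
        || { echo "FAIL: $f must contain both the server certificate and its key"; return 1; }
    text=$(openssl x509 -in "$f" -noout -text 2>/dev/null) \
        || { echo "FAIL: no parsable certificate in $f"; return 1; }
    # Key length: the "Public-Key: (NNNN bit)" line the note says to look for
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ -n "$bits" ] && [ "$bits" -ge "$MIN_RSA_BITS" ] \
        || { echo "FAIL: RSA key is ${bits:-?} bits, need >= $MIN_RSA_BITS"; return 1; }
    # CN must be the OAM floating IP/FQDN (container-based remote CLI limitation)
    cn=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 2>/dev/null \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$oam" ] || { echo "FAIL: CN is '$cn', expected '$oam'"; return 1; }
    # ...and the SAN list must carry the same value as DNS: or IP Address:
    san=$(printf '%s\n' "$text" | grep -A 1 'Subject Alternative Name' | tail -n 1)
    printf '%s\n' "$san" | grep -q -E "(DNS|IP Address):$oam(,|\$)" \
        || { echo "FAIL: SAN '$san' does not list $oam"; return 1; }
    # Expiry: the certificate is not renewed automatically, so warn early
    openssl x509 -in "$f" -noout -checkend $((MIN_DAYS_LEFT * 86400)) >/dev/null 2>&1 \
        || { echo "FAIL: certificate expires within $MIN_DAYS_LEFT days"; return 1; }
    echo "OK: $f passes key-length, CN/SAN and expiry checks for $oam"
}
```

Run it as check_ssl_bundle <pathTocertificateAndKey> <OAM floating IP or FQDN> on the controller before the certificate-install step; a FAIL line names the first check that did not pass.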