Chapter 16. Configuring custom SSL/TLS certificates
You can configure the undercloud to use SSL/TLS for communication over public endpoints. However, if you want to use an SSL certificate signed by your own certificate authority, you must complete the following configuration steps.
16.1. Initializing the signing host
The signing host is the host that generates and signs new certificates with a certificate authority. If you have never created SSL certificates on the chosen signing host, you might need to initialize the host so that it can sign new certificates.
The /etc/pki/CA/index.txt file contains records of all signed certificates. Check whether this file exists. If it does not exist, create an empty file:
$ sudo touch /etc/pki/CA/index.txt
The /etc/pki/CA/serial file identifies the serial number to use for the next certificate to sign. Check whether this file exists. If it does not exist, create a new file with a starting value:
$ echo '1000' | sudo tee /etc/pki/CA/serial
16.4. Creating an SSL/TLS key
Enabling SSL/TLS on an OpenStack environment requires an SSL/TLS key to generate your certificates. This procedure shows how to generate this key.
Run the following command to generate the SSL/TLS key (server.key.pem):
$ openssl genrsa -out server.key.pem 2048
16.5. Creating an SSL/TLS certificate signing request
Complete the following procedure to create a certificate signing request.
Copy the default OpenSSL configuration file:
$ cp /etc/pki/tls/openssl.cnf .
Edit the new openssl.cnf file and configure the SSL parameters to use for the director. An example of the types of parameters to modify includes:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = AU
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Queensland
localityName = Locality Name (eg, city)
localityName_default = Brisbane
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Red Hat
commonName = Common Name
commonName_default = 192.168.0.1
commonName_max = 64

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
IP.1 = 192.168.0.1
DNS.1 = instack.localdomain
DNS.2 = vip.localdomain
DNS.3 = 192.168.0.1
Set commonName_default to one of the following entries:
- If using an IP address to access the director over SSL/TLS, use that IP address (192.168.0.1 in the example above).
- If using a fully qualified domain name to access the director over SSL/TLS, use the domain name.
Keep the subjectAltName = @alt_names line in the v3_req section, and edit the alt_names section to include the following entries:
- IP - A list of IP addresses that clients use to access the director over SSL.
- DNS - A list of domain names that clients use to access the director over SSL. Also include the Public API IP address as a DNS entry at the end of the DNS list (DNS.3 in the example above).
For more information about openssl.cnf, see its manual page.
Run the following command to generate a certificate signing request (server.csr.pem):
$ openssl req -config openssl.cnf -key server.key.pem -new -out server.csr.pem
Ensure that you pass your OpenStack SSL/TLS key with the -key option.
This command results in a server.csr.pem file, which is the certificate signing request. Use this file to create your OpenStack SSL/TLS certificate.
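As an added example, not part of the Red Hat procedure, this Python helper builds the alt_names section according to the rules above (one IP.N entry per client-facing address, one DNS.N entry per hostname, and the Public API IP repeated as the last DNS entry) and reports any client-facing endpoint the section would leave uncovered; the addresses are the ones from the sample openssl.cnf, and director.example.com is a constructed placeholder.

```python
import ipaddress

# Constructed sample input, taken from the example openssl.cnf in this chapter.
PUBLIC_API_IP = "192.168.0.1"
DNS_NAMES = ["instack.localdomain", "vip.localdomain"]


def build_alt_names(public_api_ip, dns_names, extra_ips=()):
    """Return the [alt_names] section text for openssl.cnf.

    Rules from the procedure: every client-facing IP address becomes an IP.N
    entry, every client-facing hostname becomes a DNS.N entry, and the Public
    API IP address is repeated as the last DNS entry.
    """
    ips = [public_api_ip, *extra_ips]
    for ip in ips:
        ipaddress.ip_address(ip)  # raises ValueError for a malformed address
    for name in dns_names:
        if not name or any(c.isspace() for c in name):
            raise ValueError(f"invalid DNS name: {name!r}")
    lines = ["[alt_names]"]
    lines += [f"IP.{i} = {ip}" for i, ip in enumerate(ips, 1)]
    lines += [f"DNS.{i} = {n}" for i, n in enumerate([*dns_names, public_api_ip], 1)]
    return "\n".join(lines) + "\n"


def missing_san_entries(alt_names_text, client_endpoints):
    """Return the client-facing endpoints absent from an [alt_names] section.

    A client that connects by an address or name not listed here fails
    hostname verification even though the certificate is otherwise valid.
    """
    present = set()
    for line in alt_names_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().split(".")[0] in ("IP", "DNS"):
            present.add(value.strip())
    return [e for e in client_endpoints if e not in present]


if __name__ == "__main__":
    section = build_alt_names(PUBLIC_API_IP, DNS_NAMES)
    print(section)
    # director.example.com is a constructed placeholder for a name not in the section.
    print("missing:", missing_san_entries(section, [PUBLIC_API_IP, "director.example.com"]))
```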
16.6. Creating the SSL/TLS certificate
This procedure shows how to generate the certificate for your OpenStack environment. This requires the following files:
- The customized configuration file specifying the v3 extensions.
- The certificate signing request to generate and sign the certificate with a certificate authority.
- The certificate authority, which signs the certificate.
- The certificate authority private key.
Run the following command to create a certificate for your undercloud or overcloud:
$ sudo openssl ca -config openssl.cnf -extensions v3_req -days 3650 -in server.csr.pem -out server.crt.pem -cert ca.crt.pem -keyfile ca.key.pem
This command uses the following options:
- -config: Use a custom configuration file, which is our openssl.cnf file with v3 extensions.
- -extensions: Enable the v3 extensions.
- -days: Define how long, in days, until the certificate expires.
- -in: The certificate signing request.
- -out: The resulting signed certificate.
- -cert: The certificate authority file.
- -keyfile: The certificate authority private key.
This command creates a new certificate named server.crt.pem. Use this certificate in conjunction with your OpenStack SSL/TLS key.
16.7. Adding the certificate to the undercloud
Complete the following steps to add your OpenStack SSL/TLS certificate to the undercloud trust bundle.
Run the following command to combine the certificate and key:
$ cat server.crt.pem server.key.pem > undercloud.pem
This command creates an undercloud.pem file. Copy the undercloud.pem file to a location within your /etc/pki directory and set the necessary SELinux context so that HAProxy can read it:
$ sudo mkdir /etc/pki/undercloud-certs
$ sudo cp ~/undercloud.pem /etc/pki/undercloud-certs/.
$ sudo semanage fcontext -a -t etc_t "/etc/pki/undercloud-certs(/.*)?"
$ sudo restorecon -R /etc/pki/undercloud-certs
Add the undercloud.pem file location to the undercloud_service_certificate option in the undercloud.conf file:
undercloud_service_certificate = /etc/pki/undercloud-certs/undercloud.pem
Ensure that you add the certificate authority that signed the certificate to the undercloud's list of trusted Certificate Authorities so that different services within the undercloud have access to the certificate authority:
$ sudo cp ca.crt.pem /etc/pki/ca-trust/source/anchors/
$ sudo update-ca-trust extract
Continue installing the undercloud.
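As an added example that is not part of the Red Hat procedure, this Python check reads a combined undercloud.pem and confirms it has the layout the cat command above produces: the server certificate first, followed by exactly one unencrypted private key (the genrsa step produces an unencrypted key). The PEM bodies are constructed placeholders, not real certificate or key material.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)

# Constructed sample blocks: the bodies are placeholder base64, not real key material.
CERT_BLOCK = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed certificate body").decode()
              + "\n-----END CERTIFICATE-----\n")
KEY_BLOCK = ("-----BEGIN RSA PRIVATE KEY-----\n"
             + base64.b64encode(b"constructed private key body").decode()
             + "\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_BUNDLE = CERT_BLOCK + KEY_BLOCK  # same order as: cat server.crt.pem server.key.pem


def pem_labels(bundle):
    """Return the PEM block labels in file order; raise ValueError on a corrupt body."""
    labels = []
    for match in PEM_BLOCK.finditer(bundle):
        label, body = match.group(1), match.group(2)
        # validate=True rejects truncated or non-base64 bodies instead of silently skipping bytes
        base64.b64decode("".join(body.split()), validate=True)
        labels.append(label)
    return labels


def check_undercloud_bundle(bundle):
    """Return a list of problems with a combined certificate-plus-key file.

    An empty list means the file has the layout HAProxy expects: the server
    certificate first, followed by exactly one unencrypted private key.
    """
    try:
        labels = pem_labels(bundle)
    except ValueError as exc:
        return [f"malformed PEM body: {exc}"]
    problems = []
    if not labels or labels[0] != "CERTIFICATE":
        problems.append("first block must be the server CERTIFICATE")
    keys = [label for label in labels if label.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        problems.append("exactly one PRIVATE KEY block expected")
    if "ENCRYPTED PRIVATE KEY" in labels:
        problems.append("private key is passphrase-protected; use an unencrypted key")
    return problems


if __name__ == "__main__":
    print("problems:", check_undercloud_bundle(SAMPLE_BUNDLE))
```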