Appendix A. SSL/TLS Certificate Configuration

As an optional part of the processes outlined in Section 4.6, “Configuring the Director” or Section 6.11, “Enabling SSL/TLS on the Overcloud”, you can set SSL/TLS for communication on either the Undercloud or Overcloud. However, if using an SSL/TLS certificate with your own certificate authority, the certificate requires a certain configuration for use.

Creating a Certificate Authority

Normally you sign your SSL/TLS certificates with an external certificate authority. In some situations, you might aim to use your own certificate authority. For example, you might aim to have an internal-only certificate authority.
For example, generate a key and certificate pair to act as the certificate authority:
$ openssl genrsa -out ca.key.pem 4096
$ openssl req  -key ca.key.pem -new -x509 -days 7300 -extensions v3_ca -out ca.crt.pem
The openssl req command asks for certain details about your authority. Enter these details.
This creates the a certificate file called ca.crt.pem. Copy this file to each client that aims to access your Red Hat Openstack Platform environment and run the following command to add it to the certificate authority trust bundle:
$ sudo cp ca.crt.pem /etc/pki/ca-trust/source/anchors/
$ sudo update-ca-trust extract

Creating an SSL/TLS Certificate

This next procedure creates a signed certificate for either the Undercloud and Overcloud.
Copy the default OpenSSL configuration file for customization.
$ cp /etc/pki/tls/openssl.cnf .
Edit the custom openssl.cnf file and set SSL parameters to use for the director. An example of the types of parameters to modify include:
distinguished_name = req_distinguished_name
req_extensions = v3_req

countryName = Country Name (2 letter code)
countryName_default = AU
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Queensland
localityName = Locality Name (eg, city)
localityName_default = Brisbane
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Red Hat
commonName = Common Name
commonName_default =
commonName_max = 64

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

IP.1 =
DNS.1 =
DNS.2 = instack.localdomain
DNS.3 = vip.localdomain


Set the commonName_default to the IP address, or fully qualified domain name if using one, of the Public API:
  • For the Undercloud, use the undercloud_public_vip parameter in undercloud.conf. If using a fully qualified domain name for this IP address, use the domain name instead.
  • For the Overcloud, use the IP address for the Public API, which is the first address for the ExternalAllocationPools parameter in your network isolation environment file. If using a fully qualified domain name for this IP address, use the domain name instead.
Include the same Public API IP address as an IP entry and a DNS entry in the alt_names section. If also using DNS, include the hostname for the server as DNS entries in the same section. For more information about openssl.cnf, run man openssl.cnf.
Run the following commands to generate the key (server.key.pem), the certificate signing request (server.csr.pem), and the signed certificate (server.crt.pem):
$ openssl genrsa -out server.key.pem 2048
$ openssl req -config openssl.cnf -key server.key.pem -new -out server.csr.pem
$ sudo openssl ca -config openssl.cnf -extensions v3_req -days 3650 -in server.csr.pem -out server.crt.pem -cert ca.cert.pem


The openssl req command asks for several details for the certificate, including the Common Name. Make sure the Common Name is set to the IP address of the Public API for the Undercloud or Overcloud (depending on which certificate set you are creating). The openssl.cnf file should use this IP address as a default value.
Use this key pair to create a SSL/TLS certificate for either the Undercloud or Overcloud.

Using the Certificate with the Undercloud

Run the following command to create the certificate:
$ cat server.crt.pem server.key.pem > undercloud.pem
This creates a undercloud.pem for use with the undercloud_service_certificate option in the undercloud.conf file. This file also requires a special SELinux context so that the HAProxy tool can read it. Use the following example as a guide:
$ sudo mkdir /etc/pki/instack-certs
$ sudo cp ~/undercloud.pem /etc/pki/instack-certs/.
$ sudo semanage fcontext -a -t etc_t "/etc/pki/instack-certs(/.*)?"
$ sudo restorecon -R /etc/pki/instack-certs
Add the certificate authority to the Undercloud's list of trusted Certificate Authorities:
$ sudo cp ca.crt.pem /etc/pki/ca-trust/source/anchors/
$ sudo update-ca-trust extract
Add the undercloud.pem file location to the undercloud_service_certificate option in the undercloud.conf file. For example:
undercloud_service_certificate = /etc/pki/instack-certs/undercloud.pem
Continue installing the Undercloud as per the instructions in Section 4.6, “Configuring the Director”.

Using the Certificate with the Overcloud

Use the certificate with the enable-tls.yaml file from Section 6.11, “Enabling SSL/TLS on the Overcloud”.