10.3. SSL Certificates

There is a single SSL certificate on each node host that is used for every application host name served by the host httpd proxy. OpenShift Enterprise supports associating a certificate with a specific application alias, distinguishing them by way of the SNI extension to the SSL protocol. However, the host-wide wildcard certificate should still be configured for use with default host names.
The certificate created by default can be used to provide an encrypted connection to applications. However, it is not properly secure and results in the following warning messages from your browser:
  1. The certificate common name (CN) does not match the application URL.
  2. The certificate is self-signed.
  3. Assuming the end-user accepts the certificate anyway, if the application gear is migrated between node hosts, the new host will present a different certificate from the one the browser has accepted previously.
Create a proper certificate so that application users do not receive some or all of the warning messages described above when attempting to access an application.

10.3.1. Creating a Matching Certificate

Create, or recreate, the certificate as a wildcard for the application domain so that it matches the published OpenShift Enterprise applications. Also create a new key because the default key is only 1024 bits in size, and a minimum size of 2048 bits is required by most certificate authorities. Use the following instructions to create a matching certificate.

Note

If you use the kickstart script, the configure_wildcard_ssl_cert_on_node function performs this step.

Procedure 10.4. To Create a Matching Certificate:

  1. Configure the $domain environment variable to simplify the process with the following command, replacing example.com with the domain name to suit your environment: 
    # domain=example.com
  2. Create the matching certificate using the following commands: 
    # cat << EOF | openssl req -new -rand /dev/urandom \
-newkey rsa:2048 -nodes -keyout /etc/pki/tls/private/localhost.key \
-x509 -days 3650 \
-out /etc/pki/tls/certs/localhost.crt 2> /dev/null
XX
SomeState
SomeCity
SomeOrganization
SomeOrganizationalUnit
*.$domain
root@$domain
EOF
    The self-signed wildcard certificate created expires after 3650 days, or approximately 10 years.
  3. Restart the httpd service: 
    # service httpd restart