From b71cb7758c1e0959295fda5651f64123f7a70d57 Mon Sep 17 00:00:00 2001 From: Juanita-Balaraj Date: Thu, 29 Jul 2021 19:23:57 -0400 Subject: [PATCH] Certificate Update Signed-off-by: Juanita-Balaraj Change-Id: I6345e6be7e31e12d2f81bb6d35788896ddddcbf9 --- ...stall-rest-api-and-horizon-certificate.rst | 40 +++++++++---------- 1 file changed, 19 insertions(+), 21 deletions(-) diff --git a/doc/source/security/openstack/install-rest-api-and-horizon-certificate.rst b/doc/source/security/openstack/install-rest-api-and-horizon-certificate.rst index d2a1ff49f..49f8822bd 100644 --- a/doc/source/security/openstack/install-rest-api-and-horizon-certificate.rst +++ b/doc/source/security/openstack/install-rest-api-and-horizon-certificate.rst 
@@ -13,32 +13,31 @@ sections on :ref:`Accessing the System `. .. rubric:: |prereq| -Before installing the openstack certificate and key, you must install the ROOT -|CA| for the openstack certificate as a trusted ca, :ref:`Install a Trusted CA -Certificate `. +Obtain an Intermediate or Root CA-signed certificate and key from a trusted +Intermediate or Root CA. The OpenStack certificate should be created with a +wildcard SAN, for example: + +.. code-block:: none + + X509v3 extensions: + X509v3 Subject Alternative Name: + DNS:*.west2.us.example.com + .. rubric:: |proc| -#. Install the certificate for OpenStack as Helm chart overrides. +#. Put the |PEM| encoded versions of the OpenStack certificate and key in a + single file (e.g. **openstack-cert-key.pem**), and put the certificate of + the Root CA in a separate file (e.g. **openstack-ca-cert.pem**), and copy + the files to the controller host. + +#. Install the certificate as the OpenStack REST API / Horizon Certificate. .. code-block:: none - ~(keystone_admin)$ system certificate-install -m openstack - - where is a pem file containing both the certificate and - private key. - - .. note:: - The OpenStack certificate must be created with wildcard |SAN|. - - For example, to create a certificate for |FQDN|: west2.us.example.com, - the following entry must be included in the certificate: - - .. code-block:: none - - X509v3 extensions: - X509v3 Subject Alternative Name: - DNS:*.west2.us.example.com + ~(keystone_admin)]$ system certificate-install -m ssl_ca openstack-ca-cert.pem + ~(keystone_admin)]$ system certificate-install -m openstack_ca openstack-ca-cert.pem + ~(keystone_admin)$ system certificate-install -m openstack openstack-cert-key.pem #. Apply the Helm chart overrides containing the certificate changes. @@ -46,4 +45,3 @@ Certificate `. ~(keystone_admin)$ system application-apply wr-openstack -
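Review bot: In the new prerequisite text of the first hunk, "The OpenStack certificate should be created with a wildcard SAN" weakens the removed note's "must be created with wildcard |SAN|". If the wildcard SAN is still a hard requirement, keep "must", and keep the |SAN| substitution so it matches the |PEM| substitution used in the added step. The prerequisite also allows a certificate signed by an Intermediate CA, but step 1 only says to put "the certificate of the Root CA" in openstack-ca-cert.pem, so state what that file should contain when the signer is an intermediate. In the added code block, the two CA commands use the prompt `~(keystone_admin)]$` while the third uses `~(keystone_admin)$`; pick one form. Because openstack-cert-key.pem carries the private key, step 1 could also tell the reader to restrict the file's permissions on the controller host and to remove it once the install succeeds. Finally, the hunk drops the :ref: to the trusted CA installation section without a sentence explaining what the `ssl_ca` and `openstack_ca` modes do in its place.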