starlingx/docs
Code Issues Proposed changes

Merge "Certificate Update"

Browse Source
This commit is contained in:
Zuul 2021-07-30 14:09:55 +00:00 committed by Gerrit Code Review
commit dcd4a4a202
1 changed files with 19 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
doc/source/security/openstack/install-rest-api-and-horizon-certificate.rst
View File

@ -13,32 +13,31 @@ sections on :ref:`Accessing the System <access-using-the-default-set-up>`.
.. rubric:: |prereq| .. rubric:: |prereq|
Before installing the openstack certificate and key, you must install the ROOT Obtain an Intermediate or Root CA-signed certificate and key from a trusted
|CA| for the openstack certificate as a trusted ca, :ref:`Install a Trusted CA Intermediate or Root CA. The OpenStack certificate should be created with a
Certificate <install-a-trusted-ca-certificate>`. wildcard SAN, for example:
.. code-block:: none
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:*.west2.us.example.com
.. rubric:: |proc| .. rubric:: |proc|
#. Install the certificate for OpenStack as Helm chart overrides. #. Put the |PEM| encoded versions of the OpenStack certificate and key in a
single file (e.g. **openstack-cert-key.pem**), and put the certificate of
the Root CA in a separate file (e.g. **openstack-ca-cert.pem**), and copy
the files to the controller host.
#. Install the certificate as the OpenStack REST API / Horizon Certificate.
.. code-block:: none .. code-block:: none
~(keystone_admin)$ system certificate-install -m openstack <certificate_file> ~(keystone_admin)]$ system certificate-install -m ssl_ca openstack-ca-cert.pem
~(keystone_admin)]$ system certificate-install -m openstack_ca openstack-ca-cert.pem
where <certificate\_file> is a pem file containing both the certificate and ~(keystone_admin)$ system certificate-install -m openstack openstack-cert-key.pem
private key.
.. note::
The OpenStack certificate must be created with wildcard |SAN|.
For example, to create a certificate for |FQDN|: west2.us.example.com,
the following entry must be included in the certificate:
.. code-block:: none
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:*.west2.us.example.com
#. Apply the Helm chart overrides containing the certificate changes. #. Apply the Helm chart overrides containing the certificate changes.
@ -46,4 +45,3 @@ Certificate <install-a-trusted-ca-certificate>`.
~(keystone_admin)$ system application-apply wr-openstack ~(keystone_admin)$ system application-apply wr-openstack