4d8775ca61
Removed rst substitution from tables and inline markups. Updated table and reestructured sections in the overview. Fixed issues, reworded paragraphs, changed titles. Deleted unnecessary sections, added a new item to section and fixed editorial issues. Fixed editorial and formatting issues. Fixed more editorial and formatting issues. Fixed formatting and editorial issues. Added command line. Fixed command line. Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com> Change-Id: I69874db16c76d5aceac706f2b8033771780500ca
68 lines
2.1 KiB
ReStructuredText
68 lines
2.1 KiB
ReStructuredText
|
|
.. law1570030645265
|
|
.. _install-update-the-starlingx-rest-and-web-server-certificate:
|
|
|
|
============================================================
|
|
Install/Update the StarlingX Rest and Web Server Certificate
|
|
============================================================
|
|
|
|
Use the following procedure to install or update the certificate for the |prod|
|
|
REST API application endpoints \(Keystone, Barbican and |prod|\) and the
|
|
|prod| web administration server.
|
|
|
|
.. rubric:: |prereq|
|
|
|
|
Obtain an intermediate or Root |CA|-signed server certificate and key from a
|
|
trusted Intermediate or Root |CA|. Refer to the documentation for the external
|
|
Intermediate or Root |CA| that you are using, on how to create public
|
|
certificate and private key pairs, signed by intermediate or a Root |CA|, for
|
|
HTTPS.
|
|
|
|
For lab purposes, see :ref:`Create Certificates Locally using openssl
|
|
<create-certificates-locally-using-openssl>` for how to create a test
|
|
Intermediate or Root |CA| certificate and key, and use it to sign test
|
|
server certificates.
|
|
|
|
Put the |PEM| encoded versions of the server certificate and key in a single
|
|
file, and copy the file to the controller host.
|
|
|
|
.. note::
|
|
|
|
If you plan to use the container-based remote CLIs, due to a limitation in
|
|
the Python2 SSL certificate validation, the certificate used for the |prod|
|
|
REST API application endpoints and |prod| Web Administration Server ('ssl')
|
|
certificate must either have:
|
|
|
|
#. CN=IPADDRESS and SANs=IPADDRESS
|
|
|
|
or
|
|
|
|
#. CN=FQDN and SANs=FQDN
|
|
|
|
where IPADDRESS and FQDN are for the OAM Floating IP Address.
|
|
|
|
|
|
.. rubric:: |proc|
|
|
|
|
- Install/update the copied certificate.
|
|
|
|
For example:
|
|
|
|
.. code-block:: none
|
|
|
|
~(keystone_admin)]$ system certificate-install -m ssl <pathTocertificateAndKey>
|
|
|
|
where:
|
|
|
|
**<pathTocertificateAndKey>**
|
|
|
|
is the path to the file containing both the intermediate or Root
|
|
|CA|-signed server certificate and private key to install.
|
|
|
|
.. warning::
|
|
|
|
The REST and Web Server certificate are not automatically renewed, user
|
|
MUST renew the certificate prior to expiry, otherwise a variety of system
|
|
operations will fail.
|
|
|