docs/doc/source/security/kubernetes/add-a-trusted-ca.rst
Ron Stone 5a6d92789c Multiple Trusted CA validation
Update to reflect handling of expired certificates.
Incorporated patchset1 review comments.
Incorporated patchset2 review comments.

Signed-off-by: Ron Stone <ronald.stone@windriver.com>
Change-Id: I84de3ae0b37b949005d5ef306830a676e3eb8877
2021-10-14 12:26:46 +00:00


Manage Trusted CA Certificates

Generally, a trusted CA certificate needs to be added if clients on the hosts will connect to a server secured with SSL whose certificate is signed by an unknown Certificate Authority (CA).

For example, a trusted certificate is required if your helm charts or yaml manifest files refer to images stored in a docker registry whose certificate has been signed by an unknown Certificate Authority.

Trusted certificates can be added as part of the Ansible Bootstrap Playbook or by using the StarlingX/system REST API or CLI after installation.

Ansible Bootstrap Playbook

A trusted CA certificate may need to be specified as an override parameter for the Ansible Bootstrap Playbook. This is the case if the docker registries specified in the bootstrap overrides file use a certificate signed by an unknown CA. If so, the ssl_ca_cert parameter needs to be specified in the ansible overrides file, /home/sysadmin/localhost.yml, as part of bootstrap in the installation procedure.

For example:

ssl_ca_cert: /path/to/ssl_ca_cert_file

The ssl_ca_cert value is the absolute path of the file containing the certificate(s) to trust. The certificate(s) must be in PEM format, and the file may contain one or more certificates.

StarlingX/System CLI Trusted CA Certificate Install

After installation, adding a trusted CA certificate to the system may be required. This is the case if helm charts and/or yaml manifest files refer to images stored in a docker registry whose certificate has been signed by a not-well-known Certificate Authority.

Multiple trusted CA certificates can be added with a single install command by including multiple certificates in the specified file.

The certificate file must be in PEM format.

From the command line, run the certificate-install command.

~(keystone_admin)]$ system certificate-install -m ssl_ca <trusted-ca-bundle-pem-file>

where <trusted-ca-bundle-pem-file> contains one or more public certificates of CAs that should be trusted by the system.

The command prints a list of the certificates that were successfully installed from the file, followed by a list of the certificates that were not installed because of a certificate error (for example, an expired or not-yet-valid certificate). Certificates that fail validation are skipped; the remaining valid certificates in the file are still installed.

For example:

~(keystone_admin)]$ system certificate-install -m ssl_ca ext-registry-ca-certificates.pem

+-------------+------------------------------------------------+
| Property    | Value                                          |
+-------------+------------------------------------------------+
| uuid        | 5f677003-a08a-4725-9082-2b4ea81b33d5           |
| certtype    | ssl_ca                                         |
| signature   | ssl_ca_252107869940582877573916937829152170776 |
| start_date  | 2021-08-17 01:48:21+00:00                      |
| expiry_date | 2021-08-17 02:48:21+00:00                      |
+-------------+------------------------------------------------+
WARNING: Some certificates were not installed.
Error with cert number 2 in the file: certificate is not valid before 2021-08-13 14:00:21 nor after 2021-08-13 15:00:21
Error with cert number 3 in the file: certificate is not valid before 2021-08-13 14:00:21 nor after 2021-08-13 15:00:21
Error with cert number 4 in the file: certificate is not valid before 2018-08-16 20:28:20 nor after 2021-06-05 20:28:20
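The output above shows the behaviour to plan for when preparing a bundle: each certificate in the file is checked on its own, and a certificate outside its validity window is reported and skipped rather than failing the whole install. The following is an added example, not StarlingX code or documentation, that pre-checks a PEM bundle the same way before it is handed to certificate-install. It splits the bundle into individual certificates, reads each certificate's notBefore/notAfter with a minimal DER walker (no third-party libraries needed), and reports rejected certificates in the wording the CLI uses. The sample bundle is constructed: its certificates are skeletal and unsigned, carrying only the fields the walker reads, and their dates are the ones shown in the CLI output above; the assumed evaluation time NOW is 2021-08-17 02:00:00 UTC.

```python
"""Pre-check a PEM CA bundle before running system certificate-install.

Added example (not StarlingX code). The sample bundle at the bottom is
constructed: skeletal, unsigned certificates that only exercise the parser.
"""
import base64
import re
from datetime import datetime, timezone

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def split_pem_bundle(text):
    """Return the DER bytes of every certificate in the bundle, in file order."""
    return [base64.b64decode("".join(m.group(1).split()))
            for m in PEM_CERT.finditer(text)]


def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _parse_time(tag, raw):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware datetime."""
    text = raw.decode("ascii")
    if tag == 0x17:                        # RFC 5280: YY >= 50 means 19YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def validity_window(der):
    """Walk Certificate -> tbsCertificate -> validity; return (notBefore, notAfter)."""
    _, pos, _ = _tlv(der, 0)               # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)             # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        pos = end
        _, _, end = _tlv(der, pos)
    pos = end                              # past serialNumber
    _, _, pos = _tlv(der, pos)             # past signature AlgorithmIdentifier
    _, _, pos = _tlv(der, pos)             # past issuer Name
    _, pos, _ = _tlv(der, pos)             # into validity SEQUENCE
    times = []
    for _ in range(2):
        tag, start, end = _tlv(der, pos)
        times.append(_parse_time(tag, der[start:end]))
        pos = end
    return times[0], times[1]


def check_bundle(pem_text, now):
    """Return (installable cert numbers, error lines) for the bundle at time `now`."""
    installable, errors = [], []
    for number, der in enumerate(split_pem_bundle(pem_text), start=1):
        try:
            not_before, not_after = validity_window(der)
        except (IndexError, ValueError, UnicodeDecodeError):
            errors.append(f"Error with cert number {number} in the file: "
                          "certificate could not be parsed")
            continue
        if not not_before <= now <= not_after:
            errors.append(f"Error with cert number {number} in the file: certificate is "
                          f"not valid before {not_before:%Y-%m-%d %H:%M:%S} "
                          f"nor after {not_after:%Y-%m-%d %H:%M:%S}")
        else:
            installable.append(number)
    return installable, errors


# --- constructed sample data (not real certificates) -----------------------

def _der(tag, body):
    """Minimal DER encoder for the sample (short-form lengths only)."""
    return bytes([tag, len(body)]) + body


def sample_cert_pem(not_before, not_after):
    """Skeletal, unsigned certificate carrying only the fields validity_window() walks."""
    def utc(d):
        return _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = (_der(0xA0, _der(0x02, b"\x02"))           # [0] version v3
           + _der(0x02, b"\x01")                      # serialNumber
           + _der(0x30, b"")                          # signature (placeholder)
           + _der(0x30, b"")                          # issuer (placeholder)
           + _der(0x30, utc(not_before) + utc(not_after)))
    b64 = base64.encodebytes(_der(0x30, _der(0x30, tbs))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"


def T(*args):
    return datetime(*args, tzinfo=timezone.utc)


NOW = T(2021, 8, 17, 2, 0, 0)                          # assumed evaluation time
SAMPLE_BUNDLE = (                                      # dates from the CLI output above
    sample_cert_pem(T(2021, 8, 17, 1, 48, 21), T(2021, 8, 17, 2, 48, 21))    # valid at NOW
    + sample_cert_pem(T(2021, 8, 13, 14, 0, 21), T(2021, 8, 13, 15, 0, 21))  # expired
    + sample_cert_pem(T(2018, 8, 16, 20, 28, 20), T(2021, 6, 5, 20, 28, 20)))  # expired

if __name__ == "__main__":
    ok, errs = check_bundle(SAMPLE_BUNDLE, NOW)
    print("installable:", ok)
    print("\n".join(errs))
```

Run it on a real bundle by passing the file's text to check_bundle() with datetime.now(timezone.utc); certificates it lists as errors are the ones certificate-install would also report, so they can be removed or renewed before the install rather than discovered afterwards.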

StarlingX/System CLI Trusted CA Certificate Uninstall

To remove a trusted CA certificate, first list the trusted CA certificates by running the following command:

~(keystone_admin)]$ system certificate-list

where all entries with certtype = ssl_ca are trusted CA certificates.

Then remove a trusted CA certificate from the list of trusted CA certificates by running the following command:

~(keystone_admin)]$ system certificate-uninstall -m ssl_ca <UUID>

where <UUID> is the UUID of the ssl_ca certtype entry to be removed.