Chapter 15. Configuring custom SSL/TLS certificates

Procedure

1. The /etc/pki/CA/index.txt file contains records of all signed certificates. Check if this file exists. If it does not exist, create an empty file:

   $ sudo touch /etc/pki/CA/index.txt

   Copy to Clipboard Toggle word wrap

2. The /etc/pki/CA/serial file identifies the next serial number to use for the next certificate to sign. Check if this file exists. If the file does not exist, create a new file with a new starting value:

   $ echo '1000' | sudo tee /etc/pki/CA/serial

   Copy to Clipboard Toggle word wrap

Procedure

1. Generate a key and certificate pair to act as the certificate authority:

1. The openssl req command asks for certain details about your authority. Enter these details at the prompt.

Procedure

1. Copy the certificate authority to the client system:

   $ sudo cp ca.crt.pem /etc/pki/ca-trust/source/anchors/

   Copy to Clipboard Toggle word wrap

2. After you copy the certificate authority file to each client, run the following command on each client to add the certificate to the certificate authority trust bundle:

   $ sudo update-ca-trust extract

   Copy to Clipboard Toggle word wrap

Procedure

1. Run the following command to generate the SSL/TLS key (server.key.pem):

   $ openssl genrsa -out server.key.pem 2048

   Copy to Clipboard Toggle word wrap

Procedure

1. Copy the default OpenSSL configuration file:

   $ cp /etc/pki/tls/openssl.cnf .

   Copy to Clipboard Toggle word wrap

2. Edit the new openssl.cnf file and configure the SSL parameters to use for the director. An example of the types of parameters to modify include:

   [req]
   distinguished_name = req_distinguished_name
   req_extensions = v3_req
   
   [req_distinguished_name]
   countryName = Country Name (2 letter code)
   countryName_default = AU
   stateOrProvinceName = State or Province Name (full name)
   stateOrProvinceName_default = Queensland
   localityName = Locality Name (eg, city)
   localityName_default = Brisbane
   organizationalUnitName = Organizational Unit Name (eg, section)
   organizationalUnitName_default = Red Hat
   commonName = Common Name
   commonName_default = 192.168.0.1
   commonName_max = 64
   
   [ v3_req ]
   # Extensions to add to a certificate request
   basicConstraints = CA:FALSE
   keyUsage = nonRepudiation, digitalSignature, keyEncipherment
   subjectAltName = @alt_names
   
   [alt_names]
   IP.1 = 192.168.0.1
   DNS.1 = instack.localdomain
   DNS.2 = vip.localdomain
   DNS.3 = 192.168.0.1

   Copy to Clipboard Toggle word wrap

   Set the commonName_default to one of the following entries:

   • If using an IP address to access the director over SSL/TLS, use the undercloud_public_host parameter in undercloud.conf.

   • If using a fully qualified domain name to access the director over SSL/TLS, use the domain name.

     Add subjectAltName = @alt_names to the v3_req section.

     Edit the alt_names section to include the following entries:

   • IP - A list of IP addresses that clients use to access the director over SSL.
   • DNS - A list of domain names that clients use to access the director over SSL. Also include the Public API IP address as a DNS entry at the end of the alt_names section.
   Note

   For more information about openssl.cnf, run the man openssl.cnf command.

3. Run the following command to generate a certificate signing request (server.csr.pem):

   $ openssl req -config openssl.cnf -key server.key.pem -new -out server.csr.pem

   Copy to Clipboard Toggle word wrap

   Ensure that you include your OpenStack SSL/TLS key with the -key option.

Procedure

1. Run the following command to create a certificate for your undercloud or overcloud:

   $ sudo openssl ca -config openssl.cnf -extensions v3_req -days 3650 -in server.csr.pem -out server.crt.pem -cert ca.crt.pem -keyfile ca.key.pem

   Copy to Clipboard Toggle word wrap

   This command uses the following options:

   -config

   Use a custom configuration file, which is our openssl.cnf file with v3 extensions.

   -extensions v3_req

   Enabled v3 extensions.

   -days

   Defines how long in days until the certificate expires.

   -in'

   The certificate signing request.

   -out

   The resulting signed certificate.

   -cert

   The certificate authority file.

   -keyfile

   The certificate authority private key.

Procedure

1. Run the following command to combine the certificate and key:

   $ cat server.crt.pem server.key.pem > undercloud.pem

   Copy to Clipboard Toggle word wrap

   This command creates a undercloud.pem file.

2. Copy the undercloud.pem file to a location within your /etc/pki directory and set the necessary SELinux context so that HAProxy can read it:

   $ sudo mkdir /etc/pki/undercloud-certs
   $ sudo cp ~/undercloud.pem /etc/pki/undercloud-certs/.
   $ sudo semanage fcontext -a -t etc_t "/etc/pki/undercloud-certs(/.*)?"
   $ sudo restorecon -R /etc/pki/undercloud-certs

   Copy to Clipboard Toggle word wrap

3. Add the undercloud.pem file location to the undercloud_service_certificate option in the undercloud.conf file:

   undercloud_service_certificate = /etc/pki/undercloud-certs/undercloud.pem

   Copy to Clipboard Toggle word wrap

4. Ensure you add the certificate authority that signed the certificate to the undercloud’s list of trusted Certificate Authorities so that different services within the undercloud have access to the certificate authority:

   $ sudo cp ca.crt.pem /etc/pki/ca-trust/source/anchors/
   $ sudo update-ca-trust extract

   Copy to Clipboard Toggle word wrap