Appendix A. SSL/TLS Certificate Configuration
As an optional part of the processes outlined in Section 4.6, “Configuring the Director” or Section 6.11, “Enabling SSL/TLS on the Overcloud”, you can enable SSL/TLS for communication on either the Undercloud or the Overcloud. However, if you use an SSL/TLS certificate signed by your own certificate authority, the certificate requires a certain configuration for use.
Creating a Certificate Authority
Normally you sign your SSL/TLS certificates with an external certificate authority. In some situations, you might want to use your own certificate authority, for example an internal-only certificate authority.
Generate a key and certificate pair to act as the certificate authority:
$ openssl genrsa -out ca.key.pem 4096
$ openssl req -key ca.key.pem -new -x509 -days 7300 -extensions v3_ca -out ca.crt.pem
The openssl req command asks for certain details about your authority. Enter these details.
This creates a certificate file called ca.crt.pem. Copy this file to each client that needs to access your Red Hat OpenStack Platform environment and run the following commands to add it to the certificate authority trust bundle:
$ sudo cp ca.crt.pem /etc/pki/ca-trust/source/anchors/
$ sudo update-ca-trust extract
Creating an SSL/TLS Certificate
This next procedure creates a signed certificate for either the Undercloud or the Overcloud.
Copy the default OpenSSL configuration file for customization.
$ cp /etc/pki/tls/openssl.cnf .
Edit the custom openssl.cnf file and set the SSL parameters to use for the director. An example of the types of parameters to modify includes:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = AU
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Queensland
localityName = Locality Name (eg, city)
localityName_default = Brisbane
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Red Hat
commonName = Common Name
commonName_default = 192.168.0.1
commonName_max = 64

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
IP.1 = 192.168.0.1
DNS.1 = 192.168.0.1
DNS.2 = instack.localdomain
DNS.3 = vip.localdomain
Important
Set commonName_default to the IP address of the Public API, or to its fully qualified domain name if you use one:
- For the Undercloud, use the undercloud_public_vip parameter in undercloud.conf. If you use a fully qualified domain name for this IP address, use the domain name instead.
- For the Overcloud, use the IP address of the Public API, which is the first address in the ExternalAllocationPools parameter in your network isolation environment file. If you use a fully qualified domain name for this IP address, use the domain name instead.
Include the same Public API IP address as both an IP entry and a DNS entry in the alt_names section. If you also use DNS, include the hostname of the server as DNS entries in the same section. For more information about openssl.cnf, run man openssl.cnf.
Run the following commands to generate the key (server.key.pem), the certificate signing request (server.csr.pem), and the signed certificate (server.crt.pem). The openssl ca command signs the request with the ca.crt.pem and ca.key.pem pair created above; it also expects the CA database files (the database, serial and new_certs_dir entries in the [ ca ] section of openssl.cnf) to exist.
$ openssl genrsa -out server.key.pem 2048
$ openssl req -config openssl.cnf -key server.key.pem -new -out server.csr.pem
$ sudo openssl ca -config openssl.cnf -extensions v3_req -days 3650 -in server.csr.pem -out server.crt.pem -cert ca.crt.pem -keyfile ca.key.pem
Important
The openssl req command asks for several details for the certificate, including the Common Name. Make sure the Common Name is set to the IP address of the Public API for the Undercloud or Overcloud (depending on which certificate set you are creating). The openssl.cnf file should use this IP address as the default value.
Use this key pair to create an SSL/TLS certificate for either the Undercloud or the Overcloud.
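The two procedures above (creating the certificate authority, then the key, CSR and CA-signed server certificate) are easy to get subtly wrong: the signed certificate may not chain to the CA you intend, the Subject Alternative Name may be missing the Public API address, or the key bundled with the certificate may not be its own. The script below is an added example, not code from the Red Hat documentation. It builds a throwaway CA and server certificate non-interactively with the same openssl commands and the same [req], [v3_req] and [alt_names] values as the page, bundles them as undercloud.pem, and then checks the result the way you would before copying it to HAProxy. It assumes openssl is on PATH and uses the page's sample address 192.168.0.1 and the instack.localdomain / vip.localdomain hostnames as stand-ins for your real Public API values; the [ ca ] section, its database files and the -keyfile option are supplied because the page's copied /etc/pki/tls/openssl.cnf points openssl ca at /etc/pki/CA instead.

```shell
#!/bin/sh
# Added example (not Red Hat's code): throwaway internal CA that issues the
# server certificate as the appendix does (openssl req -> openssl ca with the
# v3_req SAN extensions), bundles it as undercloud.pem and verifies the result.
# Assumes openssl on PATH; 192.168.0.1 and *.localdomain are the page's samples.
set -eu

PUBLIC_API_IP=192.168.0.1
WORKDIR=$(mktemp -d)

# openssl.cnf with the page's [req]/[v3_req]/[alt_names] content (prompt = no,
# so the DN values are read from the file) plus the [ca] section and database
# files that "openssl ca" needs; the page's copied /etc/pki/tls/openssl.cnf
# points these at /etc/pki/CA instead.
write_config() {
    mkdir -p "$WORKDIR/ca/newcerts"
    : > "$WORKDIR/ca/index.txt"     # empty issued-certificate database
    echo 01 > "$WORKDIR/ca/serial"  # serial number of the first certificate
    cat > "$WORKDIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = $WORKDIR/ca
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial        = \$dir/serial
default_md    = sha256
policy        = policy_anything
[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationalUnitName = optional
commonName             = supplied
[ req ]
prompt             = no
default_md         = sha256
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName            = AU
stateOrProvinceName    = Queensland
localityName           = Brisbane
organizationalUnitName = Red Hat
commonName             = $PUBLIC_API_IP
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName   = @alt_names
[ alt_names ]
IP.1  = $PUBLIC_API_IP
DNS.1 = $PUBLIC_API_IP
DNS.2 = instack.localdomain
DNS.3 = vip.localdomain
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
}

# Same two commands as "Creating a Certificate Authority", made non-interactive.
make_ca() {
    openssl genrsa -out "$WORKDIR/ca.key.pem" 4096 2>/dev/null
    openssl req -config "$WORKDIR/openssl.cnf" -key "$WORKDIR/ca.key.pem" -new -x509 \
        -days 7300 -extensions v3_ca -subj "/CN=Internal Test CA" -out "$WORKDIR/ca.crt.pem"
}

# Key, CSR and signed certificate as in "Creating an SSL/TLS Certificate";
# -keyfile makes openssl ca sign with ca.key.pem instead of /etc/pki/CA's key.
make_server_cert() {
    openssl genrsa -out "$WORKDIR/server.key.pem" 2048 2>/dev/null
    openssl req -config "$WORKDIR/openssl.cnf" -reqexts v3_req -key "$WORKDIR/server.key.pem" \
        -new -out "$WORKDIR/server.csr.pem"
    openssl ca -config "$WORKDIR/openssl.cnf" -extensions v3_req -days 3650 -batch -notext \
        -cert "$WORKDIR/ca.crt.pem" -keyfile "$WORKDIR/ca.key.pem" \
        -in "$WORKDIR/server.csr.pem" -out "$WORKDIR/server.crt.pem" >/dev/null 2>&1
    # HAProxy bundle, built exactly as the page builds undercloud.pem
    cat "$WORKDIR/server.crt.pem" "$WORKDIR/server.key.pem" > "$WORKDIR/undercloud.pem"
}

# Checks worth running before the bundle goes to /etc/pki/instack-certs.
chains_to_ca() {
    openssl verify -CAfile "$WORKDIR/ca.crt.pem" "$WORKDIR/server.crt.pem" >/dev/null 2>&1
}
has_san() {  # $1 is a SAN entry as openssl prints it, e.g. "IP Address:192.168.0.1"
    openssl x509 -in "$WORKDIR/server.crt.pem" -noout -text \
        | grep -A1 'Subject Alternative Name' | grep -q -- "$1"
}
is_not_ca() {
    openssl x509 -in "$WORKDIR/server.crt.pem" -noout -text | grep -q 'CA:FALSE'
}
bundle_key_matches_cert() {  # the key following the cert in undercloud.pem must be its own
    [ "$(openssl x509 -in "$WORKDIR/undercloud.pem" -noout -modulus)" = \
      "$(openssl rsa -in "$WORKDIR/undercloud.pem" -noout -modulus 2>/dev/null)" ]
}

write_config && make_ca && make_server_cert
chains_to_ca && has_san "IP Address:$PUBLIC_API_IP" && has_san "DNS:vip.localdomain" \
    && is_not_ca && bundle_key_matches_cert || { echo "checks failed in $WORKDIR" >&2; exit 1; }
echo "verified certificate for $PUBLIC_API_IP; bundle at $WORKDIR/undercloud.pem"
```

The four check functions are the part worth keeping for a real deployment: point them at your own ca.crt.pem, server.crt.pem and undercloud.pem, and substitute the undercloud_public_vip or ExternalAllocationPools address for the sample IP. The checks confirm what the Important notes above require (the certificate chains to your CA, carries the Public API address and hostnames as SAN entries, is not itself a CA certificate, and is bundled with its own private key) without touching SELinux or undercloud.conf. Remove the temporary $WORKDIR when you are done, since it holds private keys.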
Using the Certificate with the Undercloud
Run the following command to create the certificate:
$ cat server.crt.pem server.key.pem > undercloud.pem
This creates an undercloud.pem file for use with the undercloud_service_certificate option in the undercloud.conf file. Because this bundle contains the private key, keep it readable only by root. The file also requires a special SELinux context so that the HAProxy tool can read it. Use the following example as a guide:
$ sudo mkdir /etc/pki/instack-certs
$ sudo cp ~/undercloud.pem /etc/pki/instack-certs/.
$ sudo semanage fcontext -a -t etc_t "/etc/pki/instack-certs(/.*)?"
$ sudo restorecon -R /etc/pki/instack-certs
Add the certificate authority to the Undercloud's list of trusted Certificate Authorities:
$ sudo cp ca.crt.pem /etc/pki/ca-trust/source/anchors/
$ sudo update-ca-trust extract
Add the undercloud.pem file location to the undercloud_service_certificate option in the undercloud.conf file. For example:
undercloud_service_certificate = /etc/pki/instack-certs/undercloud.pem
Continue installing the Undercloud as per the instructions in Section 4.6, “Configuring the Director”.
Using the Certificate with the Overcloud
Use the certificate with the enable-tls.yaml file from Section 6.11, “Enabling SSL/TLS on the Overcloud”.