Chapter 14. Certificate management

Manage TLS certificates for Red Hat Ceph Storage services with the cephadm certificate manager (certmgr). It supports both self-signed and bring-your-own certificates.

cephadm certmgr acts as the Root Certificate Authority (CA) for all self-signed certificates generated by cephadm. For services that require SSL, admins can either bring their own certificate or allow cephadm to generate a self-signed certificate. This ensures secure communication while offering flexibility for deployment preferences.

cephadm certmgr automatically detects whether a certificate is self-signed (generated by cephadm) or user-provided, either embedded as a value in the service spec or referenced externally. This distinction determines how it handles expirations and renewals.

Self-signed certificates
  • certmgr fully automates renewal, helping to ensure seamless service operation.
  • Automation is controlled by configuration parameters defining certificate duration, renewal thresholds, and whether automated rotation is enabled.

User-provided certificates

There are two types of user-provided certificates: inline and reference.

Inline certificates
Certificates are embedded in the service specification. The certificates cannot be modified directly with certmgr.
Reference certificates
Certificates are set and managed with certmgr. These certificates must be manually uploaded.

For more information about how certmgr handles user-provided certificate expiration, see Certificate health monitoring.

Lifecycle configuration

To manage certificate lifecycles, certmgr continuously monitors certificates and applies renewal policies based on the certificate type and configured parameters. Cephadm provides several configuration options to manage certificate lifecycle and renewal.

See the following table for details on configuration options, values, and descriptions.

Table 14.1. certmgr certificate lifecycle configuration options

Configuration: mgr/cephadm/certificate_automated_rotation_enabled
Values: True (default), False
Description: Enabled by default. Controls whether cephadm automatically rotates certificates upon expiration. When disabled, cephadm still checks certificates but issues a health error or warning instead of renewing expired self-signed certificates.

Configuration: mgr/cephadm/certificate_duration_days
Values: 3 * 365 (default), min: 90, max: 10 * 365
Description: Specifies the duration (in days) of self-signed certificates generated and signed by the cephadm root CA. This determines the validity period before renewal is required.

Configuration: mgr/cephadm/certificate_renewal_threshold_days
Values: 30 (default), min: 10, max: 90
Description: Number of days before a certificate's expiration at which cephadm initiates renewal. Applies to both self-signed and user-provided certificates. For user-provided certificates, cephadm issues a health error or warning as the renewal period approaches.

Configuration: mgr/cephadm/certificate_check_period
Values: 1 (default), min: 0, max: 30
Description: How often (in days) certificates are checked for validity. Setting this to 0 disables certificate checking.

Certificate health monitoring

Cephadm continuously monitors the status of all managed certificates, both self-signed and user-provided.

  • If a certificate is invalid or has already expired, cephadm issues a health error (CEPHADM_CERT_ERROR) to alert administrators.
  • If a certificate is approaching its expiration date, as determined by the configured mgr/cephadm/certificate_renewal_threshold_days, cephadm issues a health warning.

Self-signed certificates are automatically renewed by cephadm if automation is enabled, but user-provided certificates cannot be renewed automatically. In either case, cephadm alerts administrators so they can take timely action. This proactive monitoring helps ensure uninterrupted service operation while giving users control over their certificate policies.
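The renewal policy that Table 14.1 and this section describe, modelled as an added example (not cephadm's own code). The option names, defaults and bounds come from the table; the Cert class, its well_formed flag, and the choice to treat a malformed certificate as an error even when rotation is enabled are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date

# Defaults and bounds taken from Table 14.1 (all values are day counts)
DEFAULTS = {
    "certificate_automated_rotation_enabled": True,
    "certificate_duration_days": 3 * 365,
    "certificate_renewal_threshold_days": 30,
    "certificate_check_period": 1,
}
BOUNDS = {
    "certificate_duration_days": (90, 10 * 365),
    "certificate_renewal_threshold_days": (10, 90),
    "certificate_check_period": (0, 30),
}


def validate_config(overrides):
    """Merge overrides with the defaults and reject out-of-range values."""
    cfg = {**DEFAULTS, **overrides}
    for key, (lo, hi) in BOUNDS.items():
        if not lo <= cfg[key] <= hi:
            raise ValueError(f"{key}={cfg[key]} is outside [{lo}, {hi}]")
    return cfg


@dataclass
class Cert:
    name: str
    source: str               # "cephadm_signed", "inline" or "reference"
    not_after: str            # expiry date, ISO format (YYYY-MM-DD)
    well_formed: bool = True  # False models an unparsable or untrusted cert (assumption)


def evaluate(cert, cfg, today):
    """Return (status, action) following the monitoring rules above.

    Only cephadm-signed certificates are renewed, and only while automated
    rotation is enabled; everything else yields a health warning or error.
    """
    auto = cert.source == "cephadm_signed" and cfg["certificate_automated_rotation_enabled"]
    days_left = (date.fromisoformat(cert.not_after) - date.fromisoformat(today)).days
    if not cert.well_formed:
        # Assumption: a malformed cert is reported rather than silently regenerated
        return "invalid", "CEPHADM_CERT_ERROR"
    if days_left < 0:
        return "expired", ("renew" if auto else "CEPHADM_CERT_ERROR")
    if days_left <= cfg["certificate_renewal_threshold_days"]:
        return "expiring", ("renew" if auto else "health_warning")
    return "valid", "none"
```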

SSL fields in service specifications

Service specifications supporting SSL/TLS can define certain fields, as needed. See the following table for the optional configuration fields and their values.

Note

If you set ssl to true without additional configuration, the certificate manager issues cephadm-signed certificates for the service by default.

Table 14.2. Optional SSL configuration fields

Field: ssl
Values: Boolean to enable or disable SSL.

Field: ssl_cert
Values: Used for inline certificates: the certificate content.

Field: ssl_key
Values: Used for inline certificates: the key content.

Field: certificate_source
Values: One of inline, reference, cephadm_signed.

Note

If certificate_source is set to reference and the certificate is missing, you must upload both the certificate and the key. Use the names shown in the output of the ceph orch certmgr bindings ls command, which lists the certificate and key names available for each service.

ceph orch certmgr cert set --cert-name CERT_NAME --service-name SERVICE_NAME -i CERT_KEY_PEM_FILE

Certificate scopes

cephadm certmgr supports three different scopes for certificate management: global, per-host, and per-service.

Table 14.3. Certificate scopes

Scope: Global
Description: Certificates in this scope are shared across all service daemons, regardless of which host they run on.
Example services: The mgmt-gateway certificate is a globally shared certificate used by all service daemons.

Scope: Per-host
Description: Certificates are assigned per host, meaning each host has its own unique certificate. When configuring a custom certificate, the user must specify the host to which the certificate applies.
Example services: grafana service certificates are configured at the host level and apply specifically to a single machine.

Scope: Per-service
Description: Certificates are configured per service name, so each service instance can have its own certificate. When specifying a custom certificate, the user must define the service to which it belongs.
Example services: An rgw service certificate is assigned specifically and only to a Ceph Object Gateway service.

14.1. Manage certificates with certmgr

Use certmgr to list, check, retrieve, upload, generate, and remove TLS certificates and keys for Red Hat Ceph Storage services.

Prerequisites

Before you begin, make sure that you have the following prerequisites in place:

  • A running Red Hat Ceph Storage cluster with cephadm.
  • Administrator access to the cephadm shell.

List certificates

List all certificates that certmgr manages.

List all certificates by using the certmgr cert ls command.

Note

By default, the command omits cephadm-signed certificates. To include the cephadm-signed certificates, use the --include-cephadm-signed option.

ceph orch certmgr cert ls

The certmgr cert ls command includes the following filtering options:

--show-details
The basic command displays an overview of all certificates currently managed by Cephadm. Use the --show-details option to include additional information such as issuing authorities and certificate extensions.
--include-cephadm-signed
Use this option to include cephadm-signed certificates.
--filter-by
Filter by name, status, and scope.
ceph orch certmgr cert ls [--show-details] [--include-cephadm-signed] [--filter-by EXPRESSION]

Example

[ceph: root@host01 /]# ceph orch certmgr cert ls --include-cephadm-signed
[ceph: root@host01 /]# ceph orch certmgr cert ls --filter-by "status=expired"
[ceph: root@host01 /]# ceph orch certmgr cert ls --filter-by "scope=service,status=expiring"
[ceph: root@host01 /]# ceph orch certmgr cert ls --include-cephadm-signed --filter-by "name=rgw*,status=valid"
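A small model of the --filter-by expressions shown in the examples above, added here as illustration and not taken from certmgr. It assumes an expression is a comma-separated list of key=value terms over name, status and scope, that the name term accepts shell-style wildcards, and it runs over a constructed inventory rather than a live cluster.

```python
from fnmatch import fnmatchcase

# Constructed inventory, shaped like the fields the page's filter examples use
INVENTORY = [
    {"name": "rgw_zone_a_cert", "scope": "service", "status": "valid"},
    {"name": "rgw_zone_b_cert", "scope": "service", "status": "expiring"},
    {"name": "grafana_cert", "scope": "host", "status": "expired"},
    {"name": "mgmt_gw_cert", "scope": "global", "status": "valid"},
]
ALLOWED_KEYS = {"name", "status", "scope"}


def parse_filter(expression):
    """Turn 'name=rgw*,status=valid' into {'name': 'rgw*', 'status': 'valid'}."""
    terms = {}
    for term in expression.split(","):
        term = term.strip()
        if not term:
            continue
        key, sep, value = term.partition("=")
        if not sep or key not in ALLOWED_KEYS or not value:
            raise ValueError(f"bad filter term: {term!r}")
        terms[key] = value
    return terms


def matches(cert, terms):
    """All terms must match; only the name term is a wildcard pattern (assumption)."""
    for key, pattern in terms.items():
        if key == "name":
            if not fnmatchcase(cert["name"], pattern):
                return False
        elif cert[key] != pattern:
            return False
    return True


def filter_certs(expression, inventory=INVENTORY):
    """Return the names of inventory entries selected by the expression."""
    terms = parse_filter(expression)
    return [c["name"] for c in inventory if matches(c, terms)]
```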

List certificate bindings

Show bindings between services (consumers) and the certificates/keys managed by certmgr.

You will reuse these names when retrieving or setting scoped material.

Display all entities that are associated with managed certificates.

ceph orch certmgr bindings ls

Check certificate status

Validate integrity and expiration across all managed certificates.

Check the validity and expiration for certificates that certmgr manages.

ceph orch certmgr cert check

List certificate keys

List private keys managed by certmgr.

List the private keys.

Note

By default, the command omits cephadm-signed keys. To include the cephadm-signed keys, use the --include-cephadm-signed option.

ceph orch certmgr key ls [--include-cephadm-signed]

Retrieve a certificate

Retrieve a certificate for inspection or export.

Before you begin, identify the certificate name and relevant service_name or hostname. Use these when the certificate scope is per-service or per-host. For more information, see List certificate bindings.

Get the PEM content of a specific certificate for inspection or export.

ceph orch certmgr cert get CERTIFICATE_NAME [--service_name SERVICE_NAME] [--hostname HOSTNAME] [--no-exception-when-missing]

Replace CERTIFICATE_NAME with the certificate name.

  • Use the --service_name argument for certificates with service scope.
  • Use the --hostname argument for certificates with host scope.

Retrieve a certificate key

Retrieve a private key associated with a specific certificate.

Before you begin, identify the key name and relevant service_name or hostname. Use these when the certificate scope is per-service or per-host. For more information, see List certificate bindings.

Get the private key.

ceph orch certmgr key get KEY_NAME [--service_name SERVICE_NAME] [--hostname HOSTNAME] [--no-exception-when-missing]

Replace KEY_NAME with the certificate key name.

  • Use the --service_name argument for certificates with service scope.
  • Use the --hostname argument for certificates with host scope.

Set a certificate-key pair

Upload a new certificate-key pair, or replace an existing one, for a given service.

Before you begin, make sure that you have the following prerequisites in place:

  • Identify the certificate name to use as the SERVICE_TYPE.
  • Identify other relevant fields, as needed, such as the service_name or hostname.

For more information, see List certificate bindings.

Set the certificate-key pair for a service.

ceph orch certmgr cert-key set SERVICE_TYPE [--cert CERTIFICATE] [--key KEY] [--service_name SERVICE_NAME] [--hostname HOSTNAME] [-i CERT_KEY_PATH] [--force]

Use the -i option to specify a file containing a combined certificate and key in PEM format.

Note

When specifying a combined certificate and key, be sure that the file contains both the certificate and the private key placed together in a single PEM file, in that sequence.
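A pre-flight check for the combined PEM file that the -i option expects, added as an example and not part of cephadm. It only inspects PEM block markers and order (no cryptographic validation); the sample files are constructed with placeholder bodies, and allowing extra CERTIFICATE blocks for a chain after the leaf is an assumption of this example.

```python
import re

# One PEM block: a BEGIN label, a body, and the matching END label
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

# Constructed sample files with placeholder bodies (not real key material)
COMBINED_PEM = (
    "-----BEGIN CERTIFICATE-----\nMIIB...constructed-placeholder...\n-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\nMIIE...constructed-placeholder...\n-----END PRIVATE KEY-----\n"
)
KEY_FIRST_PEM = (
    "-----BEGIN PRIVATE KEY-----\nMIIE...constructed-placeholder...\n-----END PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIB...constructed-placeholder...\n-----END CERTIFICATE-----\n"
)


def pem_labels(text):
    """Return the block labels in file order, e.g. ['CERTIFICATE', 'PRIVATE KEY']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_combined_pem(text):
    """Return (ok, reason) for a file intended for 'cert-key set -i'.

    Requires at least one CERTIFICATE block followed by exactly one private
    key block (PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY, ...), and no
    other block types. Chain certificates after the leaf are tolerated.
    """
    labels = pem_labels(text)
    if not labels:
        return False, "no PEM blocks found"
    if text.count("-----BEGIN ") != len(labels):
        return False, "a BEGIN marker has no matching END marker"
    certs = [i for i, label in enumerate(labels) if label == "CERTIFICATE"]
    keys = [i for i, label in enumerate(labels) if label.endswith("PRIVATE KEY")]
    if not certs:
        return False, "missing CERTIFICATE block"
    if len(keys) != 1:
        return False, f"expected exactly one private key block, found {len(keys)}"
    if keys[0] < certs[-1]:
        return False, "private key must follow the certificate"
    if set(labels) - {"CERTIFICATE", labels[keys[0]]}:
        return False, "unexpected block type in file"
    return True, "certificate followed by private key"
```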

Set a certificate

Add or replace an existing certificate.

Set or update the certificate.

ceph orch certmgr cert set CERTIFICATE_NAME [--cert CERTIFICATE] [--service_name SERVICE_NAME] [--hostname HOSTNAME] [-i CERT_KEY_PATH]

Set a certificate key

Administrators can provide new private keys for services.

Set or update the key.

ceph orch certmgr key set KEY_NAME [--key KEY] [--service_name SERVICE_NAME] [--hostname HOSTNAME] [-i CERT_KEY_PATH]

Remove a certificate

Use this information to remove an existing certificate.

Removing a certificate requires a valid certificate name. To get the certificate name, use the certmgr cert ls command. For more information, see List certificates.

Remove an existing certificate.

ceph orch certmgr cert rm CERTIFICATE_NAME [--service_name SERVICE_NAME] [--hostname HOSTNAME]

  • Use the --service_name argument for certificates with service scope.
  • Use the --hostname argument for certificates with host scope.

Remove a certificate key

Use this information to remove an existing private key.

Removing a private key requires a valid key name. To get the key name, use the certmgr key ls command. For more information, see List certificate keys.

Remove an existing key.

ceph orch certmgr key rm KEY_NAME [--key KEY] [--service_name SERVICE_NAME] [--hostname HOSTNAME]

  • Use the --service_name argument for certificates with service scope.
  • Use the --hostname argument for certificates with host scope.

Generate certificates for a module

Automatically provision certificates for a Manager module.

Generating certificates for a Manager module is typically used for modules that require automatic TLS provisioning, such as the Ceph Dashboard.

Generate a new certificate.

ceph orch certmgr generate-certificates MODULE_NAME

© 2026 Red Hat