Custom FQDN and Certificates
Custom FQDN
If you would like the management plane served on a different FQDN, set the duFqdn field in the airctl config file. For example, if you would like your management plane FQDN to be mg-plane.example.com, you would set:
    duFqdn: mg-plane.example.com
Custom Certificates
Users can supply their own signed certificates or a CA for the management plane. By default, airctl generates a private key and a self-signed root CA, then issues the management plane certificates signed by that CA.
User supplied CA
A user can supply their own CA, which airctl will use to sign the management plane certs. Since the CA's private key is also required, it is recommended to use an intermediate CA rather than a root. airctl will add all the SANs required by the management plane to the certificates it issues.
To supply a custom CA and private key, specify the following in the airctl config:
    caCertPath: <path to PEM encoded CA cert>
    caKeyPath: <path to private key for CA>
User supplied Certs
It is also possible to directly specify the certificates used by the management plane. In this case, airctl bypasses CA generation and cert generation, and passes the cert/key directly into Kubernetes as the TLS Secret. To do so, make sure the caCertPath and caKeyPath options above are empty, and specify the following config options instead:
    certPath: <path to cert>
    certKeyPath: <path to private key>
The certificates must be generated with the appropriate wildcard SANs and Key Usage extensions. The required SANs are:
- *.pf9.localnet
- *.custom.domain.net
The first, *.pf9.localnet, is required for internal use. The second depends on the shortname/FQDN used for the management plane: replace the first label of the FQDN with a wildcard. For example, if the management plane FQDN is "air99.platform9.net", ensure the certificate has a SAN for *.platform9.net.
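A pre-flight check for user-supplied certificates, added here as an example and not part of airctl: it derives the wildcard SANs the page requires from the configured duFqdn, pulls the DNS names out of `openssl x509 -noout -ext subjectAltName` output (the sample output below is constructed), and reports which required SANs are missing. Wildcard matching follows the one-label rule, so *.platform9.net covers air99.platform9.net but not platform9.net or a.b.platform9.net.

```python
"""Check that a management-plane cert carries the SANs airctl requires (example code)."""

INTERNAL_SAN = "*.pf9.localnet"  # always required for internal traffic


def required_sans(du_fqdn: str) -> list[str]:
    """Wildcard SANs a cert must carry: the fixed internal one plus the
    duFqdn with its first label replaced by '*' (air99.platform9.net -> *.platform9.net)."""
    labels = du_fqdn.strip().lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"duFqdn must have at least two labels: {du_fqdn!r}")
    return [INTERNAL_SAN, "*." + ".".join(labels[1:])]


def san_matches(san: str, hostname: str) -> bool:
    """RFC 6125-style match: a leading '*' covers exactly one leftmost label."""
    san, hostname = san.lower(), hostname.lower()
    if not san.startswith("*."):
        return san == hostname
    suffix = san[1:]  # ".platform9.net"
    if not hostname.endswith(suffix) or len(hostname) <= len(suffix):
        return False
    return "." not in hostname[: -len(suffix)]


def sans_from_openssl(text: str) -> list[str]:
    """Extract DNS names from `openssl x509 -noout -ext subjectAltName` output."""
    names = []
    for line in text.splitlines():
        for entry in line.split(","):
            entry = entry.strip()
            if entry.startswith("DNS:"):
                names.append(entry[len("DNS:"):])
    return names


def missing_sans(cert_sans: list[str], du_fqdn: str) -> list[str]:
    """Required wildcard SANs that the cert does not carry verbatim."""
    present = {s.lower() for s in cert_sans}
    return [req for req in required_sans(du_fqdn) if req not in present]


# Constructed sample of openssl output for a cert issued for the wrong domain.
SAMPLE_SAN_OUTPUT = """X509v3 Subject Alternative Name:
    DNS:*.pf9.localnet, DNS:*.example.com
"""

if __name__ == "__main__":
    sans = sans_from_openssl(SAMPLE_SAN_OUTPUT)
    print("missing for air99.platform9.net:", missing_sans(sans, "air99.platform9.net"))
```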
In addition, ensure the following Key Usage extensions are enabled:
Renewing Certs
The self-signed CA and the certificates it issues expire after 3 years. They are renewed every time the management plane is upgraded.
To renew the certs outside of a management plane upgrade, follow the steps above to specify either a CA or certificates in the airctl config (or leave both empty to have airctl generate and self-sign everything), and run:
airctl advanced-ddu renew-certs --config /opt/pf9/airctl/conf/airctl.yaml