How To Use Custom Certs In The Management Plane

Problem

As part of security enhancements, we would need to use the custom certs in the Platform9 Management Plane.

Environment

Platform9 Edge Cloud - LTS-2 and Higher.

Procedure

Steps to use your own CA and certs that Platform9 have used.

Note that depending on the CA you are using some steps may vary:

a. Create a csr.conf file with values based on our env:

csr.conf
    
​x
 
[req]default_bits = 4096distinguished_name = req_distinguished_namereq_extensions = req_extprompt = no​[req_distinguished_name]C = USST = CAL = Mountain ViewOU = TestingCN = airctl-1-2662399-213.pf9.localnet # DU FQDN​[req_ext]subjectAltName = @alt_names​[alt_names] DNS.1 = *.pf9.localnet # must have for nowDNS.2 = *.localnet  # this and following values should be based on the DU FQDNDNS.3 = *.pf9.localnetDNS.4 = *.airctl-1-2662399-213.pf9.localnet
Copy

b. Create CA key and certs:

Openssl
    
# openssl req -nodes -newkey rsa:4096 -x509  -keyout ${HOME}/ca.key.orig -out ${HOME}/ca.cert.pem -config ${HOME}/csr.conf
Copy

c. Remove passphrase from key

Openssl
    
 
# openssl rsa -in ${HOME}/ca.key.orig -out ${HOME}/ca.key
Copy

d. Add entries of CA key and cert to airctl.conf

CA entries
    
 
# yq w {AIRCTL_CONF} caCertPath /home/{self.SSH_USER}/ca.cert.pem -i# yq w {AIRCTL_CONF} caKeyPath /home/{self.SSH_USER}/ca.key -i
Copy

e. Add CA cert to trust store:

CA cert
    
 
# sudo update-ca-trust force-enable# sudo ln -s /home/{SSH_USER}/ca.cert.pem /etc/pki/ca-trust/source/anchors/airctl-ca.pem# sudo update-ca-trust extract
Copy

If you want to just use external CA and let airctl generate the certs for DU, this is enough. If you want to generate certs for DU as well, you can continue with following steps.

f. Generate new key for DU and generate cert signing request:

Openssl
    
 
# openssl req -out ${HOME}/server.csr -newkey rsa:4096 -nodes -keyout ${HOME}/server.key.orig -config ${HOME}/csr.conf
Copy

g. Sign the cert using CA:

Sign cert
    
# openssl x509 -req -days 365 -in ${HOME}/server.csr -CA ${HOME}/ca.cert.pem -CAkey ${HOME}/ca.key -CAcreateserial -out ${HOME}/server.crt -extensions req_ext -extfile ${HOME}/csr.conf
Copy

h. Remove passphrase for key

Openssl
    
 
# openssl rsa -in server.key.orig -out server.key
Copy

i. Add entries for key/cert in airctl.conf

Javascript
    
 
# yq w {AIRCTL_CONF} certPath /home/{SSH_USER}/server.crt -i# yq w {AIRCTL_CONF} certKeyPath /home/{SSH_USER}/server.key -i
Copy

Additional Information

NOTES:

There is no impact if we do not use the custom certs, Platform9 will generate self signed certs if no user-provided certs are available.
It is possible to implement custom certs in the current deployment by updating the deployment with the custom certs using https://platform9.com/docs/v5.7/PEC/custom-fqdn-and-certificates#renewing-certs

Last updated on

Was this page helpful?