How To Use Custom Certs In The Management Plane

Problem

As part of security enhancements, we would need to use the custom certs in the Platform9 Management Plane.

Environment

Platform9 Edge Cloud - LTS-2 and Higher.

Procedure

Steps to use your own CA and certs that Platform9 have used.

Note that depending on the CA you are using some steps may vary:

a. Create a csr.conf file with values based on our env:

[req]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no

[req_distinguished_name]
C = US
ST = CA
L = Mountain View
OU = Testing
CN = airctl-1-2662399-213.pf9.localnet # DU FQDN

[req_ext]
subjectAltName = @alt_names

[alt_names] 
DNS.1 = *.pf9.localnet # must have for now
DNS.2 = *.localnet  # this and following values should be based on the DU FQDN
DNS.3 = *.pf9.localnet
DNS.4 = *.airctl-1-2662399-213.pf9.localnet

b. Create CA key and certs:

# openssl req -nodes -newkey rsa:4096 -x509  -keyout ${HOME}/ca.key.orig -out ${HOME}/ca.cert.pem -config ${HOME}/csr.conf

c. Remove passphrase from key

# openssl rsa -in ${HOME}/ca.key.orig -out ${HOME}/ca.key

d. Add entries of CA key and cert to airctl.conf

# yq w {AIRCTL_CONF} caCertPath /home/{self.SSH_USER}/ca.cert.pem -i
# yq w {AIRCTL_CONF} caKeyPath /home/{self.SSH_USER}/ca.key -i

e. Add CA cert to trust store:

# sudo update-ca-trust force-enable
# sudo ln -s /home/{SSH_USER}/ca.cert.pem /etc/pki/ca-trust/source/anchors/airctl-ca.pem
# sudo update-ca-trust extract

If you want to just use external CA and let airctl generate the certs for DU, this is enough. If you want to generate certs for DU as well, you can continue with following steps.

f. Generate new key for DU and generate cert signing request:

# openssl req -out ${HOME}/server.csr -newkey rsa:4096 -nodes -keyout ${HOME}/server.key.orig -config ${HOME}/csr.conf

g. Sign the cert using CA:

# openssl x509 -req -days 365 -in ${HOME}/server.csr -CA ${HOME}/ca.cert.pem -CAkey ${HOME}/ca.key -CAcreateserial -out ${HOME}/server.crt -extensions req_ext -extfile ${HOME}/csr.conf

h. Remove passphrase for key

# openssl rsa -in server.key.orig -out server.key

i. Add entries for key/cert in airctl.conf

# yq w {AIRCTL_CONF} certPath /home/{SSH_USER}/server.crt -i
# yq w {AIRCTL_CONF} certKeyPath /home/{SSH_USER}/server.key -i

Additional Information

NOTES:

There is no impact if we do not use the custom certs, Platform9 will generate self signed certs if no user-provided certs are available.
It is possible to implement custom certs in the current deployment by updating the deployment with the custom certs using https://platform9.com/docs/v5.7/PEC/custom-fqdn-and-certificates#renewing-certs

PreviousMonitoring Cert and CA expiry on LTS1 Deployments NextHow To Re-generate Certificates on LTS1 patch#13 if Hostagent Certificates are Expired

Last updated 4 months ago

Good afternoon

hashtagProblem

hashtagEnvironment

hashtagProcedure

hashtagAdditional Information

Problem

Environment

Procedure

Additional Information