Certificate Management for Admin REST API Endpoints

All messaging between SystemControllers and Subclouds in the Distributed Cloud system uses the admin REST API service endpoints, which are all configured for secure HTTPS.

StarlingX supports automated HTTPS certificate renewal for Distributed Cloud admin endpoints.

Certificates on the SystemController

In a Distributed Cloud system, the HTTPS certificates for admin endpoints are managed by StarlingX internally.

Note

All renewal operations are automatic, and no user operation is required.

For admin endpoints, the SystemControllers in a Distributed Cloud system manages the following certificates:

  • DC-AdminEp-Root-CA certificate: This certificate expires in 1825 days (approximately 5 years). Renewal of this certificate starts 30 days prior to expiry.

    The Root CA certificate is renewed on the SystemController. When the certificate is renewed, StarlingX renews the intermediate CA certificates for all subclouds.

  • DC-AdminEp-Intermediate-CA certificate for ‘each’ subcloud: This certificate expires in 365 days. Renewal of this certificate starts 30 days prior to expiry. This certificate is used for all subclouds that are unmanaged.

  • DC-AdminEp-endpoint: This certificate expires in 180 days. Renewal of this certificate starts 30 days prior to expiry.

Certificates on the Subcloud

For admin endpoints, the subcloud controllers manage the following certificates:

  • DC-AdminEp-Intermediate-CA certificate: The intermediate CA certificate for a subcloud is renewed on the SystemController. It is sent to the subcloud using a Rest API. Therefore, a subcloud needs to be online to receive the renewed certificate.

    If the subcloud is offline at the time when the subcloud intermediate CA certificate is renewed, the subcloud status dc-cert displays “out-of-sync”. Certificate renewal continues once the subcloud is online. When renewal completes, the status changes to “in-sync”. Subclouds start admin endpoint certificate renewal once subcloud intermediate CA certificate renewal is complete.

  • DC-AdminEp certificate for the Subcloud: This certificate expires in 180 days. Renewal of this certificate starts 30 days prior to expiry.

    When the admin endpoint certificate is renewed, a new TLS certificate is generated. The new TLS certificate is used to provide TLS termination.

The SystemController audits subcloud AdminEp certificates daily. It also audits subcloud admin endpoints when a subcloud becomes online or managed. If the subcloud admin endpoint is “out-of-sync”, the SystemController initiates intermediate CA certificate renewal, to force subcloud renewal of the admin endpoint certificate.