Install REST API and Horizon CertificateΒΆ

About this task

For secure communications, HTTPS should be enabled for OpenStack REST API and Horizon endpoints by configuring a certificate for these endpoints.

Prerequisites

  • Obtain an Intermediate or Root CA-signed certificate and key from a trusted Intermediate or Root CA. The OpenStack certificate should be created with a wildcard SAN.

    For example:

    X509v3 extensions:
    X509v3 Subject Alternative Name:
    DNS:*.west2.us.example.com
    
    • To install an openstack certificate, the domain has to be added to the service-parameter openstack as prerequisite, for details see Update the Domain Name.

      ~(keystone_admin)$ system service-parameter-add openstack Helm endpoint_domain=west2.us.example.com
      
      +-------------+--------------------------------------+
      | Property    | Value                                |
      +-------------+--------------------------------------+
      | uuid        | 0459ede4-85e7-4767-aca9-d29e84f38bd4 |
      | service     | openstack                            |
      | section     | Helm                                 |
      | name        | endpoint_domain                      |
      | value       | west2.us.example.com                 |
      | personality | None                                 |
      | resource    | None                                 |
      +-------------+--------------------------------------+
      
      ~(keystone_admin)$ system service-parameter-apply openstack
      Applying openstack service parameters
      
  • HTTPS must be enabled for StarlingX, see Enable HTTPS Access for StarlingX REST and Web Server Endpoints.

Procedure

  1. Put the PEM encoded versions of the OpenStack certificate and key in a single file (e.g. openstack-cert-key.pem), and put the certificate of the Root CA in a separate file (e.g. openstack-ca-cert.pem), then copy the files to the controller host.

  2. Install the certificate as the OpenStack REST API / Horizon Certificate.

    This will automatically update the required openstack Helm charts.

    ~(keystone_admin)$ system certificate-install -m openstack <certificate_file>
    

    where <certificate_file> is a pem file containing both the certificate and private key.

    Note

    The OpenStack certificate must be created with wildcard SAN.

    For example, to create a certificate for FQDN: west2.us.example.com, the following entry must be included in the certificate:

    X509v3 extensions:
    X509v3 Subject Alternative Name:
    DNS:*.west2.us.example.com
    

    ~(keystone_admin)$ system certificate-install -m ssl_ca openstack-ca-cert.pem ~(keystone_admin)$ system certificate-install -m openstack_ca openstack-ca-cert.pem ~(keystone_admin)$ system certificate-install -m openstack openstack-cert-key.pem

  3. Apply the Helm chart overrides containing the certificate changes.

    ~(keystone_admin)$ system application-apply stx-openstack
  4. Ensure port 443 is open in StarlingX firewall. For details see Modify Firewall Options.