Install REST API and Horizon CertificateΒΆ

About this task

For secure communications, HTTPS should be enabled for OpenStack REST API and Horizon endpoints by configuring a certificate for these endpoints.


  • Obtain an Intermediate or Root CA-signed certificate and key from a trusted Intermediate or Root CA. The OpenStack certificate should be created with a wildcard SAN.

    For example:

    X509v3 extensions:
    X509v3 Subject Alternative Name:
    • To install an openstack certificate, the domain has to be added to the service-parameter openstack as prerequisite, for details see Update the Domain Name.

      ~(keystone_admin)$ system service-parameter-add openstack Helm
      | Property    | Value                                |
      | uuid        | 0459ede4-85e7-4767-aca9-d29e84f38bd4 |
      | service     | openstack                            |
      | section     | Helm                                 |
      | name        | endpoint_domain                      |
      | value       |                 |
      | personality | None                                 |
      | resource    | None                                 |
      ~(keystone_admin)$ system service-parameter-apply openstack
      Applying openstack service parameters
  • HTTPS must be enabled for StarlingX, see Configure REST API Applications and Web Administration Server Certificate.


  1. Put the PEM encoded versions of the OpenStack certificate and key in a single file (e.g. openstack-cert-key.pem), and put the certificate of the Root CA in a separate file (e.g. openstack-ca-cert.pem), then copy the files to the controller host.

  2. Install the certificate as the OpenStack REST API / Horizon Certificate.

    This will automatically update the required openstack Helm charts.

    ~(keystone_admin)$ system certificate-install -m ssl_ca openstack-ca-cert.pem
    ~(keystone_admin)$ system certificate-install -m openstack_ca openstack-ca-cert.pem
    ~(keystone_admin)$ system certificate-install -m openstack openstack-cert-key.pem
  3. Apply the Helm chart overrides containing the certificate changes.

    ~(keystone_admin)$ system application-apply stx-openstack
  4. Ensure port 443 is open in StarlingX firewall. For details see Modify Firewall Options.