
AMP Workshop (July 25 & 26, 2017): Certificate management

Nicolas Degory edited this page Sep 8, 2017 · 1 revision

Certificate creation

At cluster creation a new certificate is created. It can be a valid certificate if a DNS domain is provided, or a self-signed certificate otherwise. Being able to provide the domain before the core services are created would be an easy way to create the certificate with certbot, which is something we can't do anymore once haproxy is listening on port 443. If the generation fails (which can happen if the DNS name has not been prepared correctly), it should revert to a self-signed certificate.

For 0.13, we should probably keep it simple and only generate a self-signed certificate, and then update the certificate (see below). This is inconvenient, as generating the certificate will be cumbersome (switch the DNS to another IP, generate the certificate on the server with this IP, switch the DNS back to the real cluster).

Certificate update

The certificate will expire in 90 days, so there should be a way to update it and apply it to the core services (haproxy and amplifier).

This topic is discussed in issue #1169.
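The two policies above (try a CA-issued certificate when a domain is given and revert to a self-signed one on failure; detect when the 90-day certificate is close to expiry so it can be updated) as one added Go example. This is not AMP's own code: the `Obtainer` hook stands in for whatever certbot/ACME step runs before haproxy binds port 443, the 30-day renewal window is an assumed value, and `haproxyBundle` only builds the combined PEM file that haproxy's `crt` option loads; it does not reload haproxy or amplifier.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Obtainer is a hypothetical hook for the CA-backed path (a certbot/ACME
// client run before haproxy listens on 443). It returns cert and key PEM.
type Obtainer func(domain string) (certPEM, keyPEM []byte, err error)

// selfSignedPEM generates a self-signed server certificate for name,
// valid for the given number of days starting at now.
func selfSignedPEM(name string, days int, now time.Time) ([]byte, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    now.Add(-5 * time.Minute), // tolerate small clock skew
		NotAfter:     now.Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

// ensureCertificate applies the creation policy: with a domain, try the
// CA-backed obtainer first; if that fails (DNS not prepared, port already
// taken) or no domain is given, fall back to a 90-day self-signed cert.
// selfSigned reports which path was taken so the caller can warn.
func ensureCertificate(domain string, obtain Obtainer, now time.Time) (certPEM, keyPEM []byte, selfSigned bool, err error) {
	if domain != "" && obtain != nil {
		if c, k, oerr := obtain(domain); oerr == nil {
			return c, k, false, nil
		}
	}
	name := domain
	if name == "" {
		name = "localhost" // assumed placeholder name when no domain is known
	}
	c, k, err := selfSignedPEM(name, 90, now)
	return c, k, true, err
}

// needsRenewal parses a PEM certificate and reports whether it expires
// within the renewal window, so the update path can run before day 90.
func needsRenewal(certPEM []byte, now time.Time, window time.Duration) (bool, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return false, errors.New("no PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, err
	}
	return now.Add(window).After(cert.NotAfter), nil
}

// haproxyBundle builds the single PEM file (certificate, then key) that
// haproxy's `crt` option loads; the caller still has to reload haproxy.
func haproxyBundle(certPEM, keyPEM []byte) []byte {
	return append(append([]byte{}, certPEM...), keyPEM...)
}

func main() {
	now := time.Now()
	failing := func(string) ([]byte, []byte, error) {
		return nil, nil, errors.New("constructed failure: ACME challenge failed, DNS not ready")
	}
	cert, key, selfSigned, err := ensureCertificate("amp.example.com", failing, now)
	if err != nil {
		panic(err)
	}
	fmt.Printf("self-signed fallback: %v, bundle %d bytes\n", selfSigned, len(haproxyBundle(cert, key)))
	renew, _ := needsRenewal(cert, now.Add(70*24*time.Hour), 30*24*time.Hour)
	fmt.Println("renewal needed on day 70:", renew)
}
```

Run as-is, the program exercises the fallback path with a deliberately failing obtainer and then shows the renewal check flipping to true once the certificate is inside the 30-day window; wiring a real ACME client into `Obtainer` is the only change needed for the CA-backed path.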