Skip to content

Certificate management

Marcin Maciaszczyk edited this page Sep 21, 2017 · 9 revisions

This document describes shortly how to get certificates, that can be used to enable HTTPS in Dashboard. There are two steps required to do it:

  1. Generate certificates.
    1. Public trusted CA.
    2. Self-signed certificate.
  2. Pass them to Dashboard.
    1. In case you are following Recommended Setup to deploy Dashboard just generate certificates and follow it.
    2. In any other case you need to alter Dashboard's YAML deploy file and pass --tls-key-file and --tls-cert-file flags to Dashboard. More information about how to mount them into the pods can be found here.

Public trusted Certificate Authority

There are many public and free certificate providers to choose from. One of the best trusted certificate providers is Let's encrypt. Everything you need to know about how to generate certificates signed by their trusted CA can be found here.

Self-signed certificate

In case you want to generate certificates on your own you need library like OpenSSL that will help you do that.

Generate private key and certificate signing request

A private key and certificate signing request are required to create an SSL certificate. These can be generated with a few simple commands. When the openssl req command asks for a “challenge password”, just press return, leaving the password empty. This password is used by Certificate Authorities to authenticate the certificate owner when they want to revoke their certificate. Since this is a self-signed certificate, there’s no way to revoke it via CRL (Certificate Revocation List).

$ openssl genrsa -des3 -passout pass:x -out dashboard.pass.key 2048
$ openssl rsa -passin pass:x -in dashboard.pass.key -out dashboard.key
# Writing RSA key
$ rm dashboard.pass.key
$ openssl req -new -key dashboard.key -out dashboard.csr
Country Name (2 letter code) [AU]: US
A challenge password []:

Generate SSL certificate

The self-signed SSL certificate is generated from the dashboard.key private key and dashboard.csr files.

$ openssl x509 -req -sha256 -days 365 -in dashboard.csr -signkey dashboard.key -out dashboard.crt

The dashboard.crt file is your certificate suitable for use with Dashboard along with the dashboard.key private key.

You can’t perform that action at this time.