Generating a self-signed server certificate for the management interface
You can use a script to generate a self-signed server certificate for management API clients that require strict hostname validation.
-
You must have specific access permissions.
-
You must have the
Passwords.txt
file.
In production environments, you should use a certificate that is signed by a known Certificate Authority (CA). Certificates signed by a CA can be rotated non-disruptively. They are also more secure because they provide better protection against man-in-the-middle attacks.
-
Obtain the fully qualified domain name (FQDN) of each Admin Node.
-
Log in to the primary Admin Node:
-
Enter the following command:
ssh admin@primary_Admin_Node_IP
-
Enter the password listed in the
Passwords.txt
file. -
Enter the following command to switch to root:
su -
-
Enter the password listed in the
Passwords.txt
file.When you are logged in as root, the prompt changes from
$
to#
.
-
-
Configure StorageGRID with a new self-signed certificate.
$ sudo make-certificate --domains wildcard-admin-node-fqdn --type management
-
For
--domains
, use wildcards to represent the fully qualified domain names of all Admin Nodes. For example,*.ui.storagegrid.example.com
uses the * wildcard to representadmin1.ui.storagegrid.example.com
andadmin2.ui.storagegrid.example.com
. -
Set
--type
tomanagement
to configure the certificate used by Grid Manager and Tenant Manager. -
By default, generated certificates are valid for one year (365 days) and must be recreated before they expire. You can use the
--days
argument to override the default validity period.A certificate's validity period begins when make-certificate
is run. You must ensure the management API client is synchronized to the same time source as StorageGRID; otherwise, the client might reject the certificate.$ sudo make-certificate --domains *.ui.storagegrid.example.com --type management --days 365
The resulting output contains the public certificate needed by your management API client.
-
-
Select and copy the certificate.
Include the BEGIN and the END tags in your selection.
-
Log out of the command shell.
$ exit
-
Confirm the certificate was configured:
-
Access the Grid Manager.
-
Select Configuration > Server Certificates > Management Interface Server Certificate.
-
-
Configure your management API client to use the public certificate you copied. Include the BEGIN and END tags.