Home > user > design > SSL Certificate Component

SSL Certificate Component

The certificate component is part of every platform and can be used to add SSL support to the platform e.g. Tomcat, Apache or Elasticsearch. The lb-certificate component is part of all platforms that provide redundancy via load balancing and adds SSL support for these scenarios.

Both components share the setup and allow you to configure a number of details about your SSL certificates. Locate the platform to which you want to add SSL certificate support and press the + button beside the certificate or the lb-certificate component as desired and provide the necessary details:

Attributes

Name: name for the certificate
Auto Generate: flag to enable automatic certificate generation
Key: certificate key, .key file content
Certificate: certificate content, .crt file content
SSL CA Certificate Key: certificate of the certificate authority
Pass Phrase: pass phrase for the certificate
Convert to PKCS12: flag to determine if the certificate should be converted to the PKCS12 archive format
Time remaining to expiry: the time remaining until the certificate expires and needs renewal, supports y (year), m (month) and d (day) vaules such as 3m, this data is taken into account for monitoring and notifications so users are alerted about upcoming certificate expiries.
Directory path: path where the certificate file is saved

These tips will help determining the correct certificate when receiving the certificate as a pem file:

  • Certificate is the first section from the certificate pem file.
  • SSL CA Certificate Key is comprised of section 2 and 3 from the certificate pem file.
  • Key is the 4th section from your certificate pem file starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE----- inclusive.
  • Use openSSL rsa -in filename.pem -out filename.key to create a key file from the pem file to determine the SSL Certificate Key field value.

Automatic Certificate Generation

Automatic generation and provisioning of certificates can be enabled with the Auto Generate flag. It relies on the integration with a certificate management web service as a cloud service as part of the OneOps deployment modeled.

Common Name: a single word string that is used as part of a unique identifier for the provisioned certificate
Subject Alternative Name: allows you to insert values into the certificates as subject alternative names
External (Internet Facing) and Domain Name: enable the setting and add a domain name and the value is passed to the service so that it can be inserted into the certificate

Once generated, the certificate is downloaded and its data is used for the values of the attributes Key, Certificate, SSL CA Certificate Key and Time remaining to expiry.

Monitoring

A Nagios monitoring script is generated for the time remaining until the expiry in each environment for certificates. The created monitoring data is available on the monitors tab of the certificate component in the platform deployed in an environment.

The monitoring triggers notifications when the expiry date is within the next month and alerts are raised about the expiry. If you change the monitor thresholds’ State from Notify Only to Defunct, the certificate expiry triggers an automatic replacement of the certificate with a new auto-provisioned certificate.

Monitoring and automatic replacement is not supported for non-managed certificates like the lb-certificates.