The certificate component is part of every platform and can be used to add SSL support to the platform e.g. Tomcat, Apache or Elasticsearch. The lb-certificate component is part of all platforms that provide redundancy via load balancing and adds SSL support for these scenarios.
Both components share the setup and allow you to configure a number of details about your SSL certificates. Locate the platform to which you want to add SSL certificate support and press the + button beside the certificate or the lb-certificate component as desired and provide the necessary details:
Name: name for the certificate
Auto Generate: flag to enable automatic certificate generation
Key: certificate key, .key file content
Certificate: certificate content, .crt file content
SSL CA Certificate Key: certificate of the certificate authority
Pass Phrase: pass phrase for the certificate
Convert to PKCS12: flag to determine if the certificate should be converted to the PKCS12 archive format
Time remaining to expiry: the time remaining until the certificate expires and needs renewal; supports y (year), m (month) and d (day) values such as 3m. This value is taken into account for monitoring and notifications so that users are alerted about upcoming certificate expiration.
Directory path: path where the certificate file is saved
These tips help to determine the correct field values when you receive the certificate as a .pem file:
The certificate is the block starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----, inclusive.
Run openssl rsa -in filename.pem -out filename.key to create a key file from the .pem file; use its content as the SSL Certificate Key field value.
Automatic generation and provisioning of certificates can be enabled with the Auto Generate flag. It relies on integration with a certificate management web service that is modeled as a cloud service as part of the OneOps deployment.
Common Name: Full common name of the certificate to be provisioned. Maximum length is 64 characters
Subject Alternative Name: allows you to insert values into the certificate as subject alternative names. This is an optional attribute and accepts multiple SANs.
External (Internet Facing) and Domain Name: enable the setting and add a domain name; the value is passed to the service so that it can be inserted into the certificate. An example domain attribute value: “walmart.com”
Pass Phrase: certificate download password. Must be between 12 and 20 characters and contain at least one upper case letter, one lower case letter, one special character and one number.
Once generated, the certificate is downloaded and its data is used for the values of the attributes Key, Certificate, SSL CA Certificate Key and Time remaining to expiry.
A Nagios monitoring script is generated for the time remaining until expiry of the certificates in each environment. The created monitoring data is available on the monitors tab of the certificate component in the platform deployed in an environment.
The monitoring triggers notifications when the expiry date is within the next month, and alerts are raised about the expiry. If you change the monitor threshold's State from Notify Only to Defunct, certificate expiry triggers an automatic replacement of the certificate with a new auto-provisioned certificate.
Monitoring and automatic replacement are not supported for non-managed certificates such as the lb-certificates.
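The following script is an added example and not part of OneOps or this page; it illustrates two of the steps described above: splitting a received .pem file into the values for the Key, Certificate and SSL CA Certificate Key fields (BEGIN/END lines inclusive), and evaluating a Time remaining to expiry threshold such as 3m the way the expiry monitor does. Its assumptions are labelled in the comments: the mapping of private key and certificate blocks onto the three fields, the conversion of y and m to 365 and 30 days, the notAfter= line format printed by openssl x509 -noout -enddate, and the action names none/notify/replace for the Notify Only and Defunct states. The sample .pem bundle is constructed with placeholder bodies.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed sample .pem bundle: a private key, a leaf certificate and a CA
# certificate concatenated in one file. The base64 bodies are placeholders, not
# real key material.
SAMPLE_PEM = """\
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDkeyplaceholder
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIEbGVhZjANBgkqhkiG9w0BAQsFADBsMQsleafplaceholder
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIEcm9vdDANBgkqhkiG9w0BAQsFADBsMQswcaplaceholder
-----END CERTIFICATE-----
"""

# One PEM block: the BEGIN line, the base64 body and the matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


def split_pem(text: str) -> List[Tuple[str, str]]:
    """Return (label, block) pairs; each block keeps its BEGIN/END lines inclusive."""
    return [(m.group("label"), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def component_fields(text: str) -> Dict[str, str]:
    """Map the blocks of a .pem bundle onto the certificate component fields.

    Assumed mapping (the page names the fields, not their order in the file):
    the single private key block -> Key, the first certificate -> Certificate,
    any further certificates (the CA chain) -> SSL CA Certificate Key.
    """
    blocks = split_pem(text)
    keys = [b for label, b in blocks if label.endswith("PRIVATE KEY")]
    certs = [b for label, b in blocks if label == "CERTIFICATE"]
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key block, found {len(keys)}")
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    return {
        "Key": keys[0],
        "Certificate": certs[0],
        "SSL CA Certificate Key": "\n".join(certs[1:]),
    }


THRESHOLD = re.compile(r"^\s*(\d+)\s*([ymdYMD])\s*$")


def parse_threshold(value: str) -> timedelta:
    """Parse a 'Time remaining to expiry' value such as 3m, 1y or 45d.
    Assumption (the page gives no calendar rule): y = 365 days, m = 30 days."""
    m = THRESHOLD.match(value)
    if not m:
        raise ValueError(f"unsupported threshold: {value!r}")
    count, unit = int(m.group(1)), m.group(2).lower()
    return timedelta(days=count * {"y": 365, "m": 30, "d": 1}[unit])


def parse_not_after(line: str) -> datetime:
    """Parse the 'notAfter=Jun  2 10:00:00 2026 GMT' line printed by
    'openssl x509 -noout -enddate' into an aware UTC datetime (assumed format)."""
    if "=" not in line:
        raise ValueError(f"not a notAfter line: {line!r}")
    stamp = line.strip().split("=", 1)[1]
    if stamp.endswith(" GMT"):
        stamp = stamp[:-4]
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def expiry_check(not_after: datetime, threshold: str, state: str, now: datetime) -> Dict[str, object]:
    """Evaluate the expiry monitor for one certificate.

    state mirrors the monitor threshold State on the page: 'Notify Only' raises
    an alert, 'Defunct' additionally triggers automatic replacement. The action
    names 'none', 'notify' and 'replace' are this example's own.
    """
    remaining = not_after - now
    limit = parse_threshold(threshold)
    if remaining <= timedelta(0):
        status = "expired"
    elif remaining <= limit:
        status = "expiring"
    else:
        status = "ok"
    if status == "ok":
        action = "none"
    elif state == "Defunct":
        action = "replace"
    else:
        action = "notify"
    return {"status": status, "days_remaining": remaining.days, "action": action}


if __name__ == "__main__":
    for field, value in component_fields(SAMPLE_PEM).items():
        print(f"{field}: {value.count('-----BEGIN') } block(s)")
    now = datetime.now(timezone.utc)
    print(expiry_check(parse_not_after("notAfter=Jun  2 10:00:00 2026 GMT"), "3m", "Notify Only", now))
```

Run it against a real bundle by replacing SAMPLE_PEM with the file content and feeding the notAfter= line from openssl x509 -noout -enddate into parse_not_after; the regex keeps each block inclusive of its BEGIN and END lines, which is what the Certificate field expects.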