3.1 KiB
Install REST API and Horizon Certificate
For secure communications, HTTPS should be enabled for OpenStack REST API and Horizon endpoints by configuring a certificate for these endpoints.
Obtain an Intermediate or Root -signed certificate and key from a trusted Intermediate or Root . The OpenStack certificate should be created with a wildcard SAN.
For example:
X509v3 extensions: X509v3 Subject Alternative Name: DNS:*.west2.us.example.comTo install an openstack certificate, the domain has to be added to the service-parameter openstack as prerequisite, for details see
Update the Domain Name <update-the-domain-name>.~(keystone_admin)$ system service-parameter-add openstack Helm endpoint_domain=west2.us.example.com +-------------+--------------------------------------+ | Property | Value | +-------------+--------------------------------------+ | uuid | 0459ede4-85e7-4767-aca9-d29e84f38bd4 | | service | openstack | | section | Helm | | name | endpoint_domain | | value | west2.us.example.com | | personality | None | | resource | None | +-------------+--------------------------------------+ ~(keystone_admin)$ system service-parameter-apply openstack Applying openstack service parameters
HTTPS must be enabled for , see .
Put the encoded versions of the OpenStack certificate and key in a single file (e.g.
openstack-cert-key.pem), and put the certificate of the Root in a separate file (e.g.openstack-ca-cert.pem), then copy the files to the controller host.Install the certificate as the OpenStack REST API / Horizon Certificate.
This will automatically update the required openstack Helm charts.
~(keystone_admin)$ system ca-certificate-install openstack-ca-cert.pem ~(keystone_admin)$ system os-certificate-install -m ca openstack-ca-cert.pem ~(keystone_admin)$ system os-certificate-install -m server openstack-cert-key.pemApply the Helm chart overrides containing the certificate changes.
~(keystone_admin)$ system application-apply -openstack
Ensure port 443 is open in firewall. For details see .