Certificate management

Content Intelligence Administration Guide

Version
3.0.x
File Size
465 KB
Audience
anonymous
Part Number
MK-HCI000-19

Your HCI system uses SSL to provide its security. To enable SSL security, you first need a valid SSL server certificate or chain of certificates. Your system comes with its own self-signed SSL server certificate, which is generated and installed automatically when the system is installed. This certificate is not automatically trusted by web browsers.

You can choose to trust this self-signed certificate to replace the certificate with either one from a certificate authority (CA) or one that you create yourself. You can also have the system generate and install a new self-signed SSL server certificate. You do this, for example, if the current certificate is close to expiring and you are waiting to retrieve a new one from your CA.

Two types of certificates are stored on your Kubernetes cluster: system and client.

  • Client certificates are kept in a truststore and are used to connect to external resources. They do not contain sensitive information.
  • System certificates are kept in a keystore and are used when an external resource connects to HCI. They contain the secret key for the system.

On your initial deployment of HCI, Ingress will point to a nonfunctional transport layer security (TLS) secret with empty data. Likewise, if you access an HTTPS endpoint prior to uploading a certificate, a fake Automatic Certificate Management Environment (ACME) certificate is created as a placeholder by Ingress. Once you have successfully uploaded your own server certificate through the API, the TLS secret is automatically updated.

In order for your certificate to validate the correct hostname, the commonName (CN) of your uploaded server certificate must match the CN of the Ingress host. Once successful, you will need to close and re-open your browser in order for the new certificate to take affect.