Perform the following procedure on the UCP Advisor VM.
- The CA-signed certificate must be in PEM format.
You can extract the CA-signed certificate in PEM format from the .pfx file by logging on to the UCP Advisor VM as ucpadmin, and then running the following command:
openssl pkcs12 -in certificate.pfx -nokeys -out certificate.pem
- The private key of the CA-signed certificate must be in a file with a .key extension.
You can extract the private key from the .pfx file by logging on to the UCP Advisor VM as ucpadmin, and then running the following commands:
openssl pkcs12 -in certificate.pfx -nocerts -out key.pem -nodes
openssl rsa -in key.pem -out certificate.key
- Retrieve the Cluster-IP-kong-admin value, which is the CLUSTER-IP of the Kong admin service. Enter:
kubectl get svc -n ucp |grep admin
Example:
$ kubectl get svc -n ucp |grep admin
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
...
ucpadvisor-kong-admin NodePort 10.96.2.33 <none> 8444:30648/TCP
...
...
- Import the CA-signed certificate to the Kong pod. Enter:
curl -k --http1.1 -X POST \
https://Cluster-IP-kong-admin:8444/certificates \
-H 'Content-Type: multipart/form-data' \
-F cert=@./certificate.pem \
-F key=@./certificate.key \
-F 'snis[]=58-79.sie.hds.com'
Where:
- cert represents the CA-signed certificate.
- key represents the private key of the certificate.
- snis represents the domain names or CNs used in the CA-signed certificate.
Note: In this example, snis represents the domain name of the server running the UCP Advisor application.
Example output:
{"key_alt":null,"tags":null,"created_at":1645224386,"cert":"-----BEGIN CERTIFICATE----- ....... -----END CERTIFICATE-----\n","cert_alt":null,"id":"817f6225-4596-463f-845c-7a8739308cc3","snis":["58-79.sie.hds.com"],"key":"-----BEGIN RSA PRIVATE KEY----- ...... -----END RSA PRIVATE KEY-----\n"}
Launch UCP Advisor. If the login screen appears without a security warning, then the new CA-signed certificate has been applied.
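A pre-flight check for the files produced by the procedure above, as an added example that is not part of the original procedure. It confirms that certificate.key belongs to certificate.pem, that the certificate covers the name passed in snis[], that it has not expired, and that the key file is not accessible to other users. The function names and the script name preflight.sh are assumptions of this example; only standard openssl subcommands are used.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks to run before the POST to /certificates.
# Function names are this example's own, not part of UCP Advisor or Kong.

# Succeeds only if the certificate and the private key share one public key.
cert_matches_key() {   # $1 = certificate.pem, $2 = certificate.key
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the certificate is valid for the name sent as snis[].
cert_covers_name() {   # $1 = certificate.pem, $2 = DNS name
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
    grep -q 'does match certificate'
}

# Succeeds only if the certificate does not expire within the next $2 seconds.
cert_valid_for() {     # $1 = certificate.pem, $2 = seconds
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Succeeds only if group and others have no permissions on the key file.
key_is_private() {     # $1 = certificate.key
  [ -f "$1" ] && [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Runs every check, reports each failure, and returns non-zero on any.
preflight() {          # $1 = certificate, $2 = key, $3 = SNI name
  local rc=0
  cert_matches_key "$1" "$2" || { echo "FAIL: key does not match certificate" >&2; rc=1; }
  cert_covers_name "$1" "$3" || { echo "FAIL: certificate does not cover $3" >&2; rc=1; }
  cert_valid_for "$1" 0      || { echo "FAIL: certificate has expired" >&2; rc=1; }
  key_is_private "$2"        || { echo "FAIL: $2 is accessible to group/others" >&2; rc=1; }
  return "$rc"
}

# Usage: ./preflight.sh certificate.pem certificate.key 58-79.sie.hds.com
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

The -nodes option writes key.pem unencrypted and the example output above echoes the private key, so remove key.pem once certificate.key exists and keep the curl response out of shared logs.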