Add Custom Certificate During Deployment
Warning
Custom certificates can be added during deployment for different services.
Setting common certificates for all the nodes of a service
The following services support custom certificates:
Common custom certificate for Chef Automate
To add a common custom certificate for all the nodes of the Chef Automate service, add the configurations given below in the config.toml
file before running the chef-automate deploy
command:
[automate.config]
enable_custom_certs = true
root_ca = "ADD_YOUR_ROOT_CA_CERT_HERE"
private_key = "ADD_YOUR_PRIVATE_KEY_HERE"
public_key = "ADD_YOUR_PUBLIC_KEY_HERE"
Common custom certificate for Chef Server
To add a common custom certificate for all the nodes of the Chef Server service, add the configurations given below in the config.toml
file before running the chef-automate deploy
command:
[chef_server.config]
enable_custom_certs = true
private_key = "ADD_YOUR_PRIVATE_KEY_HERE"
public_key = "ADD_YOUR_PUBLIC_KEY_HERE"
Common custom certificate for OpenSearch
To add a common custom certificate for all the nodes of the OpenSearch service, add the configurations given below in the config.toml
file before running the chef-automate deploy
command:
[opensearch.config]
enable_custom_certs = true
root_ca = "ADD_YOUR_ROOT_CA_CERT_HERE"
private_key = "ADD_YOUR_PRIVATE_KEY_HERE"
public_key = "ADD_YOUR_PUBLIC_KEY_HERE"
admin_key = "ADD_YOUR_ADMIN_KEY_HERE"
admin_cert = "ADD_YOUR_ADMIN_CERT_HERE"
Common custom certificate for PostgreSQL
To add a common custom certificate for all the nodes of the PostgreSQL service, add the configurations given below in the config.toml
file before running the chef-automate deploy
command:
[postgresql.config]
enable_custom_certs = true
root_ca = "ADD_YOUR_ROOT_CA_CERT_HERE"
private_key = "ADD_YOUR_PRIVATE_KEY_HERE"
public_key = "ADD_YOUR_PUBLIC_KEY_HERE"
Setting unique certificates for different nodes of a service
For on-prem installations, the following services support unique custom certificates for different nodes:
Note
- If you are using unique custom certificates for each node of a service, then you can skip the Public and Private Keys before the
certs_by_ip
section for that service. - If you are using unique custom certificates for each node of a service, then make sure to define keys for all the IPs for that service. For example, if you are using 3 nodes for PostgreSQL service, then you need to define keys for all 3 IPs using 3
certs_by_ip
sections. - If you have defined keys at both the places (common and inside the
certs_by_ip
section), then the keys defined in thecerts_by_ip
section will be used.
Unique custom certificates for Chef Automate
To add unique custom certificates for 2 the nodes of the Chef Automate service, add the configurations given below in the config.toml
file before running the chef-automate deploy
command:
[automate.config]
enable_custom_certs = true
root_ca = "ADD_YOUR_ROOT_CA_CERT_HERE"
[[automate.config.certs_by_ip]]
ip = "ADD_YOUR_FIRST_IP_ADDRESS_HERE"
private_key = "ADD_YOUR_PRIVATE_KEY_OF_FIRST_IP_ADDRESS_HERE"
public_key = "ADD_YOUR_PUBLIC_KEY_OF_FIRST_IP_ADDRESS_HERE"
[[automate.config.certs_by_ip]]
ip = "ADD_YOUR_SECOND_IP_ADDRESS_HERE"
private_key = "ADD_YOUR_PRIVATE_KEY_OF_SECOND_IP_ADDRESS_HERE"
public_key = "ADD_YOUR_PUBLIC_KEY_OF_SECOND_IP_ADDRESS_HERE"
Unique custom certificates for Chef Server
To add unique custom certificates for 2 the nodes of the Chef Server service, add the configurations given below in the config.toml
file before running the chef-automate deploy
command:
[chef_server.config]
enable_custom_certs = true
[[chef_server.config.certs_by_ip]]
ip = "ADD_YOUR_FIRST_IP_ADDRESS_HERE"
private_key = "ADD_YOUR_PRIVATE_KEY_OF_FIRST_IP_ADDRESS_HERE"
public_key = "ADD_YOUR_PUBLIC_KEY_OF_FIRST_IP_ADDRESS_HERE"
[[chef_server.config.certs_by_ip]]
ip = "ADD_YOUR_SECOND_IP_ADDRESS_HERE"
private_key = "ADD_YOUR_PRIVATE_KEY_OF_SECOND_IP_ADDRESS_HERE"
public_key = "ADD_YOUR_PUBLIC_KEY_OF_SECOND_IP_ADDRESS_HERE"
Unique custom certificates for OpenSearch
To add unique custom certificates for 3 of the nodes of the OpenSearch service, add the configurations given below in the config.toml
file before running the chef-automate deploy
command:
[opensearch.config]
enable_custom_certs = true
root_ca = "ADD_YOUR_ROOT_CA_CERT_HERE"
admin_key = "ADD_YOUR_ADMIN_KEY_HERE"
admin_cert = "ADD_YOUR_ADMIN_CERT_HERE"
[[opensearch.config.certs_by_ip]]
ip = "ADD_YOUR_FIRST_IP_ADDRESS_HERE"
private_key = "ADD_YOUR_PRIVATE_KEY_OF_FIRST_IP_ADDRESS_HERE"
public_key = "ADD_YOUR_PUBLIC_KEY_OF_FIRST_IP_ADDRESS_HERE"
[[opensearch.config.certs_by_ip]]
ip = "ADD_YOUR_SECOND_IP_ADDRESS_HERE"
private_key = "ADD_YOUR_PRIVATE_KEY_OF_SECOND_IP_ADDRESS_HERE"
public_key = "ADD_YOUR_PUBLIC_KEY_OF_SECOND_IP_ADDRESS_HERE"
[[opensearch.config.certs_by_ip]]
ip = "ADD_YOUR_THIRD_IP_ADDRESS_HERE"
private_key = "ADD_YOUR_PRIVATE_KEY_OF_THIRD_IP_ADDRESS_HERE"
public_key = "ADD_YOUR_PUBLIC_KEY_OF_THIRD_IP_ADDRESS_HERE"
Unique custom certificates for PostgreSQL
To add unique custom certificates for 3 of the nodes of the PostgreSQL service, add the configurations given below in the config.toml
file before running the chef-automate deploy
command:
[postgresql.config]
enable_custom_certs = true
root_ca = "ADD_YOUR_ROOT_CA_CERT_HERE"
[[postgresql.config.certs_by_ip]]
ip = "ADD_YOUR_FIRST_IP_ADDRESS_HERE"
private_key = "ADD_YOUR_PRIVATE_KEY_OF_FIRST_IP_ADDRESS_HERE"
public_key = "ADD_YOUR_PUBLIC_KEY_OF_FIRST_IP_ADDRESS_HERE"
[[postgresql.config.certs_by_ip]]
ip = "ADD_YOUR_SECOND_IP_ADDRESS_HERE"
private_key = "ADD_YOUR_PRIVATE_KEY_OF_SECOND_IP_ADDRESS_HERE"
public_key = "ADD_YOUR_PUBLIC_KEY_OF_SECOND_IP_ADDRESS_HERE"
[[postgresql.config.certs_by_ip]]
ip = "ADD_YOUR_THIRD_IP_ADDRESS_HERE"
private_key = "ADD_YOUR_PRIVATE_KEY_OF_THIRD_IP_ADDRESS_HERE"
public_key = "ADD_YOUR_PUBLIC_KEY_OF_THIRD_IP_ADDRESS_HERE"
Was this page helpful?