You can specify custom certificates for the web console and for the CLI through the servingInfo section of the master configuration file.
A default certificate must be configured in the servingInfo.certFile and servingInfo.keyFile configuration sections in addition to namedCertificates. The namedCertificates section should be configured only for the host name associated with the masterPublicURL and oauthConfig.assetPublicURL settings in the /etc/origin/master/master-config.yaml file. Using a custom serving certificate for the host name associated with the masterURL will result in TLS errors, as infrastructure components will attempt to contact the master API using the masterURL.
Custom Certificates Configuration

```yaml
servingInfo:
  certFile: master.server.crt            # (1)
  keyFile: master.server.key             # (1)
  namedCertificates:
  - certFile: wildcard.example.com.crt   # (2)
    keyFile: wildcard.example.com.key    # (2)
    names:
    - "*.example.com"
```

(1) Path to certificate and key files for the CLI and other API calls.
(2) Path to certificate and key files for the web console; the names list gives the host names (SNI) for which this certificate is served.
The openshift_master_cluster_public_hostname and openshift_master_cluster_hostname parameters in the Ansible inventory file (by default /etc/ansible/hosts) must be different. If they are the same, the named certificates will fail and you will need to re-install them.
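The rules above (a default certificate is required, named certificates must cover the public host names, and they must never cover the masterURL host) can be checked before restarting the master. The following is an added example, not code from the OKD project or its documentation: it assumes master-config.yaml has already been parsed (for example with PyYAML) and that the caller passes the servingInfo mapping plus the masterURL and the public URLs explicitly; all sample values are constructed.

```python
from urllib.parse import urlparse


def hostname_matches(pattern, host):
    """SNI-style match: exact host, or a "*." wildcard covering exactly one label."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return host == pattern


def check_serving_info(serving_info, master_url, public_urls):
    """Return a list of problems with the servingInfo rules; empty means OK."""
    problems = []
    if not (serving_info.get("certFile") and serving_info.get("keyFile")):
        problems.append("servingInfo.certFile/keyFile: a default certificate is required")
    named = serving_info.get("namedCertificates") or []
    all_names = [n for entry in named for n in entry.get("names", [])]
    internal_host = urlparse(master_url).hostname or ""
    # A named certificate that also matches the masterURL host would be served to
    # infrastructure components contacting the API internally, causing TLS errors.
    for name in all_names:
        if hostname_matches(name, internal_host):
            problems.append(f"namedCertificates name {name!r} covers masterURL host {internal_host!r}")
    # Each public host (masterPublicURL, oauthConfig.assetPublicURL) needs a named certificate.
    public_hosts = {urlparse(u).hostname or "" for u in public_urls}
    for host in sorted(public_hosts):
        if not any(hostname_matches(n, host) for n in all_names):
            problems.append(f"no named certificate covers public host {host!r}")
    # Same host for internal and public URLs cannot be separated by SNI at all.
    if internal_host in public_hosts:
        problems.append("masterURL and public URL share a host name; they must differ")
    return problems


# Constructed sample mirroring the configuration shown above.
SAMPLE_SERVING_INFO = {
    "certFile": "master.server.crt",
    "keyFile": "master.server.key",
    "namedCertificates": [
        {"certFile": "wildcard.example.com.crt",
         "keyFile": "wildcard.example.com.key",
         "names": ["*.example.com"]},
    ],
}
SAMPLE_MASTER_URL = "https://master.internal.local:8443"   # constructed internal host
SAMPLE_PUBLIC_URLS = ["https://console.example.com:8443",   # constructed public hosts
                      "https://console.example.com:8443/console/"]

if __name__ == "__main__":
    for problem in check_serving_info(SAMPLE_SERVING_INFO, SAMPLE_MASTER_URL, SAMPLE_PUBLIC_URLS):
        print("PROBLEM:", problem)
```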
# Native HA with External LB VIPs
This approach allows you to take advantage of the self-signed certificates generated by OKD and add custom trusted certificates to individual components as needed.
Note that the internal infrastructure certificates remain self-signed, which might be perceived as bad practice by some security or PKI teams. However, any risk here is minimal, as the only clients that trust these certificates are other components within the cluster. All external users and systems use custom trusted certificates.
Relative paths are resolved based on the location of the master configuration file. Restart the server to pick up the configuration changes.