search string side menu

ELMA365 On-Premises > Prepare infrastructure > TLS/SSL certificates / Create a secret with a certificate for HTTPS operation

Create a secret with a certificate for HTTPS operation

You can create a secret with a certificate for HTTPS operation using one of the following options:

Installation via the internet

Method 1. Use a certificate issued by a trusted CA

To create a secret with a certificate for HTTPS operation, you can either purchase a certificate issued by one of the trusted certificate authorities or use an existing one.

начало внимание

The secret with the certificate must be created in the same namespace in which the target application is running or will be installed, for which the certificate is being issued.

For the ELMA365 application, the standard namespace is elma365.

For built-in databases the standard namespace is elma365-dbs.

конец внимание

In the namespace with the target application, create a tls-type secret with the name elma365-onpremise-tls by executing the command:

kubectl create secret tls elma365-onpremise-tls \
--cert=path/to/cert/file \
--key=path/to/key/file [-n namespace]

where:

  • --cert is the path to the file with an open certificate of the .pem or .crt format;
  • --key is the path to the file with a private key.

Method 2. Use Let’s Encrypt certificate

For more information on issuing a certificate, refer to Create Let’s Encrypt certificate.

Installation without internet access

Method 1: Use a self-signed certificate or a certificate issued by a local CA

You can use an existing certificate issued by a local certificate authority or create a self-signed certificate using OpenSSL. For more information, refer to Create SSL certificates for TLS/SSL with OpenSSL.

начало внимание

The secret with the certificate must be created in the same namespace in which the target application is running or will be installed, for which the certificate is being issued.

For the ELMA365 application, the standard namespace is elma365.

For built-in databases the standard namespace is elma365-dbs.

конец внимание

In the namespace with the target application, create a tls-type secret with the name elma365-onpremise-tls by executing the command:

kubectl create secret tls elma365-onpremise-tls \
--cert=path/to/cert/file \
--key=path/to/key/file [-n namespace]

where:

  • --cert is the path to the file with an open certificate of the .pem or .crt format;
  • --key is the path to the file with a private key.

Configuring trust support for a user CA certificate issued by a local CA

If ELMA365 and embedded databases require support for trusting a user CA certificate, install the Kyverno add-on module. Kyverno allows automatically adding a volume containing custom CA certificates to containers with a specific label.

 

If trust support is only required for the ELMA365 application, it can be enabled in the ELMA365 helm chart. To learn more, see Enable network encryption (TLS) in ELMA365 Enterprise. To enablesupport in the helm-chart follow these steps:

    1. Create a ConfigMap from the CA certificate file.
    2. On step 2 of Enable network encryption (TLS) in ELMA365 Enterprise when filling in the configuration file values-elma365.yaml specify the name of the created ConfigMap in parameter configCA.

In the namespace where the ELMA365 application is installed, create a ConfigMap from the CA certificate file with the name elma365-onpremise-ca, by executing the command:

kubectl create configmap elma365-onpremise-ca \
--from-file=path/to/rootCA [-n namespace]

Method 2. Use a self-signed certificate with Cert-manager

For more information on issuing a certificate, refer to Create SSL certificates for TLS/SSL using Cert-manager.

downloading-images-deckhouse.html certificate-lets-encrypt.html

Found a typo? Highlight the text, press ctrl + enter and notify us