Set up SSL certificates

Overview

This topic explains how to set up Secure Sockets Layer (SSL) certificates as part of the SaltStack Enterprise post-installation process.

Prerequisites

Setting up the SSL certificates is one post-installation step in a series of several steps that should be followed in a specific order. First, complete one of the installation scenarios and then read the following post-installation topics:

How to set up SSL certificates

Setting up SSL certificates is optional when installing SaltStack Enterprise, but recommended.

To create the SSL certificates:

  1. Install pyOpenSSL.

    sudo yum install pyOpenSSL
    
    zypper in python-pyOpenSSL
    
  2. Create and set permissions for the certificate folder for RaaS.

    sudo mkdir -p /etc/raas/pki
    sudo chown raas:raas /etc/raas/pki
    sudo chmod 750 /etc/raas/pki
    
  3. Generate keys for RaaS using salt, or provide your own.

    sudo salt-call --local tls.create_self_signed_cert tls_dir=raas
    sudo chown raas:raas /etc/pki/raas/certs/localhost.crt
    sudo chown raas:raas /etc/pki/raas/certs/localhost.key
    sudo chmod 400 /etc/pki/raas/certs/localhost.crt
    sudo chmod 400 /etc/pki/raas/certs/localhost.key
    
  4. To enable SSL connections to Enterprise Console, generate a PEM-encoded SSL certificate or ensure that you have access to an existing PEM-encoded certificate.

  5. Save the .crt and .key files you generated in the previous step to /etc/pki/raas/certs on the RaaS server.

  6. Update the RaaS configuration by opening /etc/raas/raas in a text editor. Configure the following values, replacing <filename> with your SSL certificate filename:

    tls_crt: /etc/pki/raas/certs/<filename>.crt
    tls_key: /etc/pki/raas/certs/<filename>.key
    port: 443
    
  7. Restart the Enterprise API service.

    sudo systemctl restart raas
    
  8. Verify the Enterprise API is running.

    sudo systemctl status raas
    
  9. Confirm that you can connect to the web console in a web browser.

    • url: https://your_raas_server/
    • Username: root
    • Password: salt

Your SSL certificates for SaltStack Enterprise are now set up.

Updating SSL certificates

Instructions for updating SSL certificates for SaltStack Enterprise are available at the SaltStack Support knowledge base. For more information, see How to update SSL certificates for SaltStack Enterprise.

Next steps

After setting up SSL certificates, you must complete additional post-installation steps. If you are a SaltStack Comply and/or SaltStack Protect customer, the next step is to set up these services. For more information, see: