Set up SSL certificates¶
This page explains how to set up Secure Sockets Layer (SSL) certificates as part of the SaltStack Enterprise post-installation process.
Setting up the SSL certificates is one post-installation step in a series of several steps that should be followed in a specific order. First, complete one of the installation scenarios and then read the following post-installation pages:
- Install the license key
- Install and configure the Salt Master plugin
- Log in for the first time and change default credentials
- Accept the Salt Master key and back up data
How to set up SSL certificates¶
Setting up SSL certificates is optional when installing SaltStack Enterprise, but recommended.
To create the SSL certificates:
Create and set permissions for the certificate folder for the RaaS service.
sudo mkdir -p /etc/raas/pki sudo chown raas:raas /etc/raas/pki sudo chmod 750 /etc/raas/pki
Generate keys for the RaaS service using Salt, or provide your own.
sudo salt-call --local tls.create_self_signed_cert tls_dir=raas sudo chown raas:raas /etc/pki/raas/certs/localhost.crt sudo chown raas:raas /etc/pki/raas/certs/localhost.key sudo chmod 400 /etc/pki/raas/certs/localhost.crt sudo chmod 400 /etc/pki/raas/certs/localhost.key
To enable SSL connections to Enterprise Console, generate a PEM-encoded SSL certificate or ensure that you have access to an existing PEM-encoded certificate.
.keyfiles you generated in the previous step to
/etc/pki/raas/certson the Enterprise API (RaaS) node.
Update the |raas-service configuration by opening
/etc/raas/raasin a text editor. Configure the following values, replacing
<filename>with your SSL certificate filename:
tls_crt: /etc/pki/raas/certs/<filename>.crt tls_key: /etc/pki/raas/certs/<filename>.key port: 443
Restart the RaaS service.
sudo systemctl restart raas
Verify the RaaS service is running.
sudo systemctl status raas
Confirm that you can connect to the web console in a web browser, replacing the
urlvalue with the DNS name or IP address of the Enterprise API (RaaS) node.
Your SSL certificates for SaltStack Enterprise are now set up.
Updating SSL certificates¶
Instructions for updating SSL certificates for SaltStack Enterprise are available at the SaltStack Support knowledge base. For more information, see How to update SSL certificates for SaltStack Enterprise.
After setting up SSL certificates, you must complete additional post-installation steps. If you are a SaltStack Comply, and/or SaltStack Protect customer, or if you want to integrate with Splunk, the next step is to set up these services. For more information, see: