Get A Certificate¶
Before you start¶
Goal
- Get a certificate to enable Altair SLC Hub to use HTTPS for external communication.
By default, the Altair SLC Hub server is configured to use HTTP for external communication, which is not secure. In a production system, it is strongly recommended that you enable HTTPS for the external communication.
Note
All traffic in the Altair SLC Hub cluster between the Hub server host and any worker node hosts is secured by default. This section relates to securing the external traffic between a client browsers and the Hub, or when making REST API calls to the Hub.
Note
The Hub can only be configured to use HTTP or HTTPS, it is not possible to configure Hub to serve both HTTP and HTTPS. Once configured for HTTPS, requests made to HTTP will automatically redirect to HTTPS.
Generate a certificate¶
To enable HTTPS, a certificate and private key are required. Some providers will give you a certificate and key suitable for serving HTTPS for a Fully Qualified Domain Name you own. You can see the address the hub is serving by running the following command:
hubctl config print ingress.hostname
It may be preferable to generate a certificate signing request and private key locally, and then send the certificate signing request to the Certificating Authority.
Note
The hostname referenced in the certificate must be the same as the hostname in the ingress.url
configuration setting. Use hubctl config print ingress.url
to view the configuration setting.
Note
The private key must not have a password. There is no option in the Altair SLC Hub configuration to specify a password to use when reading the private key file.
Generating a Certificate Signing Request¶
In order to help get a certificate for the hub you can generate a certificate signing request using the command
hubctl generate externalcsr
This command will generate certificate signing request and private key files ([var directory]/ca/public/external/external.csr.pem
and [var directory]/ca/public/external/external.key.pem
respectively).
Generating a self-signed certificate¶
A self-signed certificate may be setup to test secure access for HTTP, Altair Analytics Workbench or the Altair SLC Hub Excel Add-in to a Hub instance. While use for testing is appropriate, a self-signed certificate is not recommended for production use of Hub.
You can generate a self-signed certificate in your preferred way, however the certificate must contain the Subject Alternative Name (SAN) extension for compatibility with browsers and the workbench.
You can generate a self-signed certificate using the following command:
hubctl generate externalssc
This command will generate certificate and private key files ([var directory]/ca/public/external/external.cert.pem
and [var directory]/ca/public/external/external.key.pem
respectively).