Get A Certificate

Before you start

Goal

  • Get a certificate to enable Altair SLC Hub to use HTTPS for external communication.

By default, the Altair SLC Hub server is configured to use HTTP for external communication, which is not secure. In a production system, it is strongly recommended that you enable HTTPS for the external communication.

Note

All traffic in the Altair SLC Hub cluster between the Hub server host and any worker node hosts is secured by default. This section relates to securing the external traffic between client browsers and the Hub, or when making REST API calls to the Hub.

Note

The Hub can be configured to use either HTTP or HTTPS; it is not possible to configure the Hub to serve both. Once configured for HTTPS, requests made over HTTP are automatically redirected to HTTPS.

Generate a certificate

To enable HTTPS, a certificate and private key are required. Some providers will give you a certificate and key suitable for serving HTTPS for a Fully Qualified Domain Name you own. You can see the address the hub is serving by running the following command:

hubctl config print ingress.hostname

It may be preferable to generate a certificate signing request and private key locally, and then send the certificate signing request to the Certificate Authority.

Note

The hostname referenced in the certificate must be the same as the hostname in the ingress.url configuration setting. Use hubctl config print ingress.url to view the configuration setting.

Note

The private key must not have a password. There is no option in the Altair SLC Hub configuration to specify a password to use when reading the private key file.

Generating a Certificate Signing Request

To help obtain a certificate for the Hub, you can generate a certificate signing request using the following command:

   hubctl generate externalcsr

This command will generate certificate signing request and private key files ([var directory]/ca/public/external/external.csr.pem and [var directory]/ca/public/external/external.key.pem respectively).

Generating a self-signed certificate

A self-signed certificate may be set up to test secure access for HTTP, Altair Analytics Workbench or the Altair SLC Hub Excel Add-in to a Hub instance. While use for testing is appropriate, a self-signed certificate is not recommended for production use of Hub.

You can generate a self-signed certificate in your preferred way; however, the certificate must contain the Subject Alternative Name (SAN) extension for compatibility with browsers and the workbench.

You can generate a self-signed certificate using the following command:

   hubctl generate externalssc

This command will generate certificate and private key files ([var directory]/ca/public/external/external.cert.pem and [var directory]/ca/public/external/external.key.pem respectively).
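
The following pre-flight check covers the requirements stated in the notes above: the certificate must name the Hub hostname, it must carry that name in the SAN extension, and the private key must not have a password. It also confirms that the certificate and key belong together. This is an added example, not part of the Altair documentation or hubctl; it assumes the openssl command-line tool is installed, and the script name, function names and arguments are hypothetical.

```sh
#!/bin/sh
# Added example (not Altair code): pre-flight checks for a Hub HTTPS
# certificate and key. Assumes the openssl CLI is on PATH.
# Usage: sh check_hub_cert.sh HOSTNAME CERT.pem KEY.pem

# Succeeds if the PEM key is password-protected (PKCS#8 or legacy format).
key_is_encrypted() {
    grep -Eq -e '-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

# Succeeds if the SAN extension holds an exact DNS entry for the host.
# Wildcard entries are not expanded; a CN-only certificate fails.
cert_has_san_host() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed 's/^ *//;s/ *$//' | grep -Fxq "DNS:$2"
}

# Succeeds if certificate and private key carry the same public key.
# The empty -passin makes an encrypted key fail instead of prompting.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Runs all checks, reports each failure, returns non-zero if any failed.
# The pairing check is skipped for an encrypted key, which cannot be read.
check_hub_cert() {
    host=$1; cert=$2; key=$3; rc=0
    if key_is_encrypted "$key"; then
        echo "FAIL: private key is password-protected" >&2; rc=1
    elif ! cert_matches_key "$cert" "$key"; then
        echo "FAIL: certificate and key do not match" >&2; rc=1
    fi
    cert_has_san_host "$cert" "$host" ||
        { echo "FAIL: no SAN DNS entry for $host" >&2; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $cert is usable for $host"
    return "$rc"
}

if [ "$#" -eq 3 ]; then check_hub_cert "$@"; fi
```

Pass the hostname the Hub is configured with as the first argument, followed by the certificate and key files to be checked.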