You can create a secret with a certificate for HTTPS operation using one of the following options:
Installation via the internet
Method 1. Use a certificate issued by a trusted CA
To create a secret with a certificate for HTTPS operation, you can either purchase a certificate issued by one of the trusted certificate authorities or use an existing one.
Attention: The secret with the certificate must be created in the same namespace where the target application for which the certificate is issued is running or will be installed.
For the BRIX application, the standard namespace is elma365.
For built-in databases, the standard namespace is elma365-dbs.
In the namespace with the target application, create a tls-type secret with the name elma365-onpremise-tls by executing the command:
kubectl create secret tls elma365-onpremise-tls \
--cert=path/to/cert/file \
--key=path/to/key/file [-n namespace]
where:
--cert is the path to the file with the public certificate in .pem or .crt format;
--key is the path to the file with the private key.
Method 2. Use Let’s Encrypt certificate
For more information on issuing a certificate, refer to Create Let’s Encrypt certificate.
Installation without internet access
Method 1: Use a self-signed certificate or a certificate issued by a local CA
You can use an existing certificate issued by a local certificate authority or create a self-signed certificate using OpenSSL. For more information, refer to Create SSL certificates for TLS/SSL with OpenSSL.
Attention: The secret with the certificate must be created in the same namespace where the target application for which the certificate is issued is running or will be installed.
For the BRIX application, the standard namespace is elma365.
For built-in databases, the standard namespace is elma365-dbs.
In the namespace with the target application, create a tls-type secret with the name elma365-onpremise-tls by executing the command:
kubectl create secret tls elma365-onpremise-tls \
--cert=path/to/cert/file \
--key=path/to/key/file [-n namespace]
where:
--cert is the path to the file with the public certificate in .pem or .crt format;
--key is the path to the file with the private key.
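The kubectl create secret tls command above is the same for a certificate from a trusted CA and for a self-signed or local-CA certificate, so one pre-flight check serves both methods. The following is an added example, not part of the BRIX documentation: it confirms that the key belongs to the certificate and that the certificate is not about to expire before creating the secret. The function names tls_pair_ok and create_tls_secret and the 30-day threshold are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: validate a certificate/key pair, then create the TLS secret.

# tls_pair_ok CERT KEY [MIN_DAYS]
# Returns 0 if the pair is usable, 1 if a file cannot be parsed (this includes
# passphrase-protected keys), 2 if the key does not belong to the certificate,
# 3 if the certificate expires within MIN_DAYS days (default 0 = already expired).
tls_pair_ok() {
  local cert_pub key_pub min_days="${3:-0}"

  # Public key embedded in the certificate.
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) ||
    { echo "cannot read certificate: $1" >&2; return 1; }

  # Public key derived from the private key; an empty passphrase is supplied
  # so an encrypted key fails instead of prompting.
  key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) ||
    { echo "cannot read private key: $2" >&2; return 1; }

  [ "$cert_pub" = "$key_pub" ] ||
    { echo "private key does not match certificate" >&2; return 2; }

  # -checkend N exits non-zero if the certificate expires within N seconds.
  openssl x509 -in "$1" -noout -checkend "$((min_days * 86400))" >/dev/null ||
    { echo "certificate expires within ${min_days} day(s)" >&2; return 3; }
}

# create_tls_secret CERT KEY [NAMESPACE]
# Runs the pre-flight check, then the command from this page. The namespace
# defaults to elma365, the standard BRIX namespace named above.
create_tls_secret() {
  tls_pair_ok "$1" "$2" 30 || return
  kubectl create secret tls elma365-onpremise-tls \
    --cert="$1" --key="$2" -n "${3:-elma365}"
}

# Run only when called with arguments, e.g.:
#   ./create-secret.sh path/to/cert/file path/to/key/file elma365
if [ "$#" -ge 2 ]; then
  create_tls_secret "$@"
fi
```

For the built-in databases, pass elma365-dbs as the third argument.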
Configuring trust support for a user CA certificate issued by a local CA
If BRIX and embedded databases require support for trusting a user CA certificate, install the Kyverno add-on module. Kyverno allows automatically adding a volume containing custom CA certificates to containers with a specific label.
If trust support is only required for the BRIX application, it can be enabled in the BRIX Helm chart. To learn more, see Enable network encryption (TLS) in BRIX Enterprise. To enable support in the Helm chart, follow these steps:
In the namespace where the BRIX application is installed, create a ConfigMap named elma365-onpremise-ca from the CA certificate file by executing the command:
kubectl create configmap elma365-onpremise-ca \
--from-file=path/to/rootCA [-n namespace]
Method 2. Use a self-signed certificate with Cert-manager
For more information on issuing a certificate, refer to Create SSL certificates for TLS/SSL using Cert-manager.