| 1 | +<!--[metadata]> |
| 2 | ++++ |
| 3 | +title = "Use externally-signed certificates" |
| 4 | +description = "Learn how to configure Docker Universal Control Plane to use your own certificates." |
| 5 | +keywords = ["Universal Control Plane, UCP, certificate, authentiation, tls"] |
| 6 | +[menu.main] |
| 7 | +parent="mn_ucp_configuration" |
| 8 | +identifier="ucp_configure_certs" |
| 9 | +weight=0 |
| 10 | ++++ |
| 11 | +<![end-metadata]--> |
| 12 | + |
| 13 | +# Use externally-signed certificates |
| 14 | + |
| 15 | +Docker Universal Control Plane uses TLS to encrypt the traffic between users |
| 16 | +and your cluster. By default this is done using self-signed certificates. |
| 17 | +Since self-signed certificates are not trusted by web browsers, when users |
| 18 | +access the UCP web UI, their browsers display a security warning. To avoid this, |
| 19 | +you can configure UCP to use externally signed certificates. |
| 20 | + |
| 21 | +This can be done while |
| 22 | +[installing the UCP cluster](../installation/install-production.md) by |
| 23 | +providing the externally signed certificates during the installation. |
| 24 | +If you install UCP without providing externally signed certificates, then |
| 25 | +self-signed certificates are used by default. These certificates can be replaced |
| 26 | +at any time. |
| 27 | + |
| 28 | +Since client certificate bundles are signed and verified with the UCP server |
| 29 | +certificates, if you replace the UCP server certificates, users have to |
| 30 | +download new client certificate bundles to be able to run Docker commands on |
| 31 | +the cluster. |
| 32 | + |
| 33 | +## Replace existing certificates |
| 34 | + |
| 35 | +To replace the server certificates used by UCP, for each controller node: |
| 36 | + |
| 37 | +1. Login into the node with ssh. |
| 38 | +2. In the directory where you have the keys and certificates to use, run: |
| 39 | + |
| 40 | + ```bash |
| 41 | + # Create a container that attaches to the same volume where certificates are stored |
| 42 | + $ docker create --name replace-certs -v ucp-controller-server-certs:/data busybox |
| 43 | + |
| 44 | + # Copy your keys and certificates to the container's volumes |
| 45 | + $ docker cp cert.pem replace-certs:/data/cert.pem |
| 46 | + $ docker cp ca.pem replace-certs:/data/ca.pem |
| 47 | + $ docker cp key.pem replace-certs:/data/key.pem |
| 48 | + |
| 49 | + # Remove the container, since you won't need it any longer |
| 50 | + $ docker rm replace-certs |
| 51 | + ``` |
| 52 | + |
| 53 | +3. Restart the `ucp-controller` container. |
| 54 | + |
| 55 | + To avoid downtime, don't restart all the `ucp-controller` containers of |
| 56 | + your cluster at the same time. |
| 57 | +
|
| 58 | + ```bash |
| 59 | + $ docker restart ucp-controller |
| 60 | + ``` |
| 61 | +
|
| 62 | +4. Let your users know. |
| 63 | +
|
| 64 | + After replacing the certificates your users won't be able to authenticate |
| 65 | + with their old client certificate bundles. Ask your users to go to the UCP |
| 66 | + web UI and [get new client certificate bundles](../access-ucp/cli-based-access.md). |