Creating TLS certificates

Create Transport Layer Security (TLS) certificate secrets for your IBM® Engineering AI Hub instance.

Before you begin

  • Ensure that you have valid certificates from the certificate authority of the IBM Engineering AI Hub.
  • Ensure that you have the certificate files and the private keys available before you update the IBM Engineering AI Hub routes with the certificates.

Procedure

  1. Log in to the Red Hat® OpenShift® Container Platform by using the Red Hat OpenShift administrator credentials.
  2. From the Project list, select the project where the Engineering AI Hub operator is installed.
  3. Go to Workloads > Secrets.
  4. On the Secrets page, select Key/Value Secret from the Create list.
  5. On the Create Key/Value Secret page, create internal and external TLS secrets.
    For example:
    • Internal secret: aihub-tls-secret-internal
    • External secret: aihub-tls-secret
    1. Provide the following details for the internal TLS secret.
      Keys      Values
      tls.crt   TLS certificate
      tls.key   TLS key
      ca.crt    TLS certificate
      Consider the following example of generating an internal TLS certificate signed by a Certificate Authority (CA) by using OpenSSL.
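
      # ${ns} and ${HOSTNAME} are shell variables: set them to the <namespace> and <hostname> values described below before you run the commands.
      # Create the CA private key and the self-signed CA certificate.
      openssl genpkey -algorithm RSA -out ca.key -pkeyopt rsa_keygen_bits:2048
      openssl req -x509 -new -key ca.key -days 3650 -out ca.crt -subj "/CN=engineeringaihub.com" -addext "subjectAltName=DNS:localhost,DNS:*.${ns}.svc.cluster.local,DNS:${HOSTNAME},DNS:*.${HOSTNAME},IP:127.0.0.1"
      # Create the server private key and a certificate signing request (CSR).
      openssl genpkey -algorithm RSA -out tls.key -pkeyopt rsa_keygen_bits:2048
      openssl req -new -key tls.key -out server.csr -subj "/CN=engineeringaihub.com" -addext "subjectAltName=DNS:localhost,DNS:'*.<namespace>.svc.cluster.local',IP:127.0.0.1"
      # Sign the CSR with the CA and copy the requested extensions into tls.crt.
      openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out tls.crt -days 3650 -copy_extensions copy
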
      Consider the following example of generating a self-signed internal TLS certificate by using OpenSSL.
      
      openssl genpkey -algorithm RSA -out tls.key -pkeyopt rsa_keygen_bits:2048
      openssl req -x509 -days 3650 -new -key tls.key -out tls.crt -subj "/CN=<hostname on which you want to reach AIhub>" -addext "subjectAltName=DNS:localhost,DNS:'*.<namespace>.svc.cluster.local',IP:127.0.0.1" 

      <namespace>
      The Kubernetes namespace that corresponds to the Red Hat OpenShift project where the IBM Engineering AI Hub deployment resides.

      <hostname>
      Use the same host name that you use when configuring routes or ingress resources for IBM Engineering AI Hub applications.
    2. Provide the following details for the external TLS secret.
      Keys      Values
      tls.crt   TLS certificate
      tls.key   TLS key
  6. Click Create.
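
Before you enter the values for the internal secret in step 5, you can check that tls.crt, tls.key, and ca.crt are consistent with each other. The following shell function is an added example and is not part of the IBM procedure; check_tls_secret_files is a hypothetical helper name, and the example assumes that the openssl command is installed and that tls.key is not passphrase-protected.

```sh
#!/bin/sh
# Added example: pre-flight checks for the files that go into the internal TLS secret.
# check_tls_secret_files is a hypothetical helper name, not an IBM or OpenShift tool.
# Usage: sh check_tls.sh <directory containing tls.crt, tls.key, ca.crt> <namespace>
check_tls_secret_files() {
    dir=$1
    ns=$2

    # 1. All three keys of the internal secret must exist and be non-empty.
    for f in tls.crt tls.key ca.crt; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; return 1; }
    done

    # 2. tls.key must be the private key for tls.crt: compare the public keys.
    cert_pub=$(openssl x509 -in "$dir/tls.crt" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$dir/tls.key" -passin pass: -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "tls.key does not match tls.crt" >&2; return 2; }

    # 3. tls.crt must verify against ca.crt. For a self-signed certificate,
    #    ca.crt is a copy of tls.crt.
    openssl verify -CAfile "$dir/ca.crt" "$dir/tls.crt" >/dev/null 2>&1 ||
        { echo "tls.crt does not chain to ca.crt" >&2; return 3; }

    # 4. The subjectAltName must cover the in-cluster wildcard name.
    san="DNS:*.${ns}.svc.cluster.local"
    openssl x509 -in "$dir/tls.crt" -noout -text | grep -Fq "$san" ||
        { echo "subjectAltName lacks $san" >&2; return 4; }

    # 5. The certificate must not already be expired.
    openssl x509 -in "$dir/tls.crt" -noout -checkend 0 >/dev/null ||
        { echo "tls.crt has expired" >&2; return 5; }

    echo "OK: files in $dir are consistent for namespace $ns"
}

# Run the checks only when the script is called with both arguments.
if [ "$#" -eq 2 ]; then
    check_tls_secret_files "$1" "$2"
fi
```

The return code identifies the first check that failed (1 to 5), so the function can gate a script that creates the secret.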