Deploying self-signed cephadm certificates with SAN configuration

Configure HTTPS for the Ceph Object Gateway (RGW) by using cephadm-managed self-signed certificates with Subject Alternative Name (SAN) entries.

Before you begin

Before you begin, make sure that you have the following prerequisites in place:
  • A running and healthy IBM Storage Ceph cluster.
  • The Ceph Object Gateway is deployed by using cephadm.
  • Root-level access to the Ceph cluster.

About this task

This task extends the HTTPS configuration for the Ceph Object Gateway by enabling self-signed certificates with SAN entries. SAN configuration allows access by using multiple domain names or hostnames, which is required for virtual-host–style S3 access and multi-site deployments.

cephadm automatically generates and manages certificates when certificate_source: cephadm-signed is used (or generate_cert is set). You can specify SAN entries by using zonegroup_hostnames.

Procedure

  1. Create a service specification file for the RGW deployment.
    [ceph: root@host01 ~]# touch rgw.yaml
  2. Define the RGW service specification with HTTPS and SAN configuration.

    Enable certificate generation and specify hostnames for SAN entries.

    service_type: rgw
    service_id: my-rgw
    placement:
      hosts:
        - host01
    spec:
      ssl: true
      certificate_source: cephadm-signed
      wildcard_enabled: true
      zonegroup_hostnames:
        - s3.example.com
        - s3.zone1.example.com
    Note: generate_cert: true remains supported; certificate_source: cephadm-signed is the preferred method for new configurations.
  3. Deploy the RGW service by using the specification file.
    Note: Ensure that rgw_realm, rgw_zone, and rgw_zonegroup are created before deploying the RGW service.
    ceph orch apply -i rgw.yaml
  4. Verify that the certificate includes the SAN entries.

    Retrieve the generated certificate:

    ceph orch certmgr cert get cephadm_root_ca_cert > cephadm-root-ca.crt

    Inspect the certificate:

    openssl x509 -in cephadm-root-ca.crt -noout -text

    The output includes SAN entries similar to:

    X509v3 Subject Alternative Name:
    DNS:s3.example.com, DNS:s3.zone1.example.com

    The SAN values are derived from zonegroup_hostnames.
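    The following is an added example, not part of this IBM documentation: a small POSIX shell check that confirms a PEM certificate carries every hostname from zonegroup_hostnames as a DNS SAN entry. It builds a throwaway self-signed certificate with the same two SAN entries as the specification above (a constructed stand-in, since it has to run outside a cluster); the helper names cert_sans and check_sans are assumptions.

```shell
#!/bin/sh
# Added example (not from the documentation page): verify that a certificate
# contains each expected hostname as a DNS Subject Alternative Name.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed sample certificate: mirrors the SAN entries that the
# zonegroup_hostnames in the spec above would produce. Requires OpenSSL 1.1.1+.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORKDIR/rgw.key" -out "$WORKDIR/rgw.crt" \
  -subj "/CN=s3.example.com" \
  -addext "subjectAltName=DNS:s3.example.com,DNS:s3.zone1.example.com" \
  >/dev/null 2>&1

# cert_sans CERT : print the DNS names from the subjectAltName extension,
# one per line (the extension's values sit on the line after its header).
cert_sans() {
    openssl x509 -in "$1" -noout -text \
      | sed -n '/Subject Alternative Name/{n;p;}' \
      | tr ',' '\n' \
      | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# check_sans CERT HOST... : succeed only if every HOST appears as a DNS SAN.
check_sans() {
    cert="$1"; shift
    sans=$(cert_sans "$cert")
    for host in "$@"; do
        if ! printf '%s\n' "$sans" | grep -qx "$host"; then
            echo "missing SAN entry: $host" >&2
            return 1
        fi
    done
    return 0
}

check_sans "$WORKDIR/rgw.crt" s3.example.com s3.zone1.example.com \
  && echo "all expected SAN entries present"
```

    Point cert_sans at the certificate the gateway presents on its HTTPS port; the SAN entries belong to that service certificate, not to the CA certificate that signs it.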

Results

The Ceph Object Gateway is configured with HTTPS using cephadm-managed certificates. The generated certificate includes SAN entries that allow access through multiple hostnames or domains.

What to do next

You can extend this configuration for multi-site deployments. For more information, see: