Story #18338
open"arvados-server init" can use a local root CA to sign certificates
0%
Description
When running "arvados-server init" the operator should have the option1 to generate a root CA, use it to sign TLS certificates for all Arvados web services that use TLS, and make the root CA certificate available so users can configure their browsers / command line tools to trust it.
arvados-server init
may provide the option, but arvados-server boot
should implement the certificate handling. It will be common for users to migrate to/from Let's Encrypt or some other trusted CA, and this will be done by updating config.yml, not by running init
again.
Currently "arvados-server boot" uses a local root CA to sign certificates, but the root CA does not persist after a restart, and there is no documented/easy way for users to get the root certificate.
1 This should be the default behavior if no other certificate strategy is selected/available.
Updated by Tom Clegg about 3 years ago
- Related to Story #18337: Easy install via OS package added