Cluster SSL Certificate

  • 26 May 2015
  • 3 replies

Team,

I would like to install an SSL certificate for my cluster. I have 3 nodes in it and I am wondering how many certificates I should request.

1 single certificate for the entire cluster (the CSR will be generated using the Leader, but what is going to happen if the leader changes?) or should I request 3 certificates (one for each CVM)?

Many thanks in advance,

Regards,

Thibaut

3 replies

Hi Thibaut,

The easiest solution would be either a single wildcard certificate, or a SAN certificate which contains your CVM and Cluster VIP hostnames as Subject Alternative Names - that way you apply one certificate consistently across all your nodes.
By default your CVMs ship with a self-signed wildcard certificate for *.nutanix.local. Nutanix recommends replacing this with a CA-signed certificate (a wildcard is the most straightforward). The public documentation for SSL cert replacement is located here (link below), and it includes a list of supported certificate configurations and a brief how-to:

https://portal.nutanix.com/#/page/docs/details?targetId=Web_Console_Guide-NOS_v4_1:wc_security_ssl_certificate_wc_t.html

I will try to install 1 certificate that has the cluster FQDN as its CN, with associated SAN certificates which contain the CVM FQDN, and I will keep you updated.

Thank you.

Thibaut

Just keep in mind that a SAN certificate is going to add some complexity as you expand your cluster. You'll need to keep adding another SAN to the cert every time you add an additional node, whereas a wildcard would be one-and-done from a future-proof perspective.

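The SAN-versus-wildcard trade-off discussed in this thread, as an added example that is not part of the original posts or of Nutanix documentation: a coverage check that reports which cluster hostnames a certificate's DNS SAN list does not cover. All hostnames under `lab.example.test` are constructed, and the matcher is a simplified form of the usual rule that `*` stands for exactly one leftmost label.

```python
def san_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS SAN entry against a hostname.

    A '*' is honoured only as the entire leftmost label and covers
    exactly one label, so it never matches the parent domain itself
    or names nested one level deeper.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Require at least two fixed labels after the wildcard.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def uncovered(sans, hostnames):
    """Return the hostnames that no SAN entry covers."""
    return [h for h in hostnames if not any(san_matches(s, h) for s in sans)]


# Constructed sample data: a 3-node cluster plus its virtual IP name.
CLUSTER = [
    "cluster01.lab.example.test",  # cluster VIP
    "cvm1.lab.example.test",
    "cvm2.lab.example.test",
    "cvm3.lab.example.test",
]
NEW_NODE = "cvm4.lab.example.test"         # node added during expansion
NESTED = "cvm1.mgmt.lab.example.test"      # name one label deeper

SAN_CERT = list(CLUSTER)                   # one SAN per existing name
WILDCARD_CERT = ["*.lab.example.test"]

if __name__ == "__main__":
    for label, sans in (("SAN", SAN_CERT), ("wildcard", WILDCARD_CERT)):
        missing = uncovered(sans, CLUSTER + [NEW_NODE, NESTED])
        print(f"{label} certificate does not cover: {missing}")
```

Running a check like this against the planned hostname list before submitting the CSR shows whether a cluster expansion will force a certificate reissue, and that a wildcard still misses names outside its single label.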