As part of the post-installation process, you might want to set up your Secure Sockets Layer (SSL) certificates. Setting up SSL certificates is optional when installing SaltStack Config, but recommended.

Prerequisites

Setting up the SSL certificates is one post-installation step in a series of several steps that should be followed in a specific order. First, complete one of the installation scenarios and then read the following post-installation pages:

Set up and configure SSL certificates

To create the SSL certificates:

  1. The python36-pyOpenSSL package is necessary to configure SSL after installation. This step is usually completed before installation. If you were unable to install it before installation, it can be installed now. For instructions about checking for and installing this dependency, see Install or upgrade Salt.
  2. Create and set permissions for the certificate folder for the RaaS service.
    sudo mkdir -p /etc/raas/pki
    sudo chown raas:raas /etc/raas/pki
    sudo chmod 750 /etc/raas/pki
  3. Generate keys for the RaaS service using Salt, or provide your own.
    sudo salt-call --local tls.create_self_signed_cert tls_dir=raas
    sudo chown raas:raas /etc/pki/raas/certs/localhost.crt
    sudo chown raas:raas /etc/pki/raas/certs/localhost.key
    sudo chmod 400 /etc/pki/raas/certs/localhost.crt
    sudo chmod 400 /etc/pki/raas/certs/localhost.key
  4. To enable SSL connections to SaltStack Config user interface, generate a PEM-encoded SSL certificate or ensure that you have access to an existing PEM-encoded certificate.
  5. Save the .crt and .key files you generated in the previous step to /etc/pki/raas/certs on the RaaS node.
  6. Update the RaaS service configuration by opening /etc/raas/raas in a text editor. Configure the following values, replacing <filename> with your SSL certificate filename:
    tls_crt:/etc/pki/raas/certs/<filename>.crt
    tls_key:/etc/pki/raas/certs/<filename>.key
    port:443
  7. Restart the RaaS service.
    sudo systemctl restart raas
  8. Verify the RaaS service is running.
    sudo systemctl status raas
  9. Confirm that you can connect to the user interface in a web browser by navigating to your organization’s custom SaltStack Config URL and entering your credentials. For more information about logging in, see Log in for the first time and change default credentials.

Your SSL certificates for SaltStack Config are now set up.

Updating SSL certificates

Instructions for updating SSL certificates for SaltStack Config are available at the VMware knowledge base. For more information, see How to update SSL certificates for SaltStack Enterprise.

What to do next

After setting up SSL certificates, you may need to complete additional post-installation steps.

If you are a SaltStack SecOps customer, the next step is to set up these services. For more information, see SaltStack SecOps configuration.