Securing Communication with TLS

ENTERPRISE

Securing encrypted communications using TLS certificates

Your DC/OS certificate authority (CA) signs the TLS certificates and provisions them to systemd-started services during the bootstrap sequence. This encrypts communications with no manual intervention required. Each DC/OS cluster has its own DC/OS CA and a unique root certificate. Because your DC/OS CA does not appear in any lists of trusted certificate authorities, requests coming in from outside the cluster, such as from a browser or curl, will result in warning messages. To establish trusted communications with your DC/OS cluster and stop the warning messages:

  1. Obtain the DC/OS CA bundle.

  2. Perform one of the following:

    • Manually add your DC/OS CA as a trusted authority in browsers, curl commands, and other clients.

    • Set up a proxy between Admin Router and user agent requests coming in from outside of the cluster.

Configuring HAProxy in Front of Admin Router

Using HAProxy to set up an HTTP proxy for the DC/OS Admin Router

Configuring a Custom CA Certificate

ENTERPRISE

Configuring DC/OS Enterprise to use a custom CA certificate

Configuring a Custom External Certificate

ENTERPRISE

Configuring DC/OS Enterprise to use a custom external certificate

Obtaining the DC/OS CA bundle

ENTERPRISE

Obtaining the DC/OS CA bundle

Establishing trust in your DC/OS CA

ENTERPRISE

Configuring Chrome and Firefox to trust your DC/OS CA

Establishing trust in your CLI

ENTERPRISE

Establishing trust in your CLI

Establishing trust in your curl commands

ENTERPRISE

Establishing trust in your curl commands

Securing Exhibitor with mutual TLS

ENTERPRISE

Securing DC/OS with a TLS enabled Exhibitor ensemble

Using the Certificate Authority API

ENTERPRISE

Viewing, creating, and signing certificates