Introduction to certificates
ECS ships with default unsigned SSL certificates installed in the keystore for each node. These certificates are not trusted by applications that talk to ECS, or by the browser when users access ECS through the ECS Portal.
To prevent users from seeing an untrusted certificate error, or to allow applications to communicate with ECS, you should install a certificate that is signed by a trusted Certificate Authority (CA). You can generate a self-signed certificate to use until you have a CA-signed certificate. The self-signed certificate must be installed into the certificate store of any machines that will access ECS via HTTPS.
ECS uses the following types of SSL certificates:
| Certificate type | Use |
| --- | --- |
| Management certificates | Used for management requests using the ECS Management REST API. These HTTPS requests use port 4443. |
| Object certificates | Used for requests using the supported object protocols. These HTTPS requests use ports 9021 (S3), 9023 (Atmos), 9025 (Swift). |
You can upload a self-signed certificate or a certificate that is signed by a CA. For an object certificate, you can also request ECS to generate a certificate for you. The key/certificate pairs can be uploaded to ECS by using the ECS Management REST API on port 4443.
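A client-side check of the trust behaviour described above, as an added example (not ECS or vendor code): it attempts a fully verified TLS handshake on each port listed on this page and reports whether the certificate presented there is trusted. The host name `ecs.example.com`, the optional CA-bundle argument and the function names are assumptions made for the example.

```python
import socket
import ssl
import sys

# TLS ports and the certificate type served on each, as listed on this page.
ECS_TLS_PORTS = {
    4443: "management",
    9021: "object (S3)",
    9023: "object (Atmos)",
    9025: "object (Swift)",
}


def probe(host, port, cafile=None, timeout=5.0):
    """Attempt a fully verified TLS handshake and classify the outcome."""
    # Default context verifies the chain and the host name. With cafile set,
    # only that bundle is trusted (e.g. an exported self-signed certificate).
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"status": "trusted", "detail": cert.get("notAfter")}
    except ssl.SSLCertVerificationError as exc:
        # Raised for self-signed, unknown-issuer, expired or name-mismatch certs.
        return {"status": "untrusted", "detail": exc.verify_message}
    except ssl.SSLError as exc:
        return {"status": "tls-error", "detail": str(exc)}
    except OSError as exc:  # refused, timed out, DNS failure
        return {"status": "unreachable", "detail": str(exc)}


def audit(host, cafile=None, probe_fn=probe):
    """Probe every ECS TLS port; returns {port: {cert_type, status, detail}}."""
    report = {}
    for port, cert_type in ECS_TLS_PORTS.items():
        result = probe_fn(host, port, cafile)
        report[port] = {"cert_type": cert_type, **result}
    return report


if __name__ == "__main__":
    # Usage: python check_ecs_certs.py <host> [ca-bundle.pem]
    # "ecs.example.com" is a placeholder host, not a real endpoint.
    target = sys.argv[1] if len(sys.argv) > 1 else "ecs.example.com"
    bundle = sys.argv[2] if len(sys.argv) > 2 else None
    for port, row in audit(target, bundle).items():
        print(f"{port:<5} {row['cert_type']:<15} {row['status']:<12} {row['detail']}")
```

Run it once with the system trust store and once with the self-signed certificate passed as the CA bundle: a port that reports `untrusted` in the first run and `trusted` in the second is serving the certificate you expect, but clients still need that certificate installed.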
The following topics explain how to create, upload, and verify certificates: