Generate certificates
You can generate a self-signed certificate, or you can purchase a certificate from a certificate authority (CA). The CA-signed certificate is recommended for production purposes because it can be validated by any client machine without any extra steps.
Certificates must be in PEM-encoded x509 format.
When you generate a certificate, you typically specify the hostname where the certificate is used as the common name (CN). However, because ECS has multiple nodes, each with its own hostname, you must create a single certificate that covers all the host names of an ECS cluster. SSL certificates support this through the Subject Alternative Names (SAN) extension, which lets you list every host name and IP address the certificate should support.
For maximum compatibility with object protocols, the Common Name (CN) on your certificate must point to the wildcard DNS entry used by S3, because S3 is the only protocol that uses virtually hosted buckets (it injects the bucket name into the hostname). You can specify only one wildcard entry on an SSL certificate, and it must be the CN. The other DNS entries for your load balancer, for the Atmos and Swift protocols, must be registered as Subject Alternative Names (SANs) on the certificate.
The topics in this section show how to generate a certificate or certificate request using openssl. Your IT organization may have different requirements or procedures for generating certificates.
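The following shell functions are an added example, not part of the ECS documentation, showing the openssl config layout the text describes: the S3 wildcard name as the CN, the Atmos and Swift load-balancer names and node IP addresses in the SAN list, and a check that the SANs actually made it into the resulting CSR or certificate (a common mistake is that openssl silently drops them when the config is not passed). All host names, IP addresses and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the ECS documentation). Host names and IPs are
# constructed placeholders; substitute your own S3 wildcard, Atmos and Swift
# load-balancer names and ECS node addresses.

# write_san_config OUTFILE CN SAN_LIST
#   SAN_LIST is comma-separated, e.g. "DNS:*.s3.example.com,DNS:atmos.example.com,IP:10.0.0.11"
#   The single wildcard goes in the CN; all other names and IPs go in subjectAltName.
write_san_config() {
  out="$1"; cn="$2"; sans="$3"
  cat > "$out" <<EOF
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt             = no

[ req_distinguished_name ]
CN = $cn

[ v3_req ]
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = $sans
EOF
}

# make_csr CONFIG KEYOUT CSROUT
#   Produces a private key and a certificate request to send to a CA.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$2" -out "$3" -config "$1"
}

# make_self_signed CONFIG KEYOUT CRTOUT DAYS
#   Produces a self-signed certificate; -extensions copies v3_req (SANs) into it.
make_self_signed() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days "$4" \
    -keyout "$2" -out "$3" -config "$1" -extensions v3_req
}

# san_count FILE [x509|req]
#   Counts the DNS and IP SAN entries a certificate (x509) or CSR (req) carries,
#   so you can confirm the SAN list was applied before deploying it.
san_count() {
  openssl "${2:-x509}" -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tr ',' '\n' | grep -c -E 'DNS:|IP Address:'
}

# cert_cn CRTFILE: prints the subject line, which must show the S3 wildcard CN.
cert_cn() {
  openssl x509 -in "$1" -noout -subject
}
```

Usage: `write_san_config ecs.cnf '*.s3.example.com' 'DNS:*.s3.example.com,DNS:atmos.example.com,DNS:swift.example.com,IP:10.0.0.11'`, then either `make_csr ecs.cnf ecs.key ecs.csr` for a CA-signed certificate or `make_self_signed ecs.cnf ecs.key ecs.crt 365` for a self-signed one, and finally `san_count ecs.crt` (or `san_count ecs.csr req`) to verify that every load-balancer name and node address is present. The wildcard is repeated in the SAN list deliberately: modern clients ignore the CN and match only against SANs.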