docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
docs/ee/ucp/admin/configure/_site/use-your-own-tls-certificat...

58 lines
2.6 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<p>All UCP services are exposed using HTTPS, to ensure all communications between
clients and UCP are encrypted. By default, this is done using self-signed TLS
certificates that are not trusted by client tools like web browsers. So when
you try to access UCP, your browser warns that it doesnt trust UCP or that
UCP has an invalid certificate.</p>
<p><img src="../../images/use-externally-signed-certs-1.png" alt="invalid certificate" /></p>
<p>The same happens with other client tools.</p>
<pre><code class="language-none">$ curl https://ucp.example.org
SSL certificate problem: Invalid certificate chain
</code></pre>
<p>You can configure UCP to use your own TLS certificates, so that it is
automatically trusted by your browser and client tools.</p>
<p>To ensure minimal impact to your business, you should plan for this change to
happen outside business peak hours. Your applications will continue running
normally, but existing UCP client certificates will become invalid, so users
will have to download new ones to <a href="../../user-access/cli.md">access UCP from the CLI</a>.</p>
<h2 id="configure-ucp-to-use-your-own-tls-certificates-and-keys">Configure UCP to use your own TLS certificates and keys</h2>
<p>In the UCP web UI, log in with administrator credentials and
navigate to the <strong>Admin Settings</strong> page.</p>
<p>In the left pane, click <strong>Certificates</strong>.</p>
<p><img src="../../images/use-externally-signed-certs-2.png" alt="" /></p>
<p>Upload your certificates and keys:</p>
<ul>
<li>A <code class="highlighter-rouge">ca.pem</code> file with the root CA public certificate.</li>
<li>A <code class="highlighter-rouge">cert.pem</code> file with the TLS certificate for your domain and any intermediate public
certificates, in this order.</li>
<li>A <code class="highlighter-rouge">key.pem</code> file with TLS private key. Make sure it is not encrypted with a password.
Encrypted keys should have <code class="highlighter-rouge">ENCRYPTED</code> in the first line.</li>
</ul>
<p>Finally, click <strong>Save</strong> for the changes to take effect.</p>
<p>After replacing the TLS certificates, your users wont be able to authenticate
with their old client certificate bundles. Ask your users to go to the UCP
web UI and <a href="../../user-access/cli.md">get new client certificate bundles</a>.</p>
<p>If you deployed Docker Trusted Registry, youll also need to reconfigure it
to trust the new UCP TLS certificates.
<a href="/reference/dtr/2.5/cli/reconfigure.md">Learn how to configure DTR</a>.</p>
<h2 id="where-to-go-next">Where to go next</h2>
<ul>
<li><a href="../../user-access/cli.md">Access UCP from the CLI</a></li>
</ul>
Reference in New Issue View Git Blame Copy Permalink