Story #18338

"arvados-server init" can use a local root CA to sign certificates

Added by Tom Clegg 7 months ago.

Assigned To:
Target version:
Start date:
Due date:
% Done:


Estimated time:
Story points:


When running "arvados-server init" the operator should have the option1 to generate a root CA, use it to sign TLS certificates for all Arvados web services that use TLS, and make the root CA certificate available so users can configure their browsers / command line tools to trust it.

arvados-server init may provide the option, but arvados-server boot should implement the certificate handling. It will be common for users to migrate to/from Let's Encrypt or some other trusted CA, and this will be done by updating config.yml, not by running init again.

Currently "arvados-server boot" uses a local root CA to sign certificates, but the root CA does not persist after a restart, and there is no documented/easy way for users to get the root certificate.

1 This should be the default behavior if no other certificate strategy is selected/available.

Related issues

Related to Arvados Epics - Story #18337: Easy install via OS packageNew09/01/202212/31/2022


#1 Updated by Tom Clegg 7 months ago

  • Related to Story #18337: Easy install via OS package added

Also available in: Atom PDF