Certificate Management

Starting with Altair AI Hub version 2025.0, AI Hub no longer supports plain HTTP. You must therefore obtain a certificate from a trusted certificate authority (CA), either a public issuer or a corporate CA that is trusted by all devices that have access to the deployment.

Alternatively, you can use Let’s Encrypt, a free, automated, and open certificate authority (CA), run for the public’s benefit. It is a service provided by the Internet Security Research Group (ISRG).

The letsencrypt Docker image provided with AI Hub contains the Certbot application, which is the official client application for https://letsencrypt.org/.

The deployment templates support configuration for two types of certificates:

  • TLS offloading: these certificates are used in the proxy container (a fullchain is still required). The certificate can be issued by any public certificate authority, including Let's Encrypt, or by a custom authority.
  • Custom Certificate Authority certificates: these certificates are added to the trust store of every container, so certificates issued by those CAs are trusted by the containers.

Certificates used for TLS offloading

These certificates are used in the proxy container, and the certificate must be a fullchain.

These certificates are configured with the following variables in the .env file for Docker:

HTTPS_CRT_PATH=/etc/nginx/ssl/certificate.crt
HTTPS_KEY_PATH=/etc/nginx/ssl/private.key

or with the following properties in the Helm chart (some properties are already set up for HTTPS):

common:
  domain: "<FQDN>"
  deploymentPort: "443"
  deploymentProtocol: "https"
  publicUrl: "https://<FQDN>"
  ssoDomain: "<FQDN>"
  ssoPublicUrl: "https://<FQDN>"
  publicCert:
    tlsSecretName: "ai-hub-proxy-certificate-secret-name"

For Kubernetes, as the values above show, a secret must be created in the namespace where you will deploy Altair AI Hub before actually deploying it.

Within the secret, the certificate appears as tls.crt and the private key as tls.key; we suggest keeping those names. In the command below, cert.cert and private.key are the files that store your certificate and private key. The secret name must match the tlsSecretName set in the Helm values.

The secret can be created with the following command:

kubectl create secret generic ai-hub-proxy-certificate-secret-name \
  --from-file=tls.crt=cert.cert \
  --from-file=tls.key=private.key

After creating the Kubernetes secret, the cert.cert and private.key files can be removed from the filesystem.

Password protected certificates used for TLS offloading

Password-protected certificates are configured with the following variable in the .env file for Docker:

HTTPS_KEY_PASSWORD_FILE_PATH=/etc/nginx/ssl/password.txt

or with the following properties in the Helm chart (some properties are already set up for HTTPS):

common:
  domain: "<FQDN>"
  deploymentPort: "443"
  deploymentProtocol: "https"
  publicUrl: "https://<FQDN>"
  ssoDomain: "<FQDN>"
  ssoPublicUrl: "https://<FQDN>"
  publicCert:
    tlsSecretName: "ai-hub-proxy-certificate-secret-name"
    passwordFile:
      enabled: True
      passwordSecretName: "ai-hub-proxy-certificate-password-secret-name"
proxy:
  https:
    keyPasswordPath: "certificate-password-file.txt"

For Kubernetes, as the values above show, a secret must be created in the namespace where you will deploy Altair AI Hub before actually deploying it.

Within the secret, the certificate appears as tls.crt and the private key as tls.key; we suggest keeping those names. In the command below, cert.cert and private.key are the files that store your certificate and private key. The secret name must match the tlsSecretName set in the Helm values.

The secret can be created with the following command:

kubectl create secret generic ai-hub-proxy-certificate-secret-name \
  --from-file=tls.crt=cert.cert \
  --from-file=tls.key=private.key

After creating the Kubernetes secret, the cert.cert and private.key files can be removed from the filesystem.

In addition, a secret containing the password for the certificate must be created in the namespace where you will deploy Altair AI Hub before actually deploying it.

Create a file, for example named ai-hub-proxy-certificate-password.txt, and save the password of the certificate in it.

The following command reads the contents of ai-hub-proxy-certificate-password.txt and creates the Kubernetes secret:

kubectl create secret generic ai-hub-proxy-certificate-password-secret-name --from-file ai-hub-proxy-certificate-password.txt

After creating the Kubernetes secret, the ai-hub-proxy-certificate-password.txt file can be removed from the filesystem.
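
Before creating the secrets described in the two sections above (plain and password-protected keys), the files can be checked locally. The following is an added example, not part of the AI Hub documentation or tooling: the function names are hypothetical, and it assumes PEM-encoded files, the openssl CLI, and that a fullchain holds at least two certificates.

```shell
#!/bin/sh
# Added example: preflight checks before `kubectl create secret`.
# File names in the usage line are the ones the page uses.

# Print the number of certificates in a PEM bundle.
count_pem_certs() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Succeed if the PEM key is passphrase-protected (PKCS#8 encrypted header
# or the legacy "Proc-Type: 4,ENCRYPTED" marker).
key_is_encrypted() {
  grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
          -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# Succeed if the key's public half equals the public key of the first
# (leaf) certificate in the bundle. $3 is an optional passphrase file.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
  if [ -n "${3:-}" ]; then
    key_pub=$(openssl pkey -in "$2" -passin "file:$3" -pubout) || return 2
  else
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
  fi
  [ "$cert_pub" = "$key_pub" ]
}

# Usage: preflight cert.cert private.key [ai-hub-proxy-certificate-password.txt]
preflight() {
  n=$(count_pem_certs "$1")
  # Assumption: a fullchain holds the leaf plus at least one intermediate.
  [ "${n:-0}" -ge 2 ] || { echo "FAIL: $1 holds ${n:-0} certificate(s), not a fullchain"; return 1; }
  if key_is_encrypted "$2" && [ -z "${3:-}" ]; then
    echo "FAIL: $2 is encrypted; configure the password file/secret"; return 1
  fi
  key_matches_cert "$1" "$2" "${3:-}" || { echo "FAIL: $2 does not match the leaf certificate in $1"; return 1; }
  echo "OK: $n certificates in chain, key matches leaf"
}
```

Run `preflight` in the directory that holds the files, before they are removed from the filesystem.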

Obtaining Let's Encrypt certificate for TLS offloading

The certificate is issued by Let's Encrypt on demand after AI Hub is deployed.

Note that the FQDN of the deployment must be resolvable by any public name server and must point to this deployment.

Custom Certificate Authority certificates

These certificates are added to the trust store of every container, so certificates issued by those CAs are trusted by the containers.

To use a custom CA certificate, a TLS secret must be created in the same namespace where AI Hub will be deployed. Use the standard Kubernetes command to create the TLS secret:

kubectl create secret generic my-internal-cert --from-file=tls.crt=certificate.crt

Use the TLS secret name in custom-values.yaml:

common:
  .........
  customCA:
    enabled: True
    tlsSecretName: my-internal-cert