Securing communication with TLS

In permissive and strict security modes, your DC/OS certificate authority (CA) signs the TLS certificates and provisions them to systemd-started services during the bootstrap sequence. This provides encrypted communication with no manual intervention. Each DC/OS cluster has its own DC/OS CA and a unique root certificate.

Because your DC/OS CA does not appear in any lists of trusted certificate authorities, requests coming in from outside the cluster, such as from a browser or curl, will result in warning messages. To establish trusted communications with your DC/OS cluster and stop the warning messages:

  1. Obtain the DC/OS CA bundle.

  2. Perform one of the following:

Configuring HAProxy in Front of Admin Router

You can use HAProxy to set up an HTTP proxy in front of the DC/OS Admin Router. For example, this can be useful if you want to present a custom server certificate to user agents connecting to the cluster via HTTPS. DC/OS does not support adding a custom external certificate directly into Admin Router, although it is possible to provide a custom CA certificate as the DC/OS CA.

Using a Custom CA Certificate

Configuring DC/OS Enterprise to use a custom CA certificate.

Obtaining the DC/OS CA bundle

To ensure that you are communicating with your DC/OS cluster and not another, potentially malicious party, you must obtain the appropriate trust anchor. This trust anchor is part of the DC/OS CA bundle, which is a collection of root CA certificates. In the simplest case, it contains just one item: the root CA certificate corresponding to the DC/OS certificate authority. You can obtain the DC/OS CA bundle using one of several methods.

Configuring browsers to trust your DC/OS CA

How to configure Chrome and Firefox to trust your DC/OS CA.

Configuring the DC/OS CLI to trust your DC/OS CA

By default, the DC/OS CLI does not verify the signer of TLS certificates. We recommend completing the following brief procedure to ensure that the DC/OS CLI trusts only your DC/OS CA and refuses connections with other parties.

Establishing trust in your curl commands

If you have not set up a proxy, you should use `--cacert dcos-ca.crt` in your curl commands in `permissive` and `strict` security modes.

Certificate Authority API

The Certificate Authority API allows you to view the TLS certificates used by DC/OS Enterprise, create Certificate Signing Requests (CSRs), and have the DC/OS CA sign CSRs.