Obtaining the DC/OS CA bundle


Obtaining the DC/OS CA bundle

To ensure that you are communicating with your DC/OS cluster and not another potentially malicious party, you must obtain the appropriate trust anchor. This trust anchor is part of the DC/OS CA bundle which is a collection of root CA certificates. In the simplest case, it just contains one item: the root CA certificate corresponding to the DC/OS certificate authority. You can obtain the DC/OS CA bundle, using one of these methods:

Adding an OpenID Connect identity provider

Retrieving the DC/OS CA bundle out of band

The DC/OS CA bundle is located on any master node at the file system path /run/dcos/pki/CA/ca-bundle.crt. For maximum security, you should manually retrieve this file. Alternatively, a reasonably secure method is to SSH into one of the master nodes to obtain the file, if the master nodes cannot be accessed physically. For simplification and to more easily use the curl commands provided elsewhere in the documentation, you can rename the file from ca-bundle.crt to e.g., dcos-ca.crt.

Using curl to retrieve the DC/OS CA bundle

IMPORTANT: If you are using `curl` to retrieve the DC/OS CA bundle, you must use the `-k`/`--insecure` flag. If the communication is performed through HTTPS, this flag disables server certificate verification. This allows for a man-in-the-middle attack, where a malicious party in the network path could send a bad CA bundle, causing you to trust entities from outside your DC/OS cluster.

Prerequisite: You must have the DC/OS CLI installed in order to retrieve the cluster URL in the command below.

Use the following command to retrieve the DC/OS CA bundle and save it in the current directory:

curl -k -v $(dcos config show core.dcos_url)/ca/dcos-ca.crt -o dcos-ca.crt