About obtaining the root certificate of your DC/OS CA
To ensure that you communicate with your DC/OS cluster and not another party, obtain the root certificate of your DC/OS CA using one of the following methods.
Out of band (recommended): the most secure way to retrieve the root certificate is out of band. This method provides more assurance that you have the root certificate of your own DC/OS CA and not another CA.
Via curl (less secure): using curl to retrieve the certificate requires the use of the
-kflag, which opens you up to a man-in-the-middle attack. In such an attack, someone could substitute the root certificate of a CA other than yours, causing you to trust and communicate with someone other than your own DC/OS cluster.
The root certificate of your DC/OS CA can be found on any master node at the following path
/run/dcos/pki/CA/certs/ca.crt. For maximum security, you should physically retrieve this file. Alternatively, you could SSH into one of the masters to obtain it.
Tip: Do not modify the
ca.crt file stored on the master node in any way. However, after making a copy of this file and storing it elsewhere, we recommend renaming the copy from
dcos-ca.crt. This will make it easier to copy and paste the curl commands provided elsewhere in the documentation.
Using curl to retrieve the root certificate of your DC/OS CA requires the use of the
-k flag, which opens up the possibility of a man-in-the-middle attack. If this risk does not concern you, use the following command to retrieve the certificate file and save it in the current directory.
Prerequisite: You must have the DC/OS CLI installed.
curl -k -v $(dcos config show core.dcos_url)/ca/dcos-ca.crt -o dcos-ca.crt