About obtaining a certificate signed by your DC/OS CA
To ensure that you communicate with your DC/OS cluster and not another party, obtain a certificate signed by your DC/OS CA using one of the following methods.
- Out-of-band (recommended): the most secure way to retrieve the certificate is out-of-band. This method provides more assurance that the certificate file you retrieve is signed by your own DC/OS CA and not another CA.
- Via curl (less secure): using curl to retrieve the certificate requires the use of the -k flag, which opens you up to a man-in-the-middle attack. In such an attack, someone could substitute a certificate signed by a CA other than yours, causing you to trust and communicate with someone other than your own DC/OS cluster.
Retrieving a certificate signed by your DC/OS CA out of band
A certificate signed by your DC/OS CA can be found on any master node at the following path: /run/dcos/pki/CA/certs/ca.crt. For maximum security, you should physically retrieve this file. Alternatively, you could SSH into one of the masters to obtain it.
Tip: Do not modify the ca.crt file stored on the master node in any way. However, after making a copy of this file and storing it elsewhere, we recommend renaming the copy to dcos-ca.crt. This will make it easier to copy and paste the curl commands provided elsewhere in the documentation.
Using curl to retrieve a certificate signed by your DC/OS CA
Using curl to retrieve a certificate signed by your DC/OS CA requires the use of the -k flag, which opens up the possibility of a man-in-the-middle attack. If this risk does not concern you, use the following command to retrieve the certificate file and save it in the current directory.
Prerequisite: You must have the DC/OS CLI installed.
$ curl -k -v $(dcos config show core.dcos_url)/ca/dcos-ca.crt -o dcos-ca.crt
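Whichever way the file was fetched, the check that closes the gap between the two methods above is to compare the SHA-256 fingerprint of the curl-fetched dcos-ca.crt with the copy taken out of band from the master. The following is an added example, not part of the DC/OS documentation or code: it hashes the DER bytes inside each PEM block (so line-ending differences between copies do not matter) and runs on constructed placeholder input rather than a real certificate.

```python
"""Compare a CA certificate fetched with `curl -k` against an out-of-band copy.

Added example; not DC/OS code. The sample PEM blocks below are constructed
placeholders, not real certificates.
"""
import base64
import hashlib
import re

# One PEM CERTIFICATE block; DOTALL lets the base64 body span lines.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)


def pem_fingerprints(pem_text: str) -> list:
    """SHA-256 fingerprint (upper-case hex, colon separated) of every
    certificate in the PEM text, in file order. Hashing the decoded DER
    means CRLF vs LF or re-wrapped base64 lines do not change the result."""
    fingerprints = []
    for body in _PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        hexdigest = hashlib.sha256(der).hexdigest().upper()
        fingerprints.append(":".join(hexdigest[i:i + 2] for i in range(0, 64, 2)))
    if not fingerprints:
        raise ValueError("no CERTIFICATE blocks found in PEM input")
    return fingerprints


def fetched_matches_trusted(fetched_pem: str, trusted_pem: str) -> bool:
    """True only if the fetched file carries exactly the certificate(s) of the
    out-of-band copy, in the same order; anything else should not be trusted."""
    return pem_fingerprints(fetched_pem) == pem_fingerprints(trusted_pem)


def build_pem(der: bytes) -> str:
    """Wrap bytes in a PEM CERTIFICATE block (used only to build sample input)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample input standing in for /run/dcos/pki/CA/certs/ca.crt
# (trusted) and two possible results of the curl -k download.
TRUSTED_PEM = build_pem(b"constructed placeholder, not real DER")
FETCHED_SAME = TRUSTED_PEM.replace("\n", "\r\n")       # same cert, CRLF endings
FETCHED_OTHER = build_pem(b"constructed placeholder for a substituted cert")

if __name__ == "__main__":
    print("trusted   :", pem_fingerprints(TRUSTED_PEM)[0])
    print("CRLF copy matches      :", fetched_matches_trusted(FETCHED_SAME, TRUSTED_PEM))
    print("substituted copy matches:", fetched_matches_trusted(FETCHED_OTHER, TRUSTED_PEM))
```

The same value is printed by `openssl x509 -noout -fingerprint -sha256 -in dcos-ca.crt`, so the out-of-band fingerprint can be compared by eye on the master. Once the copies match, point curl at the file with `--cacert dcos-ca.crt` instead of `-k`.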