
Obtaining a certificate signed by your DC/OS CA

Enterprise DC/OS Preview Updated: February 15, 2017

About obtaining a certificate signed by your DC/OS CA

To ensure that you communicate with your DC/OS cluster and not another party, obtain a certificate signed by your DC/OS CA using one of the following methods.

  • Out-of-band (recommended): the most secure way to retrieve the certificate is out-of-band. This method provides more assurance that the certificate file you retrieve is signed by your own DC/OS CA and not another CA.

  • Via curl (less secure): using curl to retrieve the certificate requires the use of the -k flag, which opens you up to a man-in-the-middle attack. In such an attack, someone could substitute a certificate signed by a CA other than yours, causing you to trust and communicate with someone other than your own DC/OS cluster.

Retrieving a certificate signed by your DC/OS CA out of band

A certificate signed by your DC/OS CA can be found on any master node at the following path: /run/dcos/pki/CA/certs/ca.crt. For maximum security, you should physically retrieve this file. Alternatively, you could SSH into one of the masters to obtain it.

Tip: Do not modify the ca.crt file stored on the master node in any way. However, after making a copy of this file and storing it elsewhere, we recommend renaming the copy from ca.crt to dcos-ca.crt. This will make it easier to copy and paste the curl commands provided elsewhere in the documentation.

Using curl to retrieve a certificate signed by your DC/OS CA

Using curl to retrieve a certificate signed by your DC/OS CA requires the use of the -k flag, which disables verification of the server's certificate and so opens up the possibility of a man-in-the-middle attack. If this risk does not concern you, use the following command to retrieve the certificate file and save it in the current directory.

Prerequisite: You must have the DC/OS CLI installed.

$ curl -k -v $(dcos config show core.dcos_url)/ca/dcos-ca.crt -o dcos-ca.crt
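As an added example (not part of the DC/OS documentation), the POSIX shell script below combines the two methods described above: it fetches the certificate with curl -k as in the command just shown, but keeps it only if its SHA-256 fingerprint matches a copy of ca.crt retrieved out of band from a master, after which curl --cacert can replace -k. It assumes openssl and curl are installed; the function names and the .unverified suffix are this example's own.

```shell
# Added example, not from the DC/OS docs: accept a CA certificate fetched with
# "curl -k" only if it matches the copy retrieved out of band from a master.
# Assumes openssl and curl are on PATH; function names are this example's own.

# Print the SHA-256 fingerprint (colon-separated hex) of a PEM certificate file.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/^[^=]*=//'
}

# Succeed only if both certificate files have the same, non-empty fingerprint.
ca_matches() {
    trusted=$(ca_fingerprint "$1")
    fetched=$(ca_fingerprint "$2")
    [ -n "$trusted" ] && [ "$trusted" = "$fetched" ]
}

# Fetch the CA over the unverified (-k) channel, compare it with the trusted
# out-of-band copy, and keep it only on a match.
#   $1 = cluster URL, e.g. "$(dcos config show core.dcos_url)"
#   $2 = path to the copy of ca.crt retrieved out of band
#   $3 = output file name (defaults to dcos-ca.crt)
fetch_and_verify_dcos_ca() {
    url=$1; trusted=$2; out=${3:-dcos-ca.crt}
    curl -k -sS "$url/ca/dcos-ca.crt" -o "$out.unverified" || return 1
    if ca_matches "$trusted" "$out.unverified"; then
        mv "$out.unverified" "$out"
        echo "fetched CA matches out-of-band copy: $(ca_fingerprint "$out")"
    else
        rm -f "$out.unverified"
        echo "MISMATCH: fetched CA does not match the out-of-band copy; not trusting it" >&2
        return 1
    fi
}

# Once dcos-ca.crt is verified, later requests can drop -k and pin it instead:
#   curl --cacert dcos-ca.crt "$(dcos config show core.dcos_url)/..."
```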