Updating S3 certificate
S3 TLS certificates are required to encrypt the S3 traffic and prevent Man in the Middle
(MITM) attacks. You can upload a certificate file to add a new S3 SSL certificate or modify the existing certificate by using the UI, CLI or
API.
Before you can update or replace the certificate file, you must create a server-side certificate with Subject Alternative Name (SAN) and the S3 DNS endpoint. Upload the server-side certificate along with the Key by using the UI, CLI, or API.
For secure traffic, S3 Clients must use the associated CA certificate.
Updating S3 certificate by using the UI
To upload a S3 certificate, complete the following steps.
-
In the IBM Cloud console
, access your deployment and then go to Settings.
-
Click Upload certificate.
Make sure that the file includes the root certificate, server certificate, and server key. The maximum file size that is allowed is 20 kb and the supported file type is
.pem
only. -
Click Upload to choose the certificate from your computer.
-
Click Save to upload the file.
Updating S3 certificate from the CLI
Use the cert-update
command to update or replace existing SSL Certificates. You must include the parameters --cert CERT
to specify the certifcate type to be used, and --body BODY
to specify the file name
with extension .pem
that contains the TLS certificate.
Run the following command to upload the certificate.
ibmcloud software-defined-storage cert-update --cert CERT --body BODY --url string
See the following example.
ibmcloud sds cert-update --cert s3 --url $sds_endpoint --body file-name.pem
...
Name s3
ValidCertificate true
ValidKey true
Trace 75cacd10-7918-44c0-9914-1723ebf74ee1
The $sds_endpoint
is an environment variable that points to the endpoint provided to you when IBM CephaaS was configured. It is in the URL form. For example, https://sds-cephaas.<cephaas-instance-id>.software-defined-storage.appdomain.cloud:{port number}/v1
.
You can set the URL once and then not have to add it for every command. For guidance on how to set the URL, see Config commands.
You can also use the alias sds
as an alternative to software-defined-storage
and crtu
as an alternative to cert-update
for the CLI actions.
Updating S3 certificate with the API
Make a PUT /certificates/{cert_type}
request to replace the S3 SSL Certificates or upload a new PEM formatted file if it does not exist.
Ensure that the replacement file that you are uploading has the server-side certificate and key.
curl -X PUT $sds_endpoint/certificates/s3 \
-H "accept: application/json" \
-H "Authorization: Bearer $IAM_TOKEN"
-H "Content-Type: text/plain" \
-H "IBM-API-Version: 2025-02-01" \
--data-binary "@<filename>.pem"
Example of a response when a certificate already exits in the system:
curl -X PUT $sds_endpoint/certificates/s3 --data-binary "@both.pem" -H 'accept: application/json' -H "Authorization: Bearer $IAM_TOKEN" -H 'IBM-API-Version: 2025-02-01'
...
{
"name": "s3",
"valid_certificate": true,
"valid_key": true,
"trace": "0d40c604-13f7-4181-be4b-b7621ed4d453",
"errors": null
}
The $sds_endpoint
is an environment variable that points to the endpoint provided to you when IBM CephaaS was configured. It is in the URL form. For example, https://sds-cephaas.<cephaas-instance-id>.software-defined-storage.appdomain.cloud:{port number}/v1
.
You can set the URL once and then not have to add it for every command. For guidance on how to set the URL, see Config commands.
See Setting up your CLI and API environment for instructions on how to set the $IAM_TOKEN
variables.
Next steps
You can start creating and managing buckets and objects using the AWS CLI. For guidance, see Using AWS CLI.