Container Service: Deploying an Application - Secured Routes and Certificates

OpenShift documentation on routes is here.

webplatformsunpublished.umich.edu

All routes should be encrypted via SSL certificates. Routes within the webplatformsunpublished.umich.edu domain can utilize a wildcard certificate provided for the Container Service. Simply specify 'edge termination' and do not include any certificates.

Other Domains

Certificates can be requested using the University's Web Application Sign-Up (WASUP) certificate service. Decide on your application's URL prior to visiting the WASUP site. WASUP will require a valid certificate signing request (CSR) to create your certificate. Instructions on generating a CSR can be found here. Windows users may need to install OpenSSL libraries. Downloadable OpenSSL packages for Windows can be found here.

Note: Certain fields are required for University-requested certificates. Please make sure to specify the following information in these six fields:

  • Country Name: US
  • State: Michigan
  • Locality Name: Ann Arbor
  • Organization Name: University of Michigan
  • Organizational Unit Name: {The unit you work for and on whose behalf you are requesting this certificate.}
  • Common Name: The URL of your service, minus any prefixes for https, etc. E.g. myapp.example-unit.umich.edu

Note: OpenShift does not support the use of password-protected key files. Do not enter a password when generating your CSR & key.

Once your certificate has been requested, the Webmaster team will generate and send the certificate to you within two business days.

Which Route Type Should I Use?

Documentation on the types of encrypted routes is available here. 'Edge' termination is the easiest to set up and will suffice for most applications. 'Passthrough' or 'Re-encrypt' should be used in cases where the application needs to manage certificates. Edge termination should be used whenever possible.

Updating 'Edge' and 'Re-encrypt' routes

The certificate provided by Webmaster should be uploaded to the 'Certificate' portion of your route. The key generated as part of your CSR should be uploaded as your 'Private Key'. Your certificate will also come with certificates from InCommon RSA Server CA. These should be used for the 'CA Certificate' portion of your route.
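The CSR requirements under "Other Domains" and the upload step above can be checked locally before anything is submitted or pasted into a route. The following is an added example, not part of the original documentation: it uses the standard `openssl` command line, and the function names, the 2048-bit RSA key size, the file naming and the sample unit name are assumptions.

```shell
#!/bin/sh
# Added example. Function names, key size and file layout are assumptions.

# make_csr <common-name> <org-unit> <output-dir>
# Creates <cn>.key (no passphrase, as OpenShift requires) and <cn>.csr
# with the six subject fields listed above.
make_csr() {
  cn=$1; ou=$2; dir=$3
  ( umask 077   # keep the private key readable by its owner only
    openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$dir/$cn.key" -out "$dir/$cn.csr" \
      -subj "/C=US/ST=Michigan/L=Ann Arbor/O=University of Michigan/OU=$ou/CN=$cn" \
      2>/dev/null )
}

# csr_subject <csr>: print the subject so the fields can be reviewed
# before the CSR is submitted.
csr_subject() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253
}

# key_is_unencrypted <key>: succeeds only if the PEM key has no passphrase.
# Encrypted PEM keys carry "ENCRYPTED" in the header or the Proc-Type line.
key_is_unencrypted() {
  [ -s "$1" ] && ! grep -q 'ENCRYPTED' "$1"
}

# cert_matches_key <cert> <key>: succeeds only if the certificate was issued
# for this private key (same public key). Run before uploading to the route.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Demo with constructed values, written to a temporary directory.
demo_dir=$(mktemp -d)
make_csr myapp.example-unit.umich.edu "Example Unit" "$demo_dir"
csr_subject "$demo_dir/myapp.example-unit.umich.edu.csr"
key_is_unencrypted "$demo_dir/myapp.example-unit.umich.edu.key" \
  && echo "key has no passphrase"
```

Once the issued certificate arrives, `cert_matches_key issued.crt myapp.example-unit.umich.edu.key` confirms that the 'Certificate' and 'Private Key' fields of the route will hold a matching pair.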

Contact 4-help if you have any questions about this process.

Last Updated: Friday, July 10, 2020