Container: Deploying an Application - Secured Routes and Certificates

OpenShift can publish your applications at a public URL via routes. Documentation on routes, including a brief overview of how to create them, can be found here.

The first step is to decide on your URL. URLs that end in openshift.dsc.umich.edu (for on-premise applications) and web.umich.edu (AWS-hosted applications) will automatically route to your application. Instructions for requesting custom URLs can be found here.

All routes should be encrypted via SSL certificates. Certificates can be requested using the University's Web Application Sign-Up (WASUP) certificate service. Decide on your application's URL prior to visiting the WASUP site. WASUP will require a valid certificate signing request (CSR) to create your certificate. Instructions on generating a CSR can be found here. Windows users may need to install OpenSSL libraries. Downloadable OpenSSL packages for Windows can be found here.

Note:Certain fields are required for University-requested certificates. Please make sure to specify the following information in these six fields:

  • Country Name: US
  • State: Michigan
  • Locality Name: Ann Arbor
  • Organization Name: University of Michigan
  • Organizational Unit Name: {The unit you work for which you are requesting this certificate.}
  • Common Name: The URL of your service, minus any prefixes for https, etc. E.g. myapp.openshift.dsc.umich.edu

Note:OpenShift does not support the use of password-protected key files. Do not enter a password when generating your CSR & key.

Once your certificate has been requested, the Webmaster team will generate and send the certificate to you within two business days.

Documentation on the the types of encrypted routes is available here. 'Edge' termination is the easiest to setup, and will suffice for most applications. 'Passthrough' or 'Re-encrypt' should be used in cases where the application needs to manage certificates, such as cases where you have an apache (httpd) front-end for your application.

The certificate provided by Webmaster should be uploaded to the 'Certificate' portion of your route. ;The key generated as part of your CSR should be uploaded as your 'Private Key'. Your certificate will also come with certificates from InCommon RSA Server CA and USERTrust RSA Certification Authority. Combine these certificates into a single file and upload this to the 'CA Certificate' portion of your route.

Contact 4-help if you have any questions about this process.

Last Updated: 
Thursday, September 13, 2018