It’s been a while since Ceph Rados Gateway (RGW) has had built-in support for SSL. In this blog post, we’ll quickly cover how to setup SSL for RGW and add another layer of security to the object-storage endpoint without much effort.
The first ingredient we need to configure SSL endpoint is the "SSL Certificate" itself, which must be obtained through an official certification authority, or CA. It’s the CA’s responsibility to confirm the certificate’s identity, as well as assert for its authenticity. For demonstration purposes, we’ll use a self-sign certificate. For production environment acquiring an SSL certificate through an authorized CA is recommended.
Note: If you already have an SSL certificate for your domain, you can skip the following steps and edit "/etc/ceph/ceph.conf" file to configure SSL. If you don't have one and want to use self-signed certs, keep on reading….
On Ceph RGW node generate a self-sign certificate
[root@rgw1 ~]# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/ceph-rgw-cert.key -out /etc/ssl/certs/ceph-rgw.crt