# Custom FQDN and Certificates

## Custom FQDN

If you would like to have the management plane served on a different FQDN, set the `duFqdn` field in the airctl config file. For example, if you would like your management plane FQDN to be `mg-plane.example.com`, you would set:

{% tabs %}
{% tab title="YAML" %}

```yaml
duFqdn: mg-plane.example.com
```

{% endtab %}
{% endtabs %}

## Custom Certificates

Users can supply custom-signed certificates or a CA for the management plane. By default, airctl generates a private key and a self-signed root CA, then issues the management plane certificates signed by that CA.

### User supplied CA

A user can supply their own CA, which airctl will use to sign the management plane certs. Since the CA's private key is also required, it is recommended to use an intermediate CA rather than your root CA. Airctl will add all the SANs required by the management plane to the certificates it issues.

To supply a custom CA and private key, specify the following in airctl config:

{% tabs %}
{% tab title="YAML" %}

```yaml
caCertPath: <path to PEM encoded CA cert>
caKeyPath: <path to private key for CA>
```

{% endtab %}
{% endtabs %}

### User supplied Certs

It is also possible to directly specify the certificates used by the management plane. In this case, airctl will bypass CA generation and cert generation, and pass the cert/key directly as the TLS Secret into Kubernetes. To do so, make sure the above `caCertPath` and `caKeyPath` are empty, and specify the following config options instead:

{% tabs %}
{% tab title="YAML" %}

```yaml
certPath: <path to cert>
certKeyPath: <path to private key>
```

{% endtab %}
{% endtabs %}

The certificates must be generated with the appropriate wildcard SANs and Key Usage extensions:

* `*.pf9.localnet`
* `*.custom.domain.net`

The first, `*.pf9.localnet`, is required for internal usage. The second depends on the shortname/FQDN used. For example, if the management plane FQDN is "air99.platform9.net", then ensure the certificate has a SAN for `*.platform9.net`.

In addition, ensure the following Key Usage extensions are enabled:

{% tabs %}
{% tab title="None" %}

```none
X509v3 extensions:
          X509v3 Key Usage: critical
              Digital Signature, Key Encipherment
          X509v3 Extended Key Usage:
              TLS Web Server Authentication, TLS Web Client Authentication
```

{% endtab %}
{% endtabs %}
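As an added example (not airctl's own code), the following Go pre-flight check verifies that a user-supplied certificate carries both wildcard SANs and the Key Usage / Extended Key Usage values listed above before you point `certPath` at it. The `SelfSignedTestCert` helper and the `air99.platform9.net` FQDN are assumptions used only to exercise the check.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"math/big"
	"slices"
	"strings"
	"time"
)

// CheckManagementPlaneCert reports which SAN / Key Usage requirements from this page
// a PEM cert fails (nil when it passes); the second SAN is the FQDN's parent-domain wildcard.
func CheckManagementPlaneCert(certPEM []byte, fqdn string) []string {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return []string{"no PEM block found"}
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return []string{"cannot parse certificate: " + err.Error()}
	}
	var problems []string
	parent := fqdn[strings.Index(fqdn, ".")+1:]
	for _, want := range []string{"*.pf9.localnet", "*." + parent} {
		if !slices.Contains(cert.DNSNames, want) {
			problems = append(problems, "missing SAN "+want)
		}
	}
	wantKU := x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
	if cert.KeyUsage&wantKU != wantKU {
		problems = append(problems, "Key Usage must include Digital Signature and Key Encipherment")
	}
	if !slices.Contains(cert.ExtKeyUsage, x509.ExtKeyUsageServerAuth) || !slices.Contains(cert.ExtKeyUsage, x509.ExtKeyUsageClientAuth) {
		problems = append(problems, "Extended Key Usage must include TLS Web Server and Client Authentication")
	}
	return problems
}

// SelfSignedTestCert builds a throwaway self-signed cert (constructed input for
// exercising the check, not an airctl artifact) with the given SANs and usages.
func SelfSignedTestCert(dnsNames []string, ku x509.KeyUsage, eku []x509.ExtKeyUsage) []byte {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(),
		NotAfter: time.Now().Add(24 * time.Hour), DNSNames: dnsNames, KeyUsage: ku, ExtKeyUsage: eku}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

To check a real file, read it with `os.ReadFile` and pass the bytes together with your `duFqdn` value; an empty result means the certificate meets the requirements above.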

## Renewing Certs

The self-signed CA and the certificates it issues expire after 3 years. Both are renewed every time the management plane is upgraded.

To renew the certs outside of a management plane upgrade, follow the steps above to either specify a CA or certificates in the airctl config (or leave both empty to have airctl generate and self-sign everything), and run:

{% tabs %}
{% tab title="Bash" %}

```bash
airctl advanced-ddu renew-certs --config /opt/pf9/airctl/conf/airctl.yaml
```

{% endtab %}
{% endtabs %}
