(Optional) Certificate Import

  • Run the certificate import script as an ordinary (non-root) user. Do not run it as "sudo <command>" from an account in the sudo group: the script must run directly under the account that owns the service, so that the files it creates belong to that account.
  • When the inference service is started in https mode, the certificates must be imported first. For details about how to generate certificates, see Self-signed Certificate Creation Methods. The import script takes the paths of the root certificate, the service certificate and the server private key, and prompts for the password that encrypts the private key.
  • If the inference service is started in http mode, no certificate import is needed, but traffic to and from the service is then neither encrypted nor authenticated; you bear the resulting security risk.
  • When inference results are uploaded to a third-party platform, you can also import the client certificate used for that platform.
  1. Log in, as an ordinary (non-root) user, to the server on which the certificates are to be imported.
  2. Set environment variables.
    Go to the directory of the decompressed installation package and add its lib folder to LD_LIBRARY_PATH. The certificate import tool needs the path of the .so files belonging to the encryption component. Note that the lib entry is relative: it is resolved against the current working directory, so the export only works while you are inside mxAOIService, and you should not carry this variable over into other sessions.
    cd mxAOIService
    export LD_LIBRARY_PATH=lib:$LD_LIBRARY_PATH
  3. Run the cert_importer.py script (under ./tools) to import the certificates.

    The following is an example of the command for importing a certificate. For details about the parameters, see Table 1.

    python3 ./tools/cert_importer.py --cert_ca=/xxx/ca.crt --cert_crt=/xxx/server.crt --cert_key=/xxx/server.key --ai_platform_http_client=/xxx/client_ca.crt  --gateway_client_ca=/xxx/gateway_client_ca.crt --crl=/xxx/ca.crl --ai_platform_client_crl=/xxx/ai_platform_client.crl --gateway_client_crl=/xxx/gateway_client.crl --expiry_days=365
    Table 1 Parameters in the certificate import script

    | Parameter                 | Type   | Mandatory or Optional | Description |
    |---------------------------|--------|-----------------------|-------------|
    | --cert_ca                 | String | Mandatory | Path of the service root (CA) certificate. |
    | --cert_crt                | String | Mandatory | Path of the service certificate. |
    | --cert_key                | String | Mandatory | Path of the service private key. |
    | --ai_platform_http_client | String | Optional  | Client certificate used when images and inference results are uploaded to a third-party system. |
    | --gateway_client_ca       | String | Optional  | Client certificate used when inference latency is uploaded to the pushgateway of a third-party system. |
    | --crl                     | String | Optional  | Path of the CRL for the service CA. Once it is loaded, the inference service rejects connections that present a revoked certificate. |
    | --ai_platform_client_crl  | String | Optional  | CRL checked when images and inference results are uploaded to the third-party interface. |
    | --gateway_client_crl      | String | Optional  | CRL checked when inference latency is uploaded to the third-party interface. |
    | --expiry_days             | int    | Optional  | Retention period of the imported certificates, in days: minimum 1, maximum 2000, default 365 (one year). Times are in UTC. Once the period has elapsed, the certificate directory is deleted the next time the inference service restarts. The value is also written to the ca_retention_time field of config.yaml; see config.yaml Parameters. |

    • Pass cert_ca, cert_crt and cert_key; ai_platform_http_client, gateway_client_ca, crl, ai_platform_client_crl and gateway_client_crl are optional. For details, see Table 1.
      • After the parameters are parsed, the script prompts for the private-key decryption password. It decrypts the private key of the imported certificate, checks that the certificate has not expired, then re-encrypts the private key and writes it to ./config/config.yaml.
      • The re-encrypted private key is also stored in ~/aoi_service/key.bak as a backup, and its hash in ~/aoi_service/key.hash. When the inference service starts in https mode it recomputes the hash of the private key and compares it with key.hash, so that a tampered key is detected.
    • The certificate import tool creates the ./config/crt directory and copies the certificate files into it with permission 400 (readable by the owner only). The directory structure is as follows:
    crt
    ├── ca.crt
    ├── server.crt
    ├── server.key
    ├── client_ca.crt
    ├── gateway_client_ca.crt
    ├── gateway_client.crl
    ├── ai_platform_client.crl
    └── ca.crl
  4. The paths of the imported certificates are written to the configuration file of the inference service, ./config/config.yaml.

    After the import, delete the original certificate and private-key files from the location you imported them from; the service uses only the copies under ./config/crt, and leaving a second copy of the private key on disk widens the window for leakage.

    # Config infer service ca file path and keyword when https.
    cert:
      ca: xxx
      crt: xxx
      key: xxx
      key_mm: xxxxxx
      crl: xxxxxx
    
    # Upload CA file path, only use in https mode.
    ai_platform_http_client:
      ca: xxx
      crl: xxx
    
    # Upload infer time to pushgateway CA file path, only use in https mode.
    http_pushgateway_client:
      ca: xxx
      crl: xxx