分享交流
合作共赢!

Generating a self-signed certificate using OpenSSL


To generate a self-signed SSL certificate using the OpenSSL, complete the following steps:

  1. Write down the Common Name (CN) for your SSL Certificate. The CN is the fully qualified name for the system that uses the certificate. For static DNS, use the hostname or IP address set in your Gateway Cluster (for example. 192.16.183.131 or dp1.acme.com).
  2. Run the following OpenSSL command to generate your private key and public certificate. Answer the questions and enter the Common Name when prompted.
    openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
  3. Review the created certificate:
    openssl x509 -text -noout -in certificate.pem
  4. Combine your key and certificate in a PKCS#12 (P12) bundle:
    openssl pkcs12 -inkey key.pem -in certificate.pem -export -out certificate.p12
  5. Validate your P2 file.
    openssl pkcs12 -in certificate.p12 -noout -info
    Once the certificate file is created, it can be uploaded to a keystore.

    link: https://www.ibm.com/docs/en/api-connect/10.0.1.x?topic=overview-generating-self-signed-certificate-using-openssl

Create a Certificate Authority Private Key and Public Certificate

The example below shows how to create a self-signed certificate. In a production environment, you should always use certificates signed by a Certificate Authority.

Option 1: Executing script to generate certs(recommend in Linux operation system)

write the below content to a file, such as “gencert.sh“, please note that update the file correspondingly before executing it.

#!/bin/bash

mkdir -p ssl

cat << EOF > ssl/req.cnf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name

[req_distinguished_name]

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = dex.example.com
EOF

openssl genrsa -out ssl/ca-key.pem 2048
openssl req -x509 -new -nodes -key ssl/ca-key.pem -days 10 -out ssl/ca.pem -subj "/CN=kube-ca"

openssl genrsa -out ssl/key.pem 2048
openssl req -new -key ssl/key.pem -out ssl/csr.pem -subj "/CN=kube-ca" -config ssl/req.cnf
openssl x509 -req -in ssl/csr.pem -CA ssl/ca.pem -CAkey ssl/ca-key.pem -CAcreateserial -out ssl/cert.pem -days 10 -extensions v3_req -extfile ssl/req.cnf

Option 2:Use the command to generate certs step by step.

  1. Generate CA files serverca.crt and servercakey.pem. This allows the signing of server and client keys:
    $ openssl genrsa -out servercakey.pem
    $ openssl req -new -x509 -key servercakey.pem -out serverca.crt
  2. Create the server private key (server.crt) and public key (server.key):
    $ openssl genrsa -out server.key $ openssl req -new -key server.key -out server_reqout.txt
    $ openssl x509 -req -in server_reqout.txt -days 3650 -sha256 -CAcreateserial -CA serverca.crt -CAkey servercakey.pem -out server.crt
  3. Create the client private key (client.crt) and public key (client.key):
    $ openssl genrsa -out client.key
    $ openssl req -new -key client.key -out client_reqout.txt
    $ openssl x509 -req -in client_reqout.txt -days 3650 -sha256 -CAcreateserial -CA serverca.crt -CAkey servercakey.pem -out client.crt
  4. Set file permissions:$ chmod 700 server.crt server.key
    $ chmod 700 client.crt client.key

    Executing script to generate certs(recommend)

    Other Reference:
    https://github.com/dexidp/dex/blob/master/examples/k8s/gencert.sh?fireglass_rsn=true

Reference:

  • https://github.com/dexidp/dex/blob/master/examples/grpc-client/cert-gen
  • https://github.com/dexidp/dex/blob/master/examples/k8s/gencert.sh?fireglass_rsn=true

Generate private certificate locally based config file

1.Generate key file by below command

openssl genrsa -out plug_client_cert.key 4096

2.Create config file show as below:

[ req ]
default_bits       = 4096
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt = no
[ req_distinguished_name ]
countryName                 = SG
stateOrProvinceName         = Singapore
localityName               = INFRA/APP
organizationName           = ABC Bank Ltd
commonName                 = <Domain Name>
organizationalUnitName     = EDSF
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1   =  <Domain Name>
DNS.2   =  <Domain Name>

3.Generate CSR file based key and config file

openssl req -out plug_client_cert_qa.csr -newkey rsa:4096 -nodes -keyout plug_client_cert.key -config plug_client_qa.cnf

4.Generate finally CSR file

openssl req -noout -text -in plug_client_cert_qa.csr

Generate Kubernetes secret with above files:

k create secret tls cirrus.dell.com.tls -n auth --dry-run=server --cert=server.crt --key=server.key -oyaml > cirrus.dell.com.tls.yaml
赞(0) 打赏
未经允许不得转载:琼杰笔记 » Generating a self-signed certificate using OpenSSL

评论 抢沙发

评论前必须登录!

 

分享交流,合作共赢!

联系我们加入QQ群

觉得文章有用就打赏一下文章作者

非常感谢你的打赏,我们将继续给力更多优质内容,让我们一起创建更加美好的网络世界!

支付宝扫一扫打赏

微信扫一扫打赏

登录

找回密码

注册