Manually create certificates and certificate signing request

Posted on August 15, 2021 by Adrian Wyssmann ‐ 2 min read

Life would be so much easier with an automated certificate management 😭

How to create an SSL certificate

  1. Set environment variables

    CN=mycn
    CFGFILE=$CN.intra.conf
  2. Create a config file

    cat > $CFGFILE << EOF
    [req]
    distinguished_name = req_distinguished_name
    req_extensions = v3_req
    prompt = no
    [req_distinguished_name]
    C = CH
    O = Wyssmann Engineering
    CN = $CN.intra
    [v3_req]
    keyUsage = keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = $CN
    DNS.2 = $CN.intra
    EOF
  3. Generate private key

    openssl genrsa -out $CN.intra.key 2048

    Ensure you store your private key somewhere safe.

  4. Generate certificate signing request

    openssl req -new -key $CN.intra.key -out $CN.intra.csr -config $CFGFILE
  5. Check the CSR for correctness, especially the CN

    openssl req -in $CN.intra.csr -noout -text
  6. Submit the request to your CA in order to get your signed certificate

  7. Once the certificate is received, bundle it together with the private key into a PKCS#12 file

    ALIAS=$CN.intra
    CERT=$ALIAS.pem
    CSR=$ALIAS.csr
    KEY=$ALIAS.key
    openssl pkcs12 -export -inkey $KEY -in $CERT -out $ALIAS.p12
  8. If you need these certificates with Java, you might need to create a Java Keystore

    keytool -importkeystore -srckeystore $ALIAS.p12 -srcstoretype PKCS12 -destkeystore $ALIAS.jks -deststoretype jks

Certificates in Container Platform

See also Secrets

cert=k8s_nop_wildcard
kubectl create secret tls xxxxx \
--cert=$cert.pem \
--key=$cert.key \
--dry-run=client -o yaml \
> $cert.yaml

Troubleshooting

Check if keys match

https://www.sslshopper.com/certificate-key-matcher.html

You can use the following openssl commands to check locally whether a private key matches a certificate, or whether a certificate matches a certificate signing request (CSR): if the SHA-256 hashes of the extracted public keys are identical, the objects belong together.

ALIAS=dev-docu.intra
CERT=$ALIAS.pem
CSR=$ALIAS.csr
KEY=$ALIAS.key
openssl pkey -in $KEY -pubout -outform pem | sha256sum
openssl x509 -in $CERT  -pubkey -noout -outform pem | sha256sum
openssl req -in $CSR  -pubkey -noout -outform pem | sha256sum
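The steps from "How to create an SSL certificate" and the key-matching check above, combined into one runnable script. This is an added example, not code from the original post: it uses the post's config file unchanged, works in a scratch directory, and stands in a self-signed certificate for the CA-issued one (constructed for the demo) so that all three comparisons can be exercised, including the mismatch case.

```shell
#!/bin/sh
# Added example, not part of the original post: run the post's key/CSR steps
# in a scratch directory, then verify with functions that key, CSR and
# certificate carry the same public key and that the CSR lists the SANs.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
CN=mycn
CFGFILE=$WORK/$CN.intra.conf
KEY=$WORK/$CN.intra.key; CSR=$WORK/$CN.intra.csr; CERT=$WORK/$CN.intra.pem

cat > "$CFGFILE" << EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = CH
O = Wyssmann Engineering
CN = $CN.intra
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $CN
DNS.2 = $CN.intra
EOF

# SHA-256 of the SubjectPublicKeyInfo; $1 = pkey|req|x509, $2 = file.
pubkey_hash() {
  case "$1" in
    pkey) openssl pkey -in "$2" -pubout ;;
    req)  openssl req  -in "$2" -pubkey -noout ;;
    x509) openssl x509 -in "$2" -pubkey -noout ;;
  esac | openssl dgst -sha256 | awk '{print $NF}'
}
# Exit 0 when two objects share a public key: same_pubkey pkey a.key req a.csr
same_pubkey() { [ "$(pubkey_hash "$1" "$2")" = "$(pubkey_hash "$3" "$4")" ]; }
# Exit 0 when the CSR's subjectAltName lists the DNS name $2.
csr_has_san() { openssl req -in "$1" -noout -text | grep -qE "DNS:$2(,|\$)"; }

openssl genrsa -out "$KEY" 2048 2>/dev/null
openssl req -new -key "$KEY" -out "$CSR" -config "$CFGFILE"
# Self-signed stand-in for the CA-issued certificate (constructed for the demo).
openssl req -x509 -new -key "$KEY" -config "$CFGFILE" -days 1 -out "$CERT" 2>/dev/null
# Unrelated key to show the mismatch case.
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
```

In real use, replace the self-signed stand-in with the certificate returned by your CA and run `same_pubkey pkey "$KEY" x509 "$CERT"` before building the PKCS#12 bundle.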

Get Key failed: Given final block not properly padded

We have seen that using the graphical keytool may not work, so use the command line instead.