Manually create certificates and certificate signing request
Posted on August 15, 2021 by Adrian Wyssmann ‐ 2 min read
As we don't have an automated certificate management 😭 we have to create certificates and certificate signing requests (CSRs) manually. If you are in the same boat, this information might help you.
Life would be so much easier with an automated certificate management 😭
How to create an SSL certificate
Set environment variables
```bash
CN=mycn
CFGFILE=$CN.intra.conf
```
Create a config file
```bash
cat > $CFGFILE << EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = CH
O = Wyssmann Engineering
CN = $CN.intra

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = $CN
DNS.2 = $CN.intra
EOF
```
Generate private key
```bash
openssl genrsa -out $CN.intra.key 2048
```
Ensure you store your private key somewhere safe.
Generate certificate signing request
```bash
openssl req -new -key $CN.intra.key -out $CN.intra.csr -config $CFGFILE
```
Check the CSR for correctness, especially the CN and the subject alternative names:
```bash
openssl req -in $CN.intra.csr -noout -text
```
Submit the request to your CA in order to get your signed certificate.
Once the signed certificate is received, bundle it together with the private key into a PKCS#12 file:
```bash
ALIAS=$CN.intra
CERT=$ALIAS.pem
CSR=$ALIAS.csr
KEY=$ALIAS.key
openssl pkcs12 -export -inkey $KEY -in $CERT -out $ALIAS.p12
```
If you need these certificates with Java, you might need to create a Java Keystore:
```bash
keytool -importkeystore -srckeystore $ALIAS.p12 -srcstoretype PKCS12 -destkeystore $ALIAS.jks -deststoretype jks
```
Certificates in Container Platform
See also Secrets
```bash
cert=k8s_nop_wildcard
kubectl create secret tls xxxxx \
  --cert=$cert.pem \
  --key=$cert.key \
  --dry-run=client -o yaml \
  > $cert.yaml
```
Troubleshooting
Check if keys match
https://www.sslshopper.com/certificate-key-matcher.html
You can use the following commands to check whether a private key matches a certificate or whether a certificate matches a certificate signing request (CSR). All three commands print the SHA-256 hash of the public key; the files belong together only if the hashes are identical.
```bash
ALIAS=dev-docu.intra
CERT=$ALIAS.pem
CSR=$ALIAS.csr
KEY=$ALIAS.key
openssl pkey -in $KEY -pubout -outform pem | sha256sum
openssl x509 -in $CERT -pubkey -noout -outform pem | sha256sum
openssl req -in $CSR -pubkey -noout -outform pem | sha256sum
```
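The whole flow from the "How to create an SSL certificate" section and the key-matching check above, as an added script that is not part of the original post. It assumes the `openssl` CLI is installed, uses the placeholder host name `demo`, and self-signs the CSR in place of the CA so it runs offline; the `v3_req` extensions are carried into the certificate so the SAN check is meaningful.

```shell
#!/bin/sh
# Added example (not the post's own code): key + CSR from the config above,
# self-signed in place of the CA; then check key/CSR/cert match and SANs.
# Assumes the openssl CLI; "demo" is a placeholder host name.
set -eu
WORK="$(mktemp -d)"; CN="demo"
CFGFILE="$WORK/$CN.intra.conf"
KEY="$WORK/$CN.intra.key"; CSR="$WORK/$CN.intra.csr"; CERT="$WORK/$CN.intra.pem"
cat > "$CFGFILE" << EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = CH
O = Example Org
CN = $CN.intra
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $CN
DNS.2 = $CN.intra
EOF
openssl genrsa -out "$KEY" 2048 2>/dev/null
openssl req -new -key "$KEY" -out "$CSR" -config "$CFGFILE"
# Stand-in for the CA: self-sign and carry the v3_req extensions into the cert.
openssl x509 -req -in "$CSR" -signkey "$KEY" -days 1 -extfile "$CFGFILE" \
  -extensions v3_req -out "$CERT" 2>/dev/null

# SHA-256 over the PEM public key; the three values agree only if they belong together.
pubkey_fp() {
  case "$1" in
    *.key) openssl pkey -in "$1" -pubout ;;
    *.csr) openssl req -in "$1" -pubkey -noout ;;
    *.pem) openssl x509 -in "$1" -pubkey -noout ;;
  esac | openssl dgst -sha256 | awk '{print $NF}'
}
# Prints "match" when the given key (default: ours) fits both the CSR and the cert.
check_match() {
  k="$(pubkey_fp "${1:-$KEY}")"
  if [ "$k" = "$(pubkey_fp "$CSR")" ] && [ "$k" = "$(pubkey_fp "$CERT")" ]; then
    echo match; else echo mismatch; fi
}
# Succeeds when the signed certificate still lists the expected DNS SAN.
cert_has_san() { openssl x509 -in "$CERT" -noout -text | grep -q "DNS:$1"; }
check_match                      # match
cert_has_san "$CN.intra" && echo "SAN ok"
```

Passing a different key file to `check_match` demonstrates the mismatch case, which is exactly what a wrong `-inkey` in the `pkcs12 -export` step would look like.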
Get Key failed: Given final block not properly padded
We have seen that using the graphical keytool may not work, thus use the command line instead.