Manually create certificates and certificate signing request
Posted on August 15, 2021 by Adrian Wyssmann ‐ 2 min read
As we don't have automated certificate management 😠 we have to create certificates and certificate signing requests manually. If you are in the same boat, this information might help you.
Life would be so much easier with automated certificate management 😠
## How to create an SSL certificate

- Set environment variables

  ```bash
  CN=mycn
  CFGFILE=$CN.intra.conf
  ```

- Create a config file

  ```bash
  cat > $CFGFILE << EOF
  [req]
  distinguished_name = req_distinguished_name
  req_extensions = v3_req
  prompt = no

  [req_distinguished_name]
  C = CH
  O = Wyssmann Engineering
  CN = $CN.intra

  [v3_req]
  keyUsage = keyEncipherment, dataEncipherment
  extendedKeyUsage = serverAuth
  subjectAltName = @alt_names

  [alt_names]
  DNS.1 = $CN
  DNS.2 = $CN.intra
  EOF
  ```

- Generate the private key

  ```bash
  openssl genrsa -out $CN.intra.key 2048
  ```

  Ensure you store your private key somewhere safe.

- Generate the certificate signing request

  ```bash
  openssl req -new -key $CN.intra.key -out $CN.intra.csr -config $CFGFILE
  ```

- Check the CSR for correctness, especially the `CN`

  ```bash
  openssl req -in $CN.intra.csr -noout -text
  ```
- Submit the request to your CA in order to get your signed certificate

- Once the certificate is received, bundle the private key and the signed certificate into a PKCS#12 (`.p12`) keystore

  ```bash
  ALIAS=$CN.intra
  CERT=$ALIAS.pem
  CSR=$ALIAS.csr
  KEY=$ALIAS.key
  openssl pkcs12 -export -inkey $KEY -in $CERT -out $ALIAS.p12
  ```
- If you need these certificates with Java, you might need to create a Java Keystore

  ```bash
  keytool -importkeystore -srckeystore $ALIAS.p12 -srcstoretype PKCS12 -destkeystore $ALIAS.jks -deststoretype jks
  ```
## Certificates in Container Platform

See also Secrets

```bash
cert=k8s_nop_wildcard
kubectl create secret tls xxxxx \
  --cert=$cert.pem \
  --key=$cert.key \
  --dry-run=client -o yaml \
  > $cert.yaml
```
## Troubleshooting

### Check if keys match

https://www.sslshopper.com/certificate-key-matcher.html

You can use the following commands to check whether a private key matches a certificate, or whether a certificate matches a certificate signing request (CSR). Each command prints the SHA-256 hash of the public key contained in the file; if the hashes are identical, the files belong together.

```bash
ALIAS=dev-docu.intra
CERT=$ALIAS.pem
CSR=$ALIAS.csr
KEY=$ALIAS.key
openssl pkey -in $KEY -pubout -outform pem | sha256sum
openssl x509 -in $CERT -pubkey -noout -outform pem | sha256sum
openssl req -in $CSR -pubkey -noout -outform pem | sha256sum
```
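As an added example that is not part of the original post, the following shell functions wrap the three hash commands above into a single check that returns a status instead of leaving you to compare hashes by eye, and also verify that a CSR carries the DNS names configured in `alt_names` (the CSR check from the steps above). It assumes `openssl` on `PATH` and PEM-encoded files; the function names are my own.

```bash
#!/bin/sh
# Added example (not from the original post). Assumes openssl is on PATH and
# that the files are PEM; an encrypted key will prompt for its passphrase.
# Function names (pubkey_fp, keys_match, csr_has_sans) are my own choices.

# Print the SHA-256 fingerprint of the public key found in a PEM private
# key, CSR or certificate. The kind of file is detected from its PEM header;
# "CERTIFICATE REQUEST" is tested first because it also contains "CERTIFICATE".
pubkey_fp() {
  if grep -q 'BEGIN CERTIFICATE REQUEST' "$1"; then
    openssl req -in "$1" -pubkey -noout
  elif grep -q 'BEGIN CERTIFICATE' "$1"; then
    openssl x509 -in "$1" -pubkey -noout
  else
    openssl pkey -in "$1" -pubout
  fi | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Return 0 when every file given carries the same public key as the first one,
# 1 (and a message on stderr) at the first file that does not.
keys_match() {
  ref=$(pubkey_fp "$1"); shift
  for f in "$@"; do
    if [ "$(pubkey_fp "$f")" != "$ref" ]; then
      echo "MISMATCH: $f does not belong to the same key" >&2
      return 1
    fi
  done
  return 0
}

# Return 0 when the CSR lists every expected DNS SAN, 1 otherwise.
# Usage: csr_has_sans mycn.intra.csr mycn mycn.intra
csr_has_sans() {
  csr="$1"; shift
  sans=$(openssl req -in "$csr" -noout -text | grep -o 'DNS:[^,[:space:]]*') || true
  for name in "$@"; do
    if ! echo "$sans" | grep -qxF "DNS:$name"; then
      echo "MISSING SAN: $name" >&2
      return 1
    fi
  done
  return 0
}

# Typical use for the files from the steps above:
#   keys_match mycn.intra.key mycn.intra.csr mycn.intra.pem && echo "key, CSR and cert match"
#   csr_has_sans mycn.intra.csr mycn mycn.intra && echo "SANs present"
```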
### Get Key failed: Given final block not properly padded

We have seen that using the graphical keytool may not work, so use the command line instead.