Manually create certificates and certificate signing request

Posted August 15, 2021 by Adrian Wyssmann ‐ 2 min read

As we don't have automated certificate management 😭, we have to create certificates and certificate signing requests manually. If you are in the same boat, this information might help you.

Life would be so much easier with automated certificate management 😭

How to create an SSL certificate

  1. Set environment variables

    CN=mycn
    CFGFILE=$CN.intra.conf
    
  2. Create a config file

    cat > $CFGFILE << EOF
    [req]
    distinguished_name = req_distinguished_name
    req_extensions = v3_req
    prompt = no
    [req_distinguished_name]
    C = CH
    O = Wyssmann Engineering
    CN = $CN.intra
    [v3_req]
    keyUsage = keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = $CN
    DNS.2 = $CN.intra
    EOF
    
  3. Generate a private key

    openssl genrsa -out $CN.intra.key 2048
    

    Ensure you store your private key somewhere safe.

  4. Generate the certificate signing request

    openssl req -new -key $CN.intra.key -out $CN.intra.csr -config $CFGFILE
    
  5. Check the CSR for correctness, especially the CN

    openssl req -in $CN.intra.csr -noout -text
    
  6. Submit the request to your CA in order to get your signed certificate

  7. Once the certificate is received, bundle the certificate and private key into a PKCS#12 keystore

    ALIAS=$CN.intra
    CERT=$ALIAS.pem
    CSR=$ALIAS.csr
    KEY=$ALIAS.key
    openssl pkcs12 -export -inkey $KEY -in $CERT -out $ALIAS.p12
    
  8. If you need these certificates with Java, you might need to create a Java keystore from the PKCS#12 file

    keytool -importkeystore -srckeystore $ALIAS.p12 -srcstoretype PKCS12 -destkeystore $ALIAS.jks -deststoretype jks
    

Certificates in the container platform

See also Secrets

cert=k8s_nop_wildcard
kubectl create secret tls xxxxx \
--cert=$cert.pem \
--key=$cert.key \
--dry-run=client -o yaml \
> $cert.yaml

Troubleshooting

Check if keys match

https://www.sslshopper.com/certificate-key-matcher.html

You can use the following commands to check whether a private key matches a certificate, or whether a certificate matches a certificate signing request (CSR). If the three hashes are identical, the key, the certificate and the CSR belong together.

ALIAS=dev-docu.intra
CERT=$ALIAS.pem
CSR=$ALIAS.csr
KEY=$ALIAS.key
openssl pkey -in $KEY -pubout -outform pem | sha256sum
openssl x509 -in $CERT -pubkey -noout -outform pem | sha256sum
openssl req -in $CSR -pubkey -noout -outform pem | sha256sum
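The CSR check from step 5 and the key/certificate/CSR match check above, wrapped into reusable shell functions as an added example that is not part of the original post. It assumes a self-signed certificate as a stand-in for the CA-signed one, uses the CN mycn, and the function names (pubkey_sha256, keys_match, csr_has_dns, make_material) are my own.

```shell
#!/bin/sh
# Added example (not from the original post): the CSR check of step 5 and the
# key/cert/CSR match check from Troubleshooting as reusable functions.
# Assumption: a self-signed certificate stands in for the CA-signed one.
set -eu
# Print the SHA-256 of the PEM public key held in a key, cert or CSR file.
pubkey_sha256() {  # $1 = key|cert|csr, $2 = file
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        cert) openssl x509 -in "$2" -pubkey -noout ;;
        csr)  openssl req  -in "$2" -pubkey -noout ;;
        *)    echo "unknown kind: $1" >&2; return 2 ;;
    esac | openssl dgst -sha256 | awk '{print $NF}'
}
# Succeed only if key ($1), certificate ($2) and CSR ($3) carry one public key.
keys_match() {
    k=$(pubkey_sha256 key "$1")
    [ "$k" = "$(pubkey_sha256 cert "$2")" ] && [ "$k" = "$(pubkey_sha256 csr "$3")" ]
}
# Succeed only if the CSR ($1) lists every DNS name that follows in its SAN.
csr_has_dns() {
    san=$(openssl req -in "$1" -noout -text | tr ',' '\n' | sed 's/^ *//')
    shift
    for name in "$@"; do
        printf '%s\n' "$san" | grep -qxF "DNS:$name" || return 1
    done
}
# Build key, config (as in the post), CSR and self-signed cert for CN $2 in $1.
make_material() {
    dir=$1; cn=$2; cfg="$dir/$cn.conf"
    printf '%s\n' '[req]' 'distinguished_name = dn' 'req_extensions = v3_req' \
        'prompt = no' '[dn]' "CN = $cn.intra" '[v3_req]' \
        'keyUsage = keyEncipherment, dataEncipherment' 'extendedKeyUsage = serverAuth' \
        'subjectAltName = @alt_names' '[alt_names]' "DNS.1 = $cn" "DNS.2 = $cn.intra" > "$cfg"
    openssl genrsa -out "$dir/$cn.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$cn.key" -config "$cfg" -out "$dir/$cn.csr"
    openssl x509 -req -in "$dir/$cn.csr" -signkey "$dir/$cn.key" -days 1 -out "$dir/$cn.pem" 2>/dev/null
}
# Demo: a matching set passes both checks; a key from another CSR does not.
demo() {
    d=$(mktemp -d); make_material "$d" mycn; make_material "$d" other
    keys_match "$d/mycn.key" "$d/mycn.pem" "$d/mycn.csr" && echo "mycn: key, cert and CSR match"
    csr_has_dns "$d/mycn.csr" mycn mycn.intra && echo "mycn: SAN lists mycn and mycn.intra"
    keys_match "$d/other.key" "$d/mycn.pem" "$d/mycn.csr" || echo "other.key does not belong to mycn.pem"
    rm -rf "$d"
}
demo
```

A mismatch in keys_match is the situation you hit when a key was regenerated after the CSR was submitted; csr_has_dns catches a CSR whose SAN does not cover every hostname the service answers on.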

Get Key failed: Given final block not properly padded

We have seen that using the graphical keytool may not work, so use the command line instead.