Manually create certificates and certificate signing request

Posted on August 15, 2021 by Adrian Wyssmann ‐ 2 min read

As we don't have automated certificate management 😭, we have to create certificates and certificate signing requests manually. If you are in the same boat, this information might help you.

Life would be so much easier with an automated certificate management 😭

How to create an SSL certificate

  1. Set environment variables (the steps below use $CN for the host name and $CFGFILE for the path of the config file; steps 7 and 8 also use $KEY, $CERT and $ALIAS)

  2. Create a config file. The section headers ([req], [req_distinguished_name], [v3_req], [alt_names]) are required: distinguished_name, req_extensions and subjectAltName refer to them by name, and without them openssl req fails to find the sections. The heredoc must be closed with EOF.

    cat > $CFGFILE << EOF
    [req]
    distinguished_name = req_distinguished_name
    req_extensions = v3_req
    prompt = no

    [req_distinguished_name]
    C = CH
    O = Wyssmann Engineering
    CN = $CN.intra

    [v3_req]
    keyUsage = keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names

    [alt_names]
    DNS.1 = $CN
    DNS.2 = $CN.intra
    EOF

  3. Generate private key

    openssl genrsa -out $CN.intra.key 2048

    Ensure you store your private key somewhere safe: the key file should be readable by you only and should never leave the host it was generated on.

  4. Generate certificate signing request

    openssl req -new -key $CN.intra.key -out $CN.intra.csr -config $CFGFILE

  5. Check the CSR for correctness, especially the CN and the subjectAltName entries

    openssl req -in $CN.intra.csr -noout -text

  6. Submit the request to your CA in order to get your signed certificate

  7. Once the certificate is received, bundle the private key and the certificate into a PKCS#12 file (you will be prompted for an export password)

    openssl pkcs12 -export -inkey $KEY -in $CERT -out $ALIAS.p12

  8. If you need these certificates with Java, you may need to import the PKCS#12 file into a Java KeyStore (JKS)

    keytool -importkeystore -srckeystore $ALIAS.p12 -srcstoretype PKCS12 -destkeystore $ALIAS.jks -deststoretype jks
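Steps 1 to 5 run end to end as a shell script, with a check that the resulting CSR really carries the CN and SAN entries from the config file. This is an added example, not the post's own script: it assumes openssl is on PATH, uses example values for the host name and working directory, and stops after step 5 because steps 6 to 8 need the CA's signed certificate and a Java installation. The function names make_csr and check_csr are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post). Runs steps 1 to 5 and then checks
# that the CSR really carries the CN and SAN entries from the config file.
# Assumes: openssl on PATH. CN and the work directory are example values.
set -eu

# Steps 1-5: environment variables, config file, private key, CSR, inspection.
make_csr() {
    CN=$1                          # host name, e.g. myhost
    WORK=$2                        # scratch directory for key, CSR and config
    CFGFILE=$WORK/$CN.intra.cnf
    mkdir -p "$WORK"

    # Step 2: request config. The section headers are what let OpenSSL find
    # the DN fields, the v3 extensions and the SAN list referenced by name.
    cat > "$CFGFILE" << EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = CH
O = Wyssmann Engineering
CN = $CN.intra

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = $CN
DNS.2 = $CN.intra
EOF

    # Step 3: private key; umask 077 keeps the key file readable by the owner only.
    (umask 077 && openssl genrsa -out "$WORK/$CN.intra.key" 2048 2>/dev/null)

    # Step 4: certificate signing request built from the key and the config.
    openssl req -new -key "$WORK/$CN.intra.key" -out "$WORK/$CN.intra.csr" -config "$CFGFILE"

    # Step 5: human-readable dump for review.
    openssl req -in "$WORK/$CN.intra.csr" -noout -text
}

# Machine check for step 5: returns 0 when the CSR's self-signature verifies and
# both the subject CN and the two DNS SANs are present, 1 otherwise.
check_csr() {
    CN=$1
    CSR=$2
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1 || return 1
    TEXT=$(openssl req -in "$CSR" -noout -text)
    printf '%s\n' "$TEXT" | grep -q "CN *= *$CN\.intra" || return 1
    printf '%s\n' "$TEXT" | grep -q "DNS:$CN, DNS:$CN\.intra" || return 1
    return 0
}

# Usage: sh make-csr.sh myhost ./pki
if [ "$#" -ge 1 ]; then
    make_csr "$1" "${2:-./pki}"
    check_csr "$1" "${2:-./pki}/$1.intra.csr" && echo "CSR OK"
fi
```

check_csr is the scripted form of "check the CSR for correctness": it fails if the CN or either DNS entry is missing, which is exactly what a CA will reject or, worse, silently issue a certificate for the wrong name from.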

Certificates in Container Platform

See also Secrets. The following renders a TLS secret manifest from the certificate and key without creating anything in the cluster (--dry-run=client), so the manifest can be reviewed before it is applied.

kubectl create secret tls xxxxx \
--cert=$cert.pem \
--key=$cert.key \
--dry-run=client -o yaml \
> $cert.yaml


Check if keys match

You can use the following commands to check whether a private key matches a certificate, or whether a certificate matches a certificate signing request (CSR). Each command prints the SHA-256 hash of the public key contained in the file; the files belong together exactly when the hashes are identical.

openssl pkey -in $KEY -pubout -outform pem | sha256sum
openssl x509 -in $CERT  -pubkey -noout -outform pem | sha256sum
openssl req -in $CSR  -pubkey -noout -outform pem | sha256sum
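The three hash commands wrapped in a function that compares any number of key, certificate and CSR files and reports the first mismatch. This is an added example, not from the original post: it assumes openssl and sha256sum are on PATH, and the fixture files it builds (two keys, a CSR and a self-signed certificate standing in for the CA-issued one) are constructed here for demonstration. The names pubkey_fingerprint, keys_match and make_fixture are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post). Wraps the three hash commands in
# a function and checks that a set of key / certificate / CSR files share one
# public key. Assumes openssl and sha256sum on PATH; the fixture files are
# constructed here, with a self-signed certificate standing in for the CA's.
set -eu

# Print the SHA-256 of the PEM-encoded public key found in $2, where $1 says
# which kind of file it is: key, cert or csr.
pubkey_fingerprint() {
    case "$1" in
        key)  PEM=$(openssl pkey -in "$2" -pubout -outform pem) ;;
        cert) PEM=$(openssl x509 -in "$2" -pubkey -noout) ;;
        csr)  PEM=$(openssl req  -in "$2" -pubkey -noout) ;;
        *)    echo "unknown artifact type: $1" >&2; return 2 ;;
    esac
    printf '%s\n' "$PEM" | sha256sum | cut -d' ' -f1
}

# Return 0 when every argument (type:path, e.g. key:a.key cert:a.pem csr:a.csr)
# carries the same public key, 1 at the first mismatch.
keys_match() {
    REF=
    for SPEC in "$@"; do
        TYPE=${SPEC%%:*}
        FILE=${SPEC#*:}
        FP=$(pubkey_fingerprint "$TYPE" "$FILE")
        if [ -z "$REF" ]; then
            REF=$FP
        elif [ "$FP" != "$REF" ]; then
            echo "mismatch: $FILE does not carry the public key of the first file" >&2
            return 1
        fi
    done
    return 0
}

# Constructed test material: key a with a CSR and a self-signed stand-in
# certificate, plus an unrelated key b that must not match.
make_fixture() {
    DIR=$1
    mkdir -p "$DIR"
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = demo.intra\n' > "$DIR/req.cnf"
    openssl genrsa -out "$DIR/a.key" 2048 2>/dev/null
    openssl genrsa -out "$DIR/b.key" 2048 2>/dev/null
    openssl req -new -key "$DIR/a.key" -config "$DIR/req.cnf" -out "$DIR/a.csr"
    openssl x509 -req -in "$DIR/a.csr" -signkey "$DIR/a.key" -days 1 -out "$DIR/a.pem" 2>/dev/null
}

# Usage: sh check-keys.sh key:$KEY cert:$CERT csr:$CSR
if [ "$#" -ge 2 ]; then
    keys_match "$@" && echo "all files carry the same public key"
fi
```

Comparing the extracted public keys rather than the files themselves is what makes this work across formats: a PKCS#1 key, a PKCS#8 key, a certificate and a CSR all yield the same SubjectPublicKeyInfo block when they belong together.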

Get Key failed: Given final block not properly padded

This Java error usually means the keystore or key password supplied does not match the one the keystore was created with. We have seen that using the graphical keytool may not work, so use the command line instead.