English

Manually create certificates and certificate signing request

Posted August 15, 2021 by Adrian Wyssmann ‐ 2 min read

pki certificates csr

As we don't have an automated certificate management 😭 we have to create certificates and Certificate signing request manually. If you are in the same boat, this information might help you.

Life would be so much easier with an automated certificate management 😭

How to create a SSL certificate

  1. Set environment variables

    CN=mycn
CFGFILE=$CN.intra.conf

  2. Create a config file

    cat > $CFGFILE << EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = CH
O = Wyssmann Engineering
CN = $CN.intra
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $CN
DNS.2 = $CN.intra
EOF

  3. Generate private key

    openssl genrsa -out $CN.intra.key 2048

    Ensure you store your private key somewhere safe.

  4. Generate certificate signing request

    openssl req -new -key $CN.intra.key -out $CN.intra.csr -config $CFGFILE

  5. Check the csr for correctness, especially the CN

    openssl req -in $CN.intra.csr -noout -text

  6. Submit request to your to your CA in order to get your signed certificate

  7. Once the certificate is received, create a public/private keypair

    ALIAS=$CN.intra
CERT=$ALIAS.pem
CSR=$ALIAS.csr
KEY=$ALIAS.key
openssl pkcs12 -export -inkey $KEY -in $CERT  -out $ALIAS.p12

  8. If you need these certificates with Java, you might need to create a Java Keystore

    keytool -importkeystore -srckeystore $ALIAS.p12  -srcstoretype PKCS12 -destkeystore $ALIAS.jks -deststoretype jks

Certificates in Container Platform

See also Secrets

cert=k8s_nop_wildcard
kubectl create secret tls xxxxx \
--cert=$cert.pem \
--key=$cert.key \
--dry-run=client -o yaml \
> $cert.yaml

Troubleshooting

Check if keys match

https://www.sslshopper.com/certificate-key-matcher.html

You can use this the following commands to check whether a private key matches a certificate or whether a certificate matches a certificate signing request (CSR)

ALIAS=dev-docu.intra
CERT=$ALIAS.pem
CSR=$ALIAS.csr
KEY=$ALIAS.key
openssl pkey -in $KEY -pubout -outform pem | sha256sum
openssl x509 -in $CERT  -pubkey -noout -outform pem | sha256sum
openssl req -in $CSR  -pubkey -noout -outform pem | sha256sum

Get Key failed: Given final block not properly padded

We have seen that using graphical keytool may not work, thus use command line

← Upgrade istio, monitoring and logging from Rancher 2.4.x. to 2.5.x
Your first Kubernetes deployment →