
Generating a self-signed certificate using OpenSSL


To generate a self-signed TLS certificate with OpenSSL, complete the following steps:

  1. Decide on the Common Name (CN) for your certificate. The CN is the fully qualified name of the system that uses the certificate; for static DNS, use the hostname or IP address configured in your Gateway Cluster (for example, 192.16.183.131 or dp1.acme.com). Note that modern TLS clients match the hostname against the subjectAltName extension, not the CN, and the interactive prompts below never add one; with OpenSSL 1.1.1 or later you can append -addext "subjectAltName=DNS:dp1.acme.com" (or IP:192.16.183.131) to the command in step 2.
  2. Run the following OpenSSL command to generate the private key and the self-signed certificate. Answer the prompts and enter the Common Name when asked. -nodes leaves key.pem unencrypted, so restrict its file permissions and keep it off shared locations; -days 365 sets the validity period.
    openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
  3. Review the certificate you created (check Subject, Validity and the extensions):
    openssl x509 -text -noout -in certificate.pem
  4. Combine the key and certificate into a PKCS#12 (P12) bundle; you are prompted for an export password that protects the private key inside the bundle:
    openssl pkcs12 -inkey key.pem -in certificate.pem -export -out certificate.p12
  5. Validate the P12 file (enter the export password when prompted):
    openssl pkcs12 -in certificate.p12 -noout -info
    Once the certificate file is created, it can be uploaded to a keystore.

    Source: https://www.ibm.com/docs/en/api-connect/10.0.1.x?topic=overview-generating-self-signed-certificate-using-openssl
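The same key, certificate and PKCS#12 flow, run non-interactively and followed by the checks worth doing before the bundle is uploaded anywhere. This is an added example, not part of the IBM procedure; the hostname, the IP address and the bundle password are placeholders, and -addext (OpenSSL 1.1.1 or later) supplies the subjectAltName that the interactive prompts never ask for.

```shell
#!/bin/sh
# Added example, not part of the IBM procedure: key + self-signed certificate
# + PKCS#12 bundle, non-interactive, with a subjectAltName and post-checks.
# The hostname, the IP address and the bundle password are placeholders.
set -eu

# gen_selfsigned DIR CN DAYS: private key and self-signed certificate in one
# step. -subj replaces the prompts; -addext adds the SAN and an EKU so TLS
# clients that ignore the CN still accept the certificate.
gen_selfsigned() {
  dir=$1; cn=$2; days=$3
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
    -keyout "$dir/key.pem" -out "$dir/certificate.pem" \
    -subj "/CN=$cn" \
    -addext "subjectAltName=DNS:$cn,IP:192.16.183.131" \
    -addext "extendedKeyUsage=serverAuth" 2>/dev/null
  chmod 600 "$dir/key.pem"          # -nodes left the key unencrypted
}

# has_san CERT NAME: succeeds iff NAME (e.g. DNS:dp1.acme.com) is in the SAN.
has_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | grep -q "$2"
}

# bundle_p12 DIR PASSWORD: key + certificate into a PKCS#12 bundle. -passout
# replaces the export-password prompt; the password protects the private key.
bundle_p12() {
  openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/certificate.pem" \
    -out "$1/certificate.p12" -passout "pass:$2"
}

# verify_p12 FILE PASSWORD: succeeds iff the bundle parses and its MAC checks
# out under PASSWORD (a wrong password fails here, not at upload time).
verify_p12() {
  openssl pkcs12 -in "$1" -noout -info -passin "pass:$2" >/dev/null 2>&1
}

# fingerprint_pem CERT / fingerprint_p12 FILE PASSWORD: SHA-256 fingerprints,
# so you can confirm the bundle carries the certificate you just reviewed.
fingerprint_pem() { openssl x509 -in "$1" -noout -fingerprint -sha256; }
fingerprint_p12() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256
}

# Stand-alone run: everything is written to a scratch directory.
work=$(mktemp -d)
gen_selfsigned "$work" dp1.acme.com 365
has_san "$work/certificate.pem" "DNS:dp1.acme.com" && echo "SAN present"
bundle_p12 "$work" changeit
verify_p12 "$work/certificate.p12" changeit && echo "PKCS#12 bundle verified"
[ "$(fingerprint_pem "$work/certificate.pem")" = "$(fingerprint_p12 "$work/certificate.p12" changeit)" ] \
  && echo "bundle carries certificate.pem: $(fingerprint_pem "$work/certificate.pem")"
```

The fingerprint comparison is the check that matters when several certificates are lying around: it proves the P12 you are about to upload contains exactly the certificate you reviewed with openssl x509 -text.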

Create a Certificate Authority Private Key and Public Certificate

The example below creates a self-signed CA certificate and a server certificate signed by that CA. In a production environment, use certificates signed by a trusted Certificate Authority.

Option 1: Run a script to generate the certificates (recommended on Linux)

Save the following as a file such as gencert.sh (it is the dex project's examples/k8s/gencert.sh, see the references below), adjust the hostname under [alt_names], the subjects and the validity period to your environment, then run it with bash.

#!/bin/bash
# dex examples/k8s/gencert.sh: a throwaway CA and one server certificate for
# dex.example.com. Edit DNS.1 (add DNS.2, IP.1, ... as needed), the subjects
# and -days before running.
set -e

mkdir -p ssl

cat << EOF > ssl/req.cnf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name

[req_distinguished_name]

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = dex.example.com
EOF

# CA key and self-signed CA certificate (10 days: this is a demo CA)
openssl genrsa -out ssl/ca-key.pem 2048
openssl req -x509 -new -nodes -key ssl/ca-key.pem -days 10 -out ssl/ca.pem -subj "/CN=kube-ca"

# Server key and CSR. The CSR reuses the CA's CN; that works because clients
# match the SAN, but a distinct CN (for example the hostname) avoids issuing a
# certificate whose subject equals its issuer.
openssl genrsa -out ssl/key.pem 2048
openssl req -new -key ssl/key.pem -out ssl/csr.pem -subj "/CN=kube-ca" -config ssl/req.cnf
# Sign the CSR. -extensions/-extfile are required: without them the SAN from
# the CSR is dropped from the issued certificate.
openssl x509 -req -in ssl/csr.pem -CA ssl/ca.pem -CAkey ssl/ca-key.pem -CAcreateserial -out ssl/cert.pem -days 10 -extensions v3_req -extfile ssl/req.cnf

Option 2: Run the commands step by step.

  1. Generate the CA key (servercakey.pem) and the self-signed CA certificate (serverca.crt). This CA signs the server and client certificates:
    $ openssl genrsa -out servercakey.pem
    $ openssl req -new -x509 -key servercakey.pem -out serverca.crt
  2. Create the server private key (server.key) and a server certificate (server.crt) signed by the CA:
    $ openssl genrsa -out server.key
    $ openssl req -new -key server.key -out server_reqout.txt
    $ openssl x509 -req -in server_reqout.txt -days 3650 -sha256 -CAcreateserial -CA serverca.crt -CAkey servercakey.pem -out server.crt
  3. Create the client private key (client.key) and a client certificate (client.crt) the same way:
    $ openssl genrsa -out client.key
    $ openssl req -new -key client.key -out client_reqout.txt
    $ openssl x509 -req -in client_reqout.txt -days 3650 -sha256 -CAcreateserial -CA serverca.crt -CAkey servercakey.pem -out client.crt
  4. Restrict the file permissions (600 is enough for files; the execute bit in 700 serves no purpose):
    $ chmod 700 server.crt server.key
    $ chmod 700 client.crt client.key

    Note: genrsa without a size uses the OpenSSL default key size (2048 bits in current releases), and the two openssl req calls prompt for the subject fields. The certificates issued this way carry no extensions at all, because openssl x509 -req adds none unless -extfile/-extensions are given (as in Option 1): there is no subjectAltName, so browsers and Go clients reject server.crt on hostname verification, and no extendedKeyUsage, so nothing distinguishes the client certificate from the server one. For anything beyond a lab, use Option 1's req.cnf with the SAN and usage sections you need.
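What both options leave out is the verification step, and Option 2 also leaves out the extensions. The following added example (not the dex script and not the commands above) builds a private CA that issues a server certificate with a SAN and a client certificate for mutual TLS, each with the key usages a TLS peer actually checks, and then runs the checks a practitioner should run before deploying: chain validation with hostname matching, and purpose checks that refuse a server certificate used as a client certificate (and vice versa). Hostnames, subjects and file names are placeholders.

```shell
#!/bin/sh
# Added example (not the dex script, not the step-by-step commands): a private
# CA issuing a server and a client certificate, plus the checks to run after.
# Hostnames, subjects and file names are placeholders.
set -eu

# write_config DIR HOST: one config file with an extension section per role.
# basicConstraints/keyUsage are what make ca.pem a CA and the others leaves.
write_config() {
  cat > "$1/ssl.cnf" <<EOF
[req]
distinguished_name = dn
# v3_ca is applied only by 'req -x509', i.e. to the CA certificate
x509_extensions    = v3_ca
[dn]
[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$2
[v3_client]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# new_ca DIR: CA key and self-signed CA certificate. Its CN differs from the
# leaf CNs so subject and issuer never collide.
new_ca() {
  openssl genrsa -out "$1/ca-key.pem" 2048 2>/dev/null
  openssl req -x509 -new -key "$1/ca-key.pem" -sha256 -days 365 \
    -subj "/CN=example-ca" -config "$1/ssl.cnf" -out "$1/ca.pem"
  chmod 600 "$1/ca-key.pem"
}

# issue DIR NAME SECTION: key, CSR and CA-signed certificate for one identity.
# The extensions come from SECTION in ssl.cnf at signing time; 'x509 -req'
# copies nothing from the CSR on its own.
issue() {
  openssl genrsa -out "$1/$2-key.pem" 2048 2>/dev/null
  openssl req -new -key "$1/$2-key.pem" -subj "/CN=$2" \
    -config "$1/ssl.cnf" -out "$1/$2.csr"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca-key.pem" \
    -CAcreateserial -days 365 -sha256 \
    -extfile "$1/ssl.cnf" -extensions "$3" -out "$1/$2.pem" 2>/dev/null
  chmod 600 "$1/$2-key.pem"
}

# chain_ok CAFILE CERT HOST: path validation plus hostname matching against
# the SAN, i.e. what a TLS client does on connect.
chain_ok() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# usable_as CAFILE CERT PURPOSE: PURPOSE is sslserver or sslclient; fails when
# keyUsage/extendedKeyUsage forbid that role, so a server certificate is
# refused as a client certificate and vice versa.
usable_as() {
  openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1
}

# Stand-alone run in a scratch directory.
work=$(mktemp -d)
write_config "$work" dex.example.com
new_ca "$work"
issue "$work" dex.example.com v3_server
issue "$work" client1 v3_client
chain_ok "$work/ca.pem" "$work/dex.example.com.pem" dex.example.com && echo "server chain and hostname OK"
chain_ok "$work/ca.pem" "$work/dex.example.com.pem" other.example.com || echo "hostname mismatch rejected (expected)"
usable_as "$work/ca.pem" "$work/client1.pem" sslclient && echo "client certificate OK for clientAuth"
usable_as "$work/ca.pem" "$work/dex.example.com.pem" sslclient || echo "server certificate refused as client certificate (expected)"
```

The two negative checks are the point: a certificate that validates against the CA can still be the wrong certificate for the job, and openssl verify with -verify_hostname and -purpose catches both mistakes offline, before a client connection does.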


Reference:

  • https://github.com/dexidp/dex/blob/master/examples/grpc-client/cert-gen
  • https://github.com/dexidp/dex/blob/master/examples/k8s/gencert.sh?fireglass_rsn=true

Generate a CSR locally from a config file

1. Generate the private key:

openssl genrsa -out plug_client_cert.key 4096

2. Create the config file (plug_client_qa.cnf, the name used in step 3) as shown below. prompt = no makes openssl req take the subject from the file instead of asking. Replace <Domain Name> with the real hostnames, keeping DNS.1 and DNS.2 distinct (for example the bare name and a www. alias), and list every hostname the service answers to under [alt_names]; clients match against these, not against the CN:

[ req ]
default_bits       = 4096
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no
[ req_distinguished_name ]
countryName            = SG
stateOrProvinceName    = Singapore
localityName           = INFRA/APP
organizationName       = ABC Bank Ltd
commonName             = <Domain Name>
organizationalUnitName = EDSF
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = <Domain Name>
DNS.2 = <Domain Name>

3. Generate the CSR from the key and the config file. Use -key so the key from step 1 is reused; the original -newkey rsa:4096 -nodes -keyout plug_client_cert.key form generates a fresh key and silently overwrites the one from step 1, leaving a CSR that no longer belongs to the key you started with:

openssl req -new -key plug_client_cert.key -config plug_client_qa.cnf -out plug_client_cert_qa.csr

4. Inspect the CSR before submitting it to the CA, and confirm that the Subject and the DNS entries under Subject Alternative Name are what you expect (a CA issues what the CSR asks for, or refuses it):

openssl req -noout -text -in plug_client_cert_qa.csr
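The CSR procedure above, made non-interactive and checked, as an added example (not from the original notes). Besides reading the CSR, it verifies the request's self-signature and confirms that the CSR's public key matches the private key you intend to deploy, then reproduces the -newkey/-keyout form of step 3 to show that it leaves the step-1 key orphaned. The DN values are the page's placeholders; plug.example.com is an assumed hostname.

```shell
#!/bin/sh
# Added example, not from the original notes: CSR from a config file against
# a key generated beforehand, plus the pre-submission checks. DN values are
# the page's placeholders; plug.example.com is an assumed hostname.
set -eu

# write_csr_config DIR DOMAIN: prompt = no makes 'openssl req' take the
# subject from the file. Every hostname the service answers to goes under
# [alt_names]; the CN on its own is ignored by modern TLS clients.
write_csr_config() {
  cat > "$1/plug_client_qa.cnf" <<EOF
[ req ]
default_bits       = 4096
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt             = no
[ req_distinguished_name ]
countryName            = SG
stateOrProvinceName    = Singapore
localityName           = INFRA/APP
organizationName       = ABC Bank Ltd
organizationalUnitName = EDSF
commonName             = $2
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = $2
DNS.2 = www.$2
EOF
}

# new_key DIR BITS: the private key is generated once, here, and reused.
new_key() {
  openssl genrsa -out "$1/plug_client_cert.key" "$2" 2>/dev/null
  chmod 600 "$1/plug_client_cert.key"
}

# csr_from_key DIR: -key reuses the existing key; -newkey/-keyout would
# generate another key and overwrite it (see csr_newkey_overwrites).
csr_from_key() {
  openssl req -new -key "$1/plug_client_cert.key" \
    -config "$1/plug_client_qa.cnf" -out "$1/plug_client_cert_qa.csr"
}

# csr_signature_ok CSR: the request is signed with the requester's key;
# a CA rejects one whose signature does not verify.
csr_signature_ok() { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }

# key_matches_csr KEY CSR: compare SHA-256 digests of both public keys (DER).
# A mismatch means the certificate the CA returns will never load with KEY.
key_matches_csr() {
  k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
  c=$(openssl req -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ "$k" = "$c" ]
}

# csr_sans CSR: the DNS names requested, one per line, to review before
# submitting.
csr_sans() { openssl req -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*'; }

# csr_newkey_overwrites DIR: runs step 3 in its -newkey/-keyout form (with a
# 2048-bit key to save time) and shows that the key from step 1 no longer
# matches the resulting CSR. Succeeds iff the mismatch is observed.
csr_newkey_overwrites() {
  cp "$1/plug_client_cert.key" "$1/step1.key"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/plug_client_cert.key" \
    -config "$1/plug_client_qa.cnf" -out "$1/overwritten.csr" 2>/dev/null
  ! key_matches_csr "$1/step1.key" "$1/overwritten.csr"
}

# Stand-alone run in a scratch directory.
work=$(mktemp -d)
write_csr_config "$work" plug.example.com
new_key "$work" 4096
csr_from_key "$work"
csr_signature_ok "$work/plug_client_cert_qa.csr" && echo "CSR signature OK"
key_matches_csr "$work/plug_client_cert.key" "$work/plug_client_cert_qa.csr" && echo "CSR matches plug_client_cert.key"
echo "requested SANs:"; csr_sans "$work/plug_client_cert_qa.csr"
csr_newkey_overwrites "$work" && echo "-newkey/-keyout replaced the step-1 key: the new CSR no longer matches it"
```

key_matches_csr is worth keeping around: the same comparison (public key of the key file against the public key of a certificate extracted with openssl x509 -pubkey) tells you whether a certificate returned by the CA belongs to the key on the server before you restart anything.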

Create a Kubernetes TLS secret from the certificate and key (k is the usual alias for kubectl; server.crt and server.key are the server files from Option 2 above). kubectl refuses a key that does not match the certificate. --dry-run=server sends the request to the API server for validation without persisting it, so it needs cluster access; --dry-run=client renders the manifest offline. The resulting YAML embeds the private key base64-encoded, not encrypted, so treat the file as a secret and do not commit it to a repository in plain form:

k create secret tls cirrus.dell.com.tls -n auth --dry-run=server --cert=server.crt --key=server.key -oyaml > cirrus.dell.com.tls.yaml
Reproduction without permission prohibited: 琼杰笔记 » Generating a self-signed certificate using OpenSSL