Overview:
- Linux Command Line with OpenSSL package.
- Create a private key with a passphrase.
The CSR carries all the information needed to issue the certificate, and it is signed with our private key so that the CA can bind the resulting certificate to that key.
CSR (Certificate Signing Request): It contains the public key that will be used in the SSL/TLS certificate, along with information about the entity requesting the certificate (such as the domain name and organization). This information is used by the CA to verify the identity of the requester.
SAN (Subject Alternative Name): It's an extension to the X.509 specification that allows additional identities to be bound to a certificate. This means that a single certificate can be valid for multiple hostnames or domain names. SAN is commonly used in SSL/TLS certificates to secure multiple domains or subdomains with a single certificate.
The SAN is part of the certificate and must match the actual domain names used to access the website or service.
Note: The SAN must match the domain name for which we are creating the certificate. The Common Name should differ from that of the application's other certificates.
openssl genrsa -des3 -out domain.key 2048
Create a config file with the necessary details (config-file.cfg):
[ req ]
default_md = sha256
prompt = no
req_extensions = req_ext
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
C = IN
ST = Gujarat
L = Ahmedabad
O = Itblizz
OU = Dev Test
CN = Common Name
emailAddress = email@abc.com
[ req_ext ]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
# IP.n entries are IP addresses, DNS.n entries are host names the certificate will serve
IP.0 = 10.20.30.40
DNS.0 = email@abc.com
DNS.1 = admin.email@abc.com
Create the CSR:
openssl req -key domain.key -new -out domain.csr -config config-file.cfg
Verify the content and signature of the CSR file:
openssl req -text -noout -verify -in domain.csr
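An added example (not from this page) that ties the steps above together: a POSIX shell script that generates the request config from the CN and SAN list so the two always agree, creates the key and CSR, and checks that the CSR verifies and that its SAN actually lists every requested name, which is what the manual -text review above does by eye. Assumed: openssl on PATH, the placeholder names www.example.test and 10.20.30.40, and keyUsage set to digitalSignature, keyEncipherment (an RSA TLS server key needs digitalSignature for ECDHE cipher suites).

```shell
#!/bin/sh
# Added example, not from the original page. Assumed placeholders:
# www.example.test, 10.20.30.40, and a temporary working directory.

# Print an OpenSSL req config. $1 is the CN; every argument becomes a SAN
# entry, so the CN is always also in the SAN (validators match on SAN, not CN).
make_csr_config() {
  printf '[ req ]\ndefault_md = sha256\nprompt = no\n'
  printf 'req_extensions = req_ext\ndistinguished_name = req_distinguished_name\n'
  printf '[ req_distinguished_name ]\nC = IN\nST = Gujarat\nL = Ahmedabad\n'
  printf 'O = Itblizz\nOU = Dev Test\nCN = %s\n' "$1"
  printf '[ req_ext ]\nkeyUsage = digitalSignature, keyEncipherment\n'
  printf 'extendedKeyUsage = serverAuth\nsubjectAltName = @alt_names\n[ alt_names ]\n'
  i=0
  for name in "$@"; do
    case $name in
      *[!0-9.]*) printf 'DNS.%d = %s\n' "$i" "$name" ;;  # contains letters: host name
      *)         printf 'IP.%d = %s\n'  "$i" "$name" ;;  # digits and dots only: IPv4
    esac
    i=$((i + 1))
  done
}

# Return 0 when the CSR at $1 verifies and its SAN lists every remaining argument.
csr_covers() {
  csr=$1; shift
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
  # The SAN values are on the line after the "Subject Alternative Name" header.
  san=$(openssl req -in "$csr" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1)
  san="$san,"   # trailing comma gives every entry a terminator for exact matching
  for name in "$@"; do
    case "$san" in
      *"DNS:$name,"*|*"IP Address:$name,"*) ;;
      *) echo "missing SAN entry: $name" >&2; return 1 ;;
    esac
  done
}

# Demonstration: config, key, CSR, then the check (skipped when openssl is absent).
demo() {
  command -v openssl >/dev/null || { echo "openssl not found, skipping" >&2; return 0; }
  work=$(mktemp -d) || return 1
  make_csr_config www.example.test 10.20.30.40 > "$work/config-file.cfg"
  openssl genrsa -out "$work/domain.key" 2048 2>/dev/null &&
  openssl req -new -key "$work/domain.key" -config "$work/config-file.cfg" -out "$work/domain.csr" &&
  csr_covers "$work/domain.csr" www.example.test 10.20.30.40
  rc=$?; rm -rf "$work"; return $rc
}
demo
```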
Here we have two options:
- We can sign the certificate ourselves, or
- We hand our CSR to a Root CA (applicable for a large private infrastructure).
Remove the passphrase from the key:
openssl rsa -in domain.key -out abc-new.key
Copy the certificate to the target server:
scp abc.pem username@hostname:/home/
Encode the certificate as a single base64 line (for example, to store it in a secret or config value):
base64 -w 0 abc.cer
Decode a base64-encoded value back to its original form:
echo "key" | base64 --decode