Creating Private Keys and Certificates for Ingress Gateway and Egress Gateway
This chapter describes how to create private keys and certificates in PCF.
Creating Private Keys and Certificates
To create private keys and certificates:
- Generate the RSA private key by executing the following command:
openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -keyout rsa_private_key -out rsa_certificate.crt
- Convert the private key to .pem format by executing the following command:
openssl rsa -in rsa_private_key -outform PEM -out rsa_private_key_pkcs1.pem
- Generate the certificate signing request (CSR) from the private key by executing the following command:
openssl req -new -key rsa_private_key -out ocegress.csr -config ssl.conf
Note:
The ssl.conf file can be used to configure default entries along with the subject alternative name (SAN) details for your certificate. A sample ssl.conf is provided below:
#ssl.conf
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = IN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Karnataka
localityName = Locality Name (eg, city)
localityName_default = Bangalore
organizationName = Organization Name (eg, company)
organizationName_default = Oracle
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = localhost
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
IP = 127.0.0.1
DNS.1 = localhost
- Create the root certificate authority (CA) by executing the following set of commands:
openssl req -new -keyout cakey.pem -out careq.pem
openssl x509 -signkey cakey.pem -req -days 3650 -in careq.pem -out caroot.cer -extensions v3_ca
echo 1234 > serial.txt
- Sign the server certificate with the root CA private key by executing the following command:
openssl x509 -CA caroot.cer -CAkey cakey.pem -CAserial serial.txt -req -in ocegress.csr -out ocegress.cer -days 365 -extfile ssl.conf -extensions req_ext
Note:
The ssl.conf file must be passed again with -extfile and -extensions, because the SAN entries in the CSR are not copied into the certificate when signing.
- Create key.txt by entering any password.
- Create trust.txt by entering any password.
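As an added example (not part of the Oracle documentation), the following POSIX shell script runs the six steps above non-interactively in a scratch directory and then performs the checks a practitioner wants before packaging the files into a secret: the signed certificate verifies against caroot.cer, it still carries the SAN from ssl.conf, and its public key matches rsa_private_key_pkcs1.pem. The -subj values, the ca.conf v3_ca section, the -nodes and -newkey options on the CA key, and the password file contents are this example's own assumptions; the file names are the page's.

```shell
#!/bin/sh
# Added example, not from the PCF documentation: the page's six steps run
# non-interactively, followed by the checks to run before creating the secret.
# Assumed: -subj values, ca.conf, CA key options, password file contents.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

write_configs() {
    # ssl.conf as shown in the note above; the SAN section is what must survive signing.
    cat > ssl.conf <<'EOF'
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = IN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Karnataka
localityName = Locality Name (eg, city)
localityName_default = Bangalore
organizationName = Organization Name (eg, company)
organizationName_default = Oracle
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = localhost
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
IP = 127.0.0.1
DNS.1 = localhost
EOF
    # Assumed CA extension section, so the root does not depend on the
    # system openssl.cnf providing a v3_ca section.
    cat > ca.conf <<'EOF'
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

build_chain() {
    cd "$WORKDIR"
    write_configs
    # Step 1: RSA private key (-subj replaces the interactive prompts).
    openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 \
        -keyout rsa_private_key -out rsa_certificate.crt \
        -config ssl.conf -subj "/C=IN/O=Oracle/CN=localhost" 2>/dev/null
    # Step 2: PEM copy of the key.
    openssl rsa -in rsa_private_key -outform PEM -out rsa_private_key_pkcs1.pem 2>/dev/null
    # Step 3: CSR carrying the SAN from ssl.conf.
    openssl req -new -key rsa_private_key -out ocegress.csr \
        -config ssl.conf -subj "/C=IN/O=Oracle/CN=localhost"
    # Step 4: root CA; key left unencrypted (-nodes) so the script needs no passphrase.
    openssl req -new -nodes -newkey rsa:2048 -keyout cakey.pem -out careq.pem \
        -config ssl.conf -subj "/C=IN/O=Oracle/CN=example-root-ca" 2>/dev/null
    openssl x509 -signkey cakey.pem -req -days 3650 -in careq.pem \
        -out caroot.cer -extfile ca.conf -extensions v3_ca 2>/dev/null
    echo 1234 > serial.txt
    # Step 5: sign the CSR; without -extfile/-extensions the SAN would be dropped.
    openssl x509 -CA caroot.cer -CAkey cakey.pem -CAserial serial.txt -req \
        -in ocegress.csr -out ocegress.cer -days 365 \
        -extfile ssl.conf -extensions req_ext 2>/dev/null
    # Step 6: password files (constructed values).
    printf 'example-key-password\n' > key.txt
    printf 'example-trust-password\n' > trust.txt
}

# Returns 0 only if the signed certificate chains to caroot.cer, carries the
# SAN from ssl.conf, and matches the private key that will go into the secret.
check_chain() {
    cd "$WORKDIR"
    openssl verify -CAfile caroot.cer ocegress.cer >/dev/null || return 1
    openssl x509 -in ocegress.cer -noout -text \
        | grep -A1 'Subject Alternative Name' | grep -q 'DNS:localhost' || return 1
    cert_pub=$(openssl x509 -in ocegress.cer -noout -pubkey)
    key_pub=$(openssl pkey -in rsa_private_key_pkcs1.pem -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

build_chain
check_chain
echo "chain OK in $WORKDIR"
```

Run it with sh; WORKDIR defaults to a temporary directory and the resulting files are the ones named in the kubectl create secret command in the next section. Two points worth knowing: if step 5 is run without -extfile ssl.conf -extensions req_ext, check_chain fails on the SAN test, which is exactly the situation the note above warns about; and on OpenSSL 3.x, openssl rsa writes the key in PKCS#8 form (a BEGIN PRIVATE KEY header) unless -traditional is added, so the pkcs1 file name does not by itself guarantee PKCS#1 encoding. Check the header line if the consumer of the secret requires PKCS#1.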
Creating a Secret
Note:
You should create a secret for database access before deploying PCF.
To create a secret:
- Create the namespace by executing the following command:
kubectl create ns NameSpace
where:
NameSpace is the deployment namespace used by the helm command.
- Generate the secret from the keys and certificates by executing the following command:
kubectl create secret generic k8SecretName --from-file=rsa_private_key_pkcs1.pem --from-file=trust.txt --from-file=key.txt --from-file=ocegress.cer --from-file=caroot.cer -n k8NameSpace
where:
k8NameSpace is the deployment namespace used by the helm command.
k8SecretName is the name of the secret generated.
For example:
kubectl create secret generic pcf-gateway-secret --from-file=rsa_private_key_pkcs1.pem --from-file=trust.txt --from-file=key.txt --from-file=ocegress.cer --from-file=caroot.cer -n pcf