Creating Private Keys and Certificates for Ingress Gateway and Egress Gateway

This chapter describes how to create private keys and certificates in PCF.

Creating Private Keys and Certificates

To create private keys and certificates:
  1. Generate RSA private key by executing the following command: 
    openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -keyout rsa_private_key -out rsa_certificate.crt
  2. Convert private key to .pem format by executing the following command: 
    openssl rsa -in rsa_private_key -outform PEM -out rsa_private_key_pkcs1.pem
  3. Generate certificate using the private key by executing the following command: 
    openssl req -new -key rsa_private_key -out ocegress.csr -config ssl.conf

    Note:

    The ssl.conf can be used to configure default entries along with storage area network (SAN) details for your certificate.
    A sample of the ssl.conf is provided below: 
    #ssl.conf
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = IN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Karnataka
localityName = Locality Name (eg, city)
localityName_default = Bangalore
organizationName = Organization Name (eg, company)
organizationName_default = Oracle
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = localhost

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
IP = 127.0.0.1
DNS.1 = localhost
  4. Create root certificate authority (CA) by executing the following set of commands: 
    openssl req -new -keyout cakey.pem -out careq.pem
    openssl x509 -signkey cakey.pem -req -days 3650 -in careq.pem -out caroot.cer -extensions v3_ca
    echo 1234 > serial.txt
  5. Sign the server certificate with root CA private key by executing the following command: 
    openssl x509 -CA caroot.cer -CAkey cakey.pem -CAserial serial.txt -req -in ocegress.csr -out ocegress.cer -days 365 -extfile ssl.conf -extensions req_ext

    Note:

    The ssl.conf file must be reused, as SAN contents is not packaged when signing.
  6. Create key.txt by entering any password.
  7. Create trust.txt by entering any password.

Creating a Secret

Note:

You should create a secret for database access before deploying PCF.
To create a secret:
  1. Create namespace by executing the following command: 
    kubectl create ns NameSpace
    where:

    namespace is the deployment namespace used by the helm command.

  2. Generate secret out of the keys and certificates by executing the following command: 
    kubectl create secret generic k8SecretName --from-file=rsa_private_key_pkcs1.pem --from-file=trust.txt --from-file=key.txt --from-file=ocegress.cer --from-file=caroot.cer -n k8NameSpace
    where:

    k8NameSpace is the deployment namespace used by the helm command.

    k8SecretName is the name of secret generated.

    For example: 
    kubectl create secret generic pcf-gateway-secret --from-file=rsa_private_key_pkcs1.pem --from-file=trust.txt --from-file=key.txt --from-file=ocegress.cer --from-file=caroot.cer -n pcf
Previous
Previous
Go To Table Of Contents
Contents