Create Private Keys and Certificates for Ingress Gateway and Egress Gateway
This section describes how to create private keys and certificates in NSSF.
Creating Private Keys and Certificates to Enable HTTPS
To create private keys and certificates:
- Generate an RSA private key by executing the following command (this command also writes a self-signed certificate, rsa_certificate.crt):
openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -keyout rsa_private_key -out rsa_certificate.crt
- Convert the private key to PEM format by executing the following command:
openssl rsa -in rsa_private_key -outform PEM -out rsa_private_key_pkcs1.pem
- Generate a certificate signing request (CSR) using the private key by executing the following command:
openssl req -new -key rsa_private_key -out ocegress.csr -config ssl.conf
Note:
The ssl.conf file can be used to configure default entries along with subject alternative name (SAN) details for your certificate. A sample ssl.conf is provided below:
#ssl.conf
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = IN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Karnataka
localityName = Locality Name (eg, city)
localityName_default = Bangalore
organizationName = Organization Name (eg, company)
organizationName_default = Oracle
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = localhost
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
IP = 127.0.0.1
DNS.1 = localhost
- Create a root certificate authority (CA) by executing the following set of commands:
openssl req -new -keyout cakey.pem -out careq.pem
openssl x509 -signkey cakey.pem -req -days 3650 -in careq.pem -out caroot.cer -extensions v3_ca
echo 1234 > serial.txt
- Sign the server certificate with the root CA private key by executing the following command:
openssl x509 -CA caroot.cer -CAkey cakey.pem -CAserial serial.txt -req -in ocegress.csr -out ocegress.cer -days 365 -extfile ssl.conf -extensions req_ext
Note:
The ssl.conf file must be reused here, because the SAN entries in the CSR are not copied into the signed certificate; they have to be supplied again through -extfile and -extensions.
- Create key.txt containing any password.
- Create trust.txt containing any password.
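The whole sequence above, run end to end and then checked, as an added example that is not part of the NSSF documentation. It assumes only that openssl is on PATH; the DN values and file names follow the page's sample ssl.conf, and -subj, -nodes, -config and the output redirects are added purely so nothing prompts. The check at the end is what a practitioner wants before packaging the files into a secret: the server certificate validates against the root CA, its public key matches rsa_private_key_pkcs1.pem, and the SAN actually survived the signing step.

```shell
#!/bin/sh
# Added example (not from the NSSF documentation): runs the key, CSR, root CA
# and signing steps non-interactively in one directory, then verifies the result.
# Assumes openssl on PATH. The v3_ca section and the "Example Test Root CA"
# name are this example's own additions.
set -eu

write_ssl_conf() {
    # Same layout as the page's sample ssl.conf, plus a v3_ca section so the
    # root CA gets explicit CA extensions without relying on a system openssl.cnf.
    cat > "$1" <<'EOF'
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = IN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Karnataka
localityName = Locality Name (eg, city)
localityName_default = Bangalore
organizationName = Organization Name (eg, company)
organizationName_default = Oracle
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = localhost
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
IP.1 = 127.0.0.1
DNS.1 = localhost
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

SUBJ="/C=IN/ST=Karnataka/L=Bangalore/O=Oracle/CN=localhost"

# Subshell body: the cd does not leak into the caller.
create_gateway_certs() (
    mkdir -p "$1" && cd "$1"
    write_ssl_conf ssl.conf
    # 1. RSA private key (this command also writes a self-signed certificate).
    openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -config ssl.conf \
        -keyout rsa_private_key -out rsa_certificate.crt -subj "$SUBJ" 2>/dev/null
    # 2. PEM copy of the key; this is the file that goes into the Kubernetes secret.
    openssl rsa -in rsa_private_key -outform PEM -out rsa_private_key_pkcs1.pem 2>/dev/null
    # 3. CSR whose req_ext section carries the SAN from ssl.conf.
    openssl req -new -key rsa_private_key -out ocegress.csr -config ssl.conf -subj "$SUBJ"
    # 4. Root CA: key and request, self-signed CA certificate, serial file.
    openssl req -new -nodes -newkey rsa:2048 -config ssl.conf -keyout cakey.pem \
        -out careq.pem -subj "/CN=Example Test Root CA" 2>/dev/null
    openssl x509 -signkey cakey.pem -req -days 3650 -in careq.pem -out caroot.cer \
        -extfile ssl.conf -extensions v3_ca 2>/dev/null
    echo 1234 > serial.txt
    # 5. Sign the server CSR. -extfile/-extensions re-attach the SAN, which
    #    openssl x509 -req does not copy from the CSR by default.
    openssl x509 -CA caroot.cer -CAkey cakey.pem -CAserial serial.txt -req \
        -in ocegress.csr -out ocegress.cer -days 365 \
        -extfile ssl.conf -extensions req_ext 2>/dev/null
)

verify_gateway_certs() {
    dir="$1"
    # Chain: the signed server certificate must validate against our root CA.
    openssl verify -CAfile "$dir/caroot.cer" "$dir/ocegress.cer" >/dev/null || return 1
    # Key/certificate match: the cert's public key must derive from our private key.
    key_pub=$(openssl rsa -in "$dir/rsa_private_key_pkcs1.pem" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$dir/ocegress.cer" -pubkey -noout)
    [ "$key_pub" = "$cert_pub" ] || return 1
    # SAN survived signing: DNS:localhost from ssl.conf must be in the certificate.
    openssl x509 -in "$dir/ocegress.cer" -noout -text | grep -q 'DNS:localhost'
}

if command -v openssl >/dev/null 2>&1; then
    workdir=$(mktemp -d)
    create_gateway_certs "$workdir"
    verify_gateway_certs "$workdir"
    echo "chain, key/cert match and SAN verified in $workdir"
else
    echo "openssl not found on PATH; nothing generated" >&2
fi
```

If verify_gateway_certs fails on the SAN check, the usual cause is signing without -extfile/-extensions, which is exactly the mistake the note above warns about.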
Creating a Secret
Note: The user must create a secret for database access before deploying NSSF.
To create a secret:
- Execute the following command to list the namespaces:
kubectl get namespace
- If the namespace does not exist, create a new namespace by executing the following command:
kubectl create namespace <NameSpace>
where:
<NameSpace> is the deployment namespace used by the helm command.
- Generate a secret from the keys and certificates by executing the following command:
kubectl create secret generic k8SecretName --from-file=rsa_private_key_pkcs1.pem --from-file=trust.txt --from-file=key.txt --from-file=ocegress.cer --from-file=caroot.cer -n k8NameSpace
where:
k8NameSpace is the deployment namespace used by the helm command.
k8SecretName is the name of the secret to be generated.
Example:
kubectl create secret generic accesstoken-secret --from-file=rsa_private_key_pkcs1.pem --from-file=trust.txt --from-file=key.txt --from-file=ocegress.cer --from-file=caroot.cer -n ocnssf
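What the kubectl command above actually sends to the cluster, built by hand as an added example that is not part of the NSSF documentation. kubectl create secret generic --from-file turns each file into one data key named after the file's basename, base64-encoded, in an Opaque Secret; generating that manifest locally lets you check that all five files are present and non-empty before anything reaches the cluster, and lets you review the object before applying it. It assumes only POSIX sh and base64; the placeholder files the demo writes are constructed and are not real keys.

```shell
#!/bin/sh
# Added example (not from the NSSF documentation): builds the Secret manifest
# equivalent to "kubectl create secret generic ... --from-file=..." so the
# contents can be checked and reviewed before "kubectl apply".
# Assumes POSIX sh and base64 on PATH; file names are the ones on the page.
set -eu

# Every file the kubectl command expects. Fail early if one is missing or
# empty rather than creating a secret with an absent key or certificate.
REQUIRED_FILES="rsa_private_key_pkcs1.pem trust.txt key.txt ocegress.cer caroot.cer"

secret_files_ready() {
    dir="$1"
    for f in $REQUIRED_FILES; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; return 1; }
    done
}

# Emit an Opaque Secret. Each file becomes a data key named after the file,
# exactly as --from-file names it, with the content base64-encoded.
build_secret_manifest() {
    name="$1"; namespace="$2"; dir="$3"
    secret_files_ready "$dir" || return 1
    printf 'apiVersion: v1\nkind: Secret\ntype: Opaque\nmetadata:\n  name: %s\n  namespace: %s\ndata:\n' \
        "$name" "$namespace"
    for f in $REQUIRED_FILES; do
        # tr strips the line wrapping some base64 implementations add, so the
        # value is a single line on every platform.
        printf '  %s: %s\n' "$f" "$(base64 < "$dir/$f" | tr -d '\n')"
    done
}

# Demo with constructed placeholder files (NOT real keys). In practice point
# the directory at the one where the openssl steps were run.
demo_dir=$(mktemp -d)
for f in $REQUIRED_FILES; do printf 'placeholder content of %s\n' "$f" > "$demo_dir/$f"; done
build_secret_manifest accesstoken-secret ocnssf "$demo_dir"
# To create the secret from the manifest:
#   build_secret_manifest accesstoken-secret ocnssf "$dir" | kubectl apply -f -
```

Because the manifest carries the private key base64-encoded, not encrypted, treat its output like the key files themselves: pipe it straight into kubectl rather than writing it to disk or a shell history.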