@patrickcrocker
Last active October 16, 2020 05:12
Gist: patrickcrocker/a9256ecdb758ce85d01d

Create Root CA and Server Certificate

Docs:

Create the Root Certificate (Done Once)

Create the Root Private Key

$ openssl genrsa -out root-key.pem 2048

genrsa writes the key unencrypted. This key signs every server certificate the installation will trust, so keep it off the PCF hosts; to encrypt it at rest add -aes256 to the command, after which the later signing steps prompt for the passphrase.

Create the Root Certificate Authority

$ openssl req -x509 -new -nodes \
          -key root-key.pem \
          -sha256 -days 1024 \
          -out root-ca.pem \
          -subj "/C=US/ST=California/L=Palo Alto/O=Pivotal Software, Inc./OU=Pivotal Demos/CN=Pivotal Demos Root CA/emailAddress=pcrocker@pivotal.io"

Verify the Root Certificate Authority

$ openssl x509 -text -noout -in root-ca.pem

Issuer and Subject should be identical, and X509v3 Basic Constraints should read CA:TRUE. The stock openssl.cnf applies its v3_ca section to req -x509 output, which is what sets that constraint.

Create Server Certificate (Once Per PCF Installation)

Copy your default openssl.cnf file to a temporary openssl-san.cnf file (the path below is Homebrew's on macOS; on Debian/Ubuntu it is /etc/ssl/openssl.cnf, and openssl version -d prints the directory your build uses):

$ cp /usr/local/etc/openssl/openssl.cnf openssl-san.cnf

Edit openssl-san.cnf so the CSR carries the SAN extension. In the stock file req_extensions = v3_req is present under [ req ] but commented out, and [ v3_req ] already sets basicConstraints and keyUsage; uncomment the former, then add the subjectAltName line and the [alt_names] section.

Modern clients (RFC 6125 hostname matching; Chrome since version 58) check the server name against the SAN entries only and ignore the CN, so every name the installation serves must appear here. Each wildcard matches exactly one DNS label: *.stratus.pcfdemo.com covers api.stratus.pcfdemo.com but neither stratus.pcfdemo.com nor api.sys.stratus.pcfdemo.com, which is why each PCF sub-domain gets its own entry. Apple platforms (iOS 13 and macOS 10.15 onward) additionally require extendedKeyUsage = serverAuth on TLS server certificates; add that line to [ v3_req ] if such clients must trust the certificate.

[ req ]
req_extensions = v3_req # The extensions to add to a certificate request

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.stratus.pcfdemo.com
DNS.2 = *.cfapps.stratus.pcfdemo.com
DNS.3 = *.sys.stratus.pcfdemo.com
DNS.4 = *.login.system.stratus.pcfdemo.com
DNS.5 = *.uaa.system.stratus.pcfdemo.com
DNS.6 = *.pks.stratus.pcfdemo.com

Create the Server Private Key

$ openssl genrsa -out server-key.pem 2048

Create Server Certificate Signing Request

$ openssl req -sha256 -new \
          -key server-key.pem \
          -out server-csr.pem \
          -config openssl-san.cnf \
          -subj "/C=US/ST=California/L=Palo Alto/O=Pivotal Software, Inc./OU=Pivotal Demos/CN=*.stratus.pcfdemo.com/emailAddress=pcrocker@pivotal.io"

Verify multiple SANs in your CSR

$ openssl req -text -noout -in server-csr.pem

Create Server Certificate Signed by the Root CA

openssl x509 -req does not copy extensions from the CSR, so -extfile and -extensions re-apply the v3_req section (SANs included) to the issued certificate; omit them and the certificate silently loses its SANs. -CAcreateserial writes root-ca.srl next to the CA certificate on the first signing and increments it on later ones; keep that file with root-key.pem so serial numbers stay unique across installations.

$ openssl x509 -req \
          -in server-csr.pem \
          -CA root-ca.pem \
          -CAkey root-key.pem \
          -CAcreateserial \
          -out server-cert.pem \
          -days 500 -sha256 \
          -extensions v3_req \
          -extfile openssl-san.cnf

Verify multiple SANs in your Certificate

$ openssl x509 -text -noout -in server-cert.pem

The X509v3 Subject Alternative Name block should list all six names, X509v3 Basic Constraints should read CA:FALSE, and the Issuer should be the root CA's subject.
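As an added end-to-end example (not commands from the gist), the script below rebuilds the root CA and the wildcard server certificate in a scratch directory and then uses openssl verify -verify_hostname to show which names the SAN list actually covers. It assumes OpenSSL 1.1.0 or newer on PATH, uses a minimal inline config in place of the copied system openssl.cnf, and adds extendedKeyUsage = serverAuth to v3_req; the v3_ca section, the scratch directory and the test hostnames are this example's own.

```shell
#!/bin/sh
# Added example, not part of the gist: rebuilds the root CA and wildcard
# server certificate in a scratch directory with a minimal, self-contained
# config, then uses `openssl verify -verify_hostname` to show which names
# the SAN list actually covers. Assumes OpenSSL 1.1.0 or newer on PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"     # scratch directory (assumption)
CNF="$WORK/openssl-san.cnf"

# Minimal config standing in for the copied system openssl.cnf. The v3_req
# section mirrors the gist; extendedKeyUsage = serverAuth is an addition
# that Apple clients require on TLS server certificates.
write_config() {
    cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = *.stratus.pcfdemo.com
DNS.2 = *.cfapps.stratus.pcfdemo.com
DNS.3 = *.sys.stratus.pcfdemo.com
DNS.4 = *.login.system.stratus.pcfdemo.com
DNS.5 = *.uaa.system.stratus.pcfdemo.com
DNS.6 = *.pks.stratus.pcfdemo.com
EOF
}

build_pki() {
    write_config
    # Root CA: done once. -extensions v3_ca gives it CA:TRUE and keyCertSign.
    openssl genrsa -out "$WORK/root-key.pem" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$WORK/root-key.pem" -sha256 -days 1024 \
        -config "$CNF" -extensions v3_ca \
        -subj "/O=Pivotal Demos/CN=Pivotal Demos Root CA" \
        -out "$WORK/root-ca.pem"
    # Server key, CSR and CA-signed certificate: once per installation.
    openssl genrsa -out "$WORK/server-key.pem" 2048 2>/dev/null
    openssl req -sha256 -new -key "$WORK/server-key.pem" -config "$CNF" \
        -subj "/O=Pivotal Demos/CN=*.stratus.pcfdemo.com" \
        -out "$WORK/server-csr.pem"
    # x509 -req drops CSR extensions, so v3_req is re-applied via -extfile.
    openssl x509 -req -in "$WORK/server-csr.pem" \
        -CA "$WORK/root-ca.pem" -CAkey "$WORK/root-key.pem" -CAcreateserial \
        -days 500 -sha256 -extensions v3_req -extfile "$CNF" \
        -out "$WORK/server-cert.pem" 2>/dev/null
}

# Exit 0 if server-cert.pem chains to root-ca.pem, is usable as a TLS
# server certificate, and its SANs cover the given hostname.
check_host() {
    openssl verify -CAfile "$WORK/root-ca.pem" -purpose sslserver \
        -verify_hostname "$1" "$WORK/server-cert.pem" >/dev/null 2>&1
}

# Prints "match" or "no match" for a hostname.
host_result() {
    if check_host "$1"; then echo match; else echo "no match"; fi
}

build_pki
# Each wildcard matches exactly one DNS label: the bare domain and deeper
# sub-domains are only covered if they have their own entry.
for h in api.stratus.pcfdemo.com uaa.sys.stratus.pcfdemo.com \
         stratus.pcfdemo.com api.other.stratus.pcfdemo.com; do
    printf '%-36s %s\n' "$h" "$(host_result "$h")"
done
```

The -purpose sslserver flag makes openssl verify apply the same keyUsage/extendedKeyUsage rules a TLS client would, so a certificate whose v3_req section was dropped (for example by forgetting -extfile) fails here rather than at the first browser connection. Run it against your real server-cert.pem by pointing WORK at the directory holding the gist's output files.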