Lab 12.1 - Generate TLS Certificates

1. Log in as the admin user and switch to the default project

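# Lab credentials: user "admin", password "rahasia".
# The password is typed at the prompt oc opens when -p is omitted, so it does not
# end up in the shell history or in the argv that `ps` shows on the bastion host.
oc login -u admin https://api.openshift.podX.io:6443
oc project default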

2. Test the URLs using curl

# Probe both endpoints twice: the plain calls verify the server certificate and
# are expected to fail while the cluster's certificate is not yet trusted; the
# --insecure (-k) calls skip verification so the endpoint's reply is still visible.
curl https://api.openshift.podX.io:6443
curl --insecure https://api.openshift.podX.io:6443
curl https://console-openshift-console.apps.openshift.podX.io
curl --insecure https://console-openshift-console.apps.openshift.podX.io

3. Generate CA certificate and CA.key

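# Working directory plus the lab root CA: a 4096-bit RSA key and a self-signed cert.
mkdir certificate && cd certificate
openssl genrsa -out rootCA.key 4096
# Every host that imports rootCA-crt.pem (step 6) trusts anything signed with this
# key, so make it owner-only explicitly; the mode openssl writes varies by version.
chmod 600 rootCA.key
# -nodes: the key is stored unencrypted, so signing in step 5 will not prompt.
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA-crt.pem
ls -l

# Common name: openshift.podX.io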

4. Generate wildcard.key and the wildcard certificate signing request (CSR)

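# Private key for the wildcard certificate; owner-only for the same reason as rootCA.key.
openssl genrsa -out wildcard.key 2048
chmod 600 wildcard.key
# Extension file consumed at signing time (step 5). The subjectAltName entries in
# it are what clients match the hostname against, so both the apps wildcard and
# the API hostname have to be listed there.
vim certificate.conf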
...
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.apps.openshift.podX.io
DNS.2 = api.openshift.podX.io
...

# Create the certificate signing request. The SANs are not embedded here; they
# are applied from certificate.conf when the CSR is signed in step 5.
openssl req -new -out wildcard.csr -key wildcard.key
ls

# Common name: *.openshift.podX.io

5. Sign wildcard certificate with rootCA

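# Sign the CSR with the lab CA, applying the [v3_req] extensions (the SANs) from
# certificate.conf. -CAcreateserial creates rootCA-crt.srl on first use.
openssl x509 -req -extensions v3_req -days 365 -in wildcard.csr -CA rootCA-crt.pem -CAkey rootCA.key -CAcreateserial -out wildcard-crt.pem -extfile certificate.conf -sha256
# Show subject, issuer and SANs, then confirm the leaf actually chains to rootCA
# before it is trusted or deployed anywhere.
openssl x509 -in wildcard-crt.pem -noout -subject -issuer -ext 'subjectAltName'
openssl verify -CAfile rootCA-crt.pem wildcard-crt.pem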

6. Add the CA certificate to the node's trust store

# Add the lab CA to the host trust store (requires root). After update-ca-trust
# runs, this host trusts every certificate issued with rootCA.key.
for dir in /etc/pki/tls/certs /etc/pki/ca-trust/source/anchors; do
  cp -- rootCA-crt.pem "$dir/"
done
update-ca-trust

7. Combine the wildcard certificate with the rootCA certificate

# Build the chain file in the order TLS servers expect: leaf first, then its issuer.
cat -- wildcard-crt.pem rootCA-crt.pem > combined-cert.pem
cat -- combined-cert.pem
