In a previous post I already talked about protecting your VCHs with TLS, but it lacks a process on how to generate your own Certificate Signing Request (CSR), which can be used to request a valid certificate from an internal or public Certificate Authority (CA), keep in mind it’s not intended to be a definitive guide, certificate is a wider subject with a lot of options that can be leveraged, like encryption methods, key size, certificate requirements, etc.. with that said, use at your own risk and make sure to test it before going into production.
I will use Openssl tool to generate an RSA Private Key and CSR, if you don’t have it yet download and install it first, it has a version available for each of the popular O.S.
For the purpose of this example, my VCH will be named vch01, defining a name for your VCH is important for the certificate specifications like common name, make sure you adjust it accordingly when creating your owns.
The certificate requirements for VCH are:
- an X.509 certificate
- KeyEncipherment
- DigitalSignature
- KeyAgreement
- ServerAuth
Let’s start creating a directory where we will store our files
Run: mkdir /tmp/vch01
To make things easier I created a configuration file where I added all the certificate settings, it could also be used as a template for future requests
Run: vi /tmp/vch01/vch01.cnf
Add the fields as the screen bellow, updating the fields related to your environment
Now let’s create our RSA Private Key, this key will be used to signed the CSR
Run: openssl genrsa -des3 -out vch01.key 2048 pkcs8
The options on this command are:
- des3 is the cryptographic method
- 2048 is the size of private key
- pcks8 is the standard syntax for storing information
VIC does not support PCKS#1, so if you have a key like that convert it before proceed.
To make sure the key is OK
Run: openssl rsa -in /tmp/vch01/vch01.key -check
By default the key is encrypted and some applications does not support it, such as VIC, so to proceed we need to remove the passphrase from it to avoid issues when creating your VCHs
Run: openssl rsa -in vch01.key -out newvch01.key
Now that we have our private key we can generate the CSR.
Run: openssl req -new -key newvch01.key -out vch01.csr -config vch01.cnf
Since we are using a config file to provide the certificate information, nothing will be prompted but the key passphrase
The syntax on this command contains:
- -key; which specified what key to use to sign the CSR;
- -out; csr output file;
- -config; the configuration file with certificate details;
Before sending the CSR to your CA check if it contains the information you need
Run: openssl req -in vch01.csr -noout -text
If everything is fine you can send it to your CA in order to generated a signed certificate.
Once you get your signed certificate back is just a matter of creating your VCH with the certificate as I stated on Protecting your VCH post.
At this point the process of generating your CSR is done, but if either you don’t plan on having your certificate signed by a CA or wish to test your new implementation while the CA is signing your certificate what you need then is to self sign your own certificate.
Self-signed certificate can also be done with openssl, you only need a RSA key and a CSR, which we just created so we are good to go.
To generate a self-signed certificate which is good for 365 days, issue the following command
Run: openssl x509 -req -days 365 -in vch01.csr -signkey vch01.key -out vch01.pem
That's it, you now have your self signed certificate to create your VCHs.
ProTips:
- The certificate process wen fine but during the VCH creation you got the following error:
ERROR Failed to parse certificate: tls: failed to parse private key
ERROR Unable to load certificates: tls: failed to parse private key
ERROR --------------------
ERROR vic-machine-linux create failed: tls: failed to parse private key
It’s just because your key is encrypted, you need to remove the passphrase from the key, check the steps above on how to remove passphrases from your key.
- Once your VCH is created with a self-signed, the CA cert will be the same as your server certificate, just create a copy of it and name it ca.pem, otherwise when you try to communicate with your host you will got the certificate signed by unkown authority error message
x509: certificate signed by unknown authority
That's all folks.....
