geoffwilliams@home:~$

Lab CA

Lots of stuff we do in the lab needs a self-issued TLS certificate. Here’s how you can generate your own TLS chain of trust for testing(!).

This guide is intentionally terse and assumes knowledge of public key cryptography.

CA Key and Certificate

openssl genrsa -out lab_ca.key.pem 4096
openssl req -x509 -new -nodes -key ./lab_ca.key.pem -sha256 -days 3650 -out lab_ca.crt.pem -subj '/CN=Lab Root CA/C=AU/ST=NSW/L=Sydney/O=RESEARCH'

# inspect the CA cert
openssl x509 -in lab_ca.crt.pem -text

Server certificate

A wildcard certificate is good enough for most lab scenarios.

Generate CSR:

openssl req -new -nodes -out lab_wildcard.csr.pem -newkey rsa:4096 -keyout lab_wildcard.key.pem -subj '/CN=*.lab.asio/C=AU/ST=NSW/L=Sydney/O=RESEARCH'

# inspect CSR
openssl req -in lab_wildcard.csr.pem -text

Sign certificate and add inline v3 ext file for SAN properties

The certificate CN is no longer the right place for the wildcard; it belongs in the Subject Alternative Name (SAN) extension to keep browsers happy. More info: https://www.rfc-editor.org/rfc/rfc9525.html.

We can add this while signing the certificate:

openssl x509 -req -in lab_wildcard.csr.pem -CA lab_ca.crt.pem -CAkey lab_ca.key.pem -CAcreateserial -out lab_wildcard.crt.pem -days 3650 -sha256 -extfile <(cat << EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.lab.asio
EOF
)

# inspect signed certificate
openssl x509 -in lab_wildcard.crt.pem -text

That should be good for a few years!

Troubleshooting

The commands above generate the “new” private key format, which some tools don’t accept.

To convert to the old format (DANGER: this overwrites the original):

ssh-keygen -p -m PEM -f lab_wildcard.key.pem

Otherwise, generate the key with openssl genrsa --traditional in the first place (as in the MDS example below).
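As an added end-to-end check (my own script, not part of the original post), the function below builds the same CA and wildcard chain as the sections above in a scratch directory, then verifies what the post leaves implicit: that the leaf chains to the CA, that the wildcard lives in the SAN rather than only the CN, that the leaf is not itself a CA, and that a hostname check behaves the way a TLS client's would (one label matched, two labels rejected). A second helper reports the PEM header the private key was written with, which is the quickest way to tell whether you got the “new” format this Troubleshooting section warns about. Assumptions: openssl is on PATH, 2048-bit keys are used to keep the run short (the post uses 4096), and the extension file is written to disk instead of using bash process substitution so the script runs under plain sh.

```shell
#!/bin/sh
# Added example, not from the original post. Builds and checks the lab chain.
# Assumptions: openssl on PATH; 2048-bit keys for speed; *.lab.asio as in the post.

# Usage: build_and_verify_lab_chain <workdir>
# Prints one line per check; returns 0 only if every check passes.
build_and_verify_lab_chain() {
    dir="$1"
    mkdir -p "$dir" || return 1

    # 1. Self-signed root CA (same subject as the post, shorter key)
    openssl genrsa -out "$dir/lab_ca.key.pem" 2048 2>/dev/null || return 1
    openssl req -x509 -new -nodes -key "$dir/lab_ca.key.pem" -sha256 -days 3650 \
        -out "$dir/lab_ca.crt.pem" \
        -subj '/CN=Lab Root CA/C=AU/ST=NSW/L=Sydney/O=RESEARCH' 2>/dev/null || return 1

    # 2. Wildcard key + CSR
    openssl req -new -nodes -newkey rsa:2048 \
        -keyout "$dir/lab_wildcard.key.pem" -out "$dir/lab_wildcard.csr.pem" \
        -subj '/CN=*.lab.asio/C=AU/ST=NSW/L=Sydney/O=RESEARCH' 2>/dev/null || return 1

    # 3. Sign with the v3 extensions from the post (file instead of <(...))
    cat > "$dir/v3.ext" <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.lab.asio
EOF
    openssl x509 -req -in "$dir/lab_wildcard.csr.pem" \
        -CA "$dir/lab_ca.crt.pem" -CAkey "$dir/lab_ca.key.pem" -CAcreateserial \
        -out "$dir/lab_wildcard.crt.pem" -days 3650 -sha256 \
        -extfile "$dir/v3.ext" 2>/dev/null || return 1

    # Check A: the leaf chains to the CA, which is what every client will test
    openssl verify -CAfile "$dir/lab_ca.crt.pem" "$dir/lab_wildcard.crt.pem" \
        >/dev/null 2>&1 || { echo "FAIL: leaf does not verify against lab CA"; return 1; }
    echo "ok: leaf verifies against lab CA"

    # Check B: the wildcard is in the SAN, not only in the CN (RFC 9525)
    openssl x509 -in "$dir/lab_wildcard.crt.pem" -noout -text \
        | grep -q 'DNS:\*\.lab\.asio' \
        || { echo "FAIL: subjectAltName missing *.lab.asio"; return 1; }
    echo "ok: subjectAltName carries *.lab.asio"

    # Check C: the leaf cannot be used to mint further certificates
    openssl x509 -in "$dir/lab_wildcard.crt.pem" -noout -text \
        | grep -q 'CA:FALSE' \
        || { echo "FAIL: leaf lacks basicConstraints CA:FALSE"; return 1; }
    echo "ok: leaf has basicConstraints CA:FALSE"

    # Check D: hostname matching as a TLS client evaluates it. A wildcard
    # covers exactly one label, so kafka.lab.asio matches and a.b.lab.asio must not.
    openssl verify -CAfile "$dir/lab_ca.crt.pem" -verify_hostname kafka.lab.asio \
        "$dir/lab_wildcard.crt.pem" >/dev/null 2>&1 \
        || { echo "FAIL: kafka.lab.asio not matched by wildcard"; return 1; }
    echo "ok: kafka.lab.asio matches the wildcard"
    if openssl verify -CAfile "$dir/lab_ca.crt.pem" -verify_hostname a.b.lab.asio \
        "$dir/lab_wildcard.crt.pem" >/dev/null 2>&1; then
        echo "FAIL: a.b.lab.asio wrongly matched by single-label wildcard"; return 1
    fi
    echo "ok: a.b.lab.asio correctly rejected"
    return 0
}

# Report the PEM header of a private key file, e.g. "BEGIN PRIVATE KEY" (the
# "new" format) or "BEGIN RSA PRIVATE KEY" (the old / --traditional format).
key_format() {
    head -n 1 "$1" | sed 's/^-*//; s/-*$//'
}
```

Run it with `build_and_verify_lab_chain /tmp/labca` after sourcing the file, then `key_format /tmp/labca/lab_wildcard.key.pem` tells you whether you need the ssh-keygen conversion above before handing the key to an older tool.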

MDS keypair for Confluent Platform (nothing to do with this CA)

Bonus for those working with Confluent Platform and cp-ansible:

# has to be in the old format
openssl genrsa --traditional -out mds_creds/mdsTokenKeyPair.pem 2048
openssl rsa -in mds_creds/mdsTokenKeyPair.pem -outform PEM -pubout -out mds_creds/mdsPublicKey.pem
