Last active
October 16, 2020 05:12
Revisions
patrickcrocker revised this gist
Mar 6, 2018 · 1 changed file with 3 additions and 2 deletions.
@@ -55,10 +55,11 @@ subjectAltName = @alt_names [alt_names] DNS.1 = *.stratus.pcfdemo.com DNS.2 = *.cfapps.stratus.pcfdemo.com DNS.3 = *.sys.stratus.pcfdemo.com DNS.4 = *.login.system.stratus.pcfdemo.com DNS.5 = *.uaa.system.stratus.pcfdemo.com DNS.6 = *.pks.stratus.pcfdemo.com ``` ### Create the Server Private Key
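Review bot: in the `[alt_names]` hunk the system-domain entries no longer agree with each other: `DNS.3 = *.sys.stratus.pcfdemo.com` uses `sys`, while `DNS.4 = *.login.system.stratus.pcfdemo.com` and `DNS.5 = *.uaa.system.stratus.pcfdemo.com` still hang off `system`. If the system domain moved to `sys.stratus.pcfdemo.com`, the login and uaa entries should move with it, otherwise clients reaching the login or uaa hosts under the new domain get a hostname mismatch. `DNS.1 = *.stratus.pcfdemo.com` does not rescue this, because a wildcard matches exactly one label, so the deeper entries are still needed. With six wildcards on one key, a compromise of `server-key.pem` also exposes every name listed; it is worth stating whether the PKS name in `DNS.6` really needs to share a certificate with the apps and system domains.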
patrickcrocker revised this gist
Jan 10, 2018 · 1 changed file with 0 additions and 3 deletions.
@@ -59,9 +59,6 @@ DNS.2 = *.apps.stratus.pcfdemo.com DNS.3 = *.system.stratus.pcfdemo.com DNS.4 = *.login.system.stratus.pcfdemo.com DNS.5 = *.uaa.system.stratus.pcfdemo.com ``` ### Create the Server Private Key
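Review bot: this hunk removes three lines directly after `DNS.5 = *.uaa.system.stratus.pcfdemo.com` (the deleted lines are not rendered here, but by position they are the `DNS.6`, `DNS.7` and `DNS.8` dev/test/prod wildcards added in the Oct 4, 2016 revision), yet nothing in the revision says that `server-csr.pem` and `server-cert.pem` were regenerated. Editing `openssl-san.cnf` by itself narrows nothing: a certificate already signed from the old config keeps covering the removed names until it expires (`-days 500`) or is replaced, so add a sentence under the `[alt_names]` block stating that the CSR must be rebuilt and the certificate re-signed after any change to the SAN list.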
patrickcrocker revised this gist
Oct 4, 2016 · 1 changed file with 9 additions and 14 deletions.
@@ -54,10 +54,14 @@ keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectAltName = @alt_names [alt_names] DNS.1 = *.stratus.pcfdemo.com DNS.2 = *.apps.stratus.pcfdemo.com DNS.3 = *.system.stratus.pcfdemo.com DNS.4 = *.login.system.stratus.pcfdemo.com DNS.5 = *.uaa.system.stratus.pcfdemo.com DNS.6 = *.dev.stratus.pcfdemo.com DNS.7 = *.test.stratus.pcfdemo.com DNS.8 = *.prod.stratus.pcfdemo.com ``` ### Create the Server Private Key @@ -73,7 +77,7 @@ $ openssl req -sha256 -new \ -key server-key.pem \ -out server-csr.pem \ -config openssl-san.cnf \ -subj "/C=US/ST=California/L=Palo Alto/O=Pivotal Software, Inc./OU=Pivotal Demos/CN=*.stratus.pcfdemo.com/emailAddress=pcrocker@pivotal.io" ``` ### Verify multiple SANs in your CSR @@ -101,12 +105,3 @@ $ openssl x509 -req \ ``` $ openssl x509 -text -in server-cert.pem ```
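Review bot: the first hunk (`@@ -54,10 +54,14 @@`) puts `DNS.6 = *.dev.stratus.pcfdemo.com`, `DNS.7 = *.test.stratus.pcfdemo.com` and `DNS.8 = *.prod.stratus.pcfdemo.com` on the same certificate, and therefore the same `server-key.pem`, as the apps and system domains. That means a key exposed from a dev or test host is a valid certificate for prod. Unless the three environments really terminate TLS on one box, keep one `openssl-san.cnf` and one key per environment, or at least note in the doc why they are deliberately combined.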
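Review bot: the third hunk (`@@ -101,12 +105,3 @@`) removes the "Upload server certificate to AWS" section, but the Docs list at the top of the file still leads with the AWS ElasticLoadBalancing `ssl-server-cert.html` link, and the surviving text gives no replacement step for where `server-cert.pem` and `server-key.pem` now go. Either drop the AWS link from the Docs list or add a short sentence after `$ openssl x509 -text -in server-cert.pem` saying how the signed certificate is installed.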
patrickcrocker created this gist
Mar 23, 2016
@@ -0,0 +1,112 @@ ## Create Root CA and Server Certificate Docs: * http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/ssl-server-cert.html * http://wiki.cacert.org/FAQ/subjectAltName * http://apetec.com/support/GenerateSAN-CSR.htm * http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/ ## Create the Root Certificate (Done Once) ### Create the Root Private Key ``` $ openssl genrsa -out root-key.pem 2048 ``` ### Create the Root Certificate Authority ``` $ openssl req -x509 -new -nodes \ -key root-key.pem \ -sha256 -days 1024 \ -out root-ca.pem \ -subj "/C=US/ST=California/L=Palo Alto/O=Pivotal Software, Inc./OU=Pivotal Demos/CN=Pivotal Demos Root CA/emailAddress=pcrocker@pivotal.io" ``` ### Verify the Root Certificate Authority ``` $ openssl x509 -text -in root-ca.pem ``` ## Create Server Certificate (Once Per PCF Installation) ### Copy your default openssl.cnf file to a temporary openssl-san.cnf file ``` $ cp /usr/local/etc/openssl/openssl.cnf openssl-san.cnf ``` ### Edit the openssl-san.cnf file to add additional required parameters: ``` [ req ] req_extensions = v3_req # The extensions to add to a certificate request [ v3_req ] # Extensions to add to a certificate request basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectAltName = @alt_names [alt_names] DNS.1 = *.apps.anvil.pcfdemo.com DNS.2 = *.system.anvil.pcfdemo.com DNS.3 = *.login.system.anvil.pcfdemo.com DNS.4 = *.uaa.system.anvil.pcfdemo.com ``` ### Create the Server Private Key ``` $ openssl genrsa -out server-key.pem 2048 ``` ### Create Server Certificate Signing Request ``` $ openssl req -sha256 -new \ -key server-key.pem \ -out server-csr.pem \ -config openssl-san.cnf \ -subj "/C=US/ST=California/L=Palo Alto/O=Pivotal Software, Inc./OU=Pivotal Demos/CN=*.apps.anvil.pcfdemo.com/emailAddress=pcrocker@pivotal.io" ``` ### Verify multiple SANs in your CSR ``` $ openssl req -text -noout -in server-csr.pem ``` ### 
Create Server Certificate Signed by the Root CA ``` $ openssl x509 -req \ -in server-csr.pem \ -CA root-ca.pem \ -CAkey root-key.pem \ -CAcreateserial \ -out server-cert.pem \ -days 500 -sha256 \ -extensions v3_req \ -extfile openssl-san.cnf ``` ### Verify multiple SANs in your Certificate ``` $ openssl x509 -text -in server-cert.pem ``` ### Upload server certificate to AWS ``` $ aws iam upload-server-certificate \ --server-certificate-name apps.anvil.pcfdemo.com \ --certificate-body file://server-cert.pem \ --private-key file://server-key.pem ```
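Review bot: in "Create the Root Private Key", `openssl genrsa -out root-key.pem 2048` writes the root CA key to disk with no passphrase, and the following `openssl req -x509 -new -nodes` line keeps it that way; since this one key signs every server certificate for the whole 1024-day lifetime of `root-ca.pem`, generate it encrypted (for example `openssl genrsa -aes256 -out root-key.pem 2048`, after which `req` and `x509 -req` will prompt for the passphrase) or keep the root key on a host that never does day-to-day CSR work. Three smaller points in the same hunk: `[ v3_req ]` sets `keyUsage = nonRepudiation, digitalSignature, keyEncipherment` but no `extendedKeyUsage = serverAuth`, which is the usual marking for a TLS server leaf; the two verify commands `openssl x509 -text -in root-ca.pem` and `openssl x509 -text -in server-cert.pem` lack the `-noout` that the CSR check uses, so they also dump the PEM body under the decoded text; and `aws iam upload-server-certificate ... --private-key file://server-key.pem` copies the server key into IAM, so the doc should say explicitly that only `server-key.pem` is uploaded and `root-key.pem` never leaves the CA host.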