Generating SSL Certificates

8.3 Generating SSL Certificates

This section should only be followed if you want to configure your ingress for SSL.

For production environments it is recommended to use a commercially available certificate, traceable to a trusted Certificate Authority. For sandbox environments, you can generate your own self-signed certificates.

Using a Third Party CA for Generating Certificates

If you are configuring the ingress controller to use SSL, you must use a wildcard certificate to prevent issues with the Common Name (CN) in the certificate. A wildcard certificate is a certificate that protects the primary domain and it's sub-domains. It uses a wildcard character (*) in the CN, for example *.yourdomain.com.

How you generate the key and certificate signing request for a wildcard certificate will depend on your Certificate Authority. Contact your Certificate Authority vendor for details.

In order to configure the ingress controller for SSL you require the following files:

The private key for your certificate, for example oig.key.
The certificate, for example oig.crt in PEM format.
The trusted certificate authority (CA) certificate, for example rootca.crt in PEM format.
If there are multiple trusted CA certificates in the chain, you need all the certificates in the chain, for example rootca1.crt, rootca2.crt etc.

Once you have received the files, perform the following steps:

On the administrative host, create a $WORKDIR>/ssl directory and navigate to the folder:
```
mkdir $WORKDIR>/ssl
```
```
cd $WORKDIR>/ssl
```
Copy the files listed above to the $WORKDIR>/ssl directory.
If your CA has multiple certificates in a chain, create a bundle.pem that contains all the CA certificates:
```
cat rootca.pem rootca1.pem rootca2.pem >>bundle.pem
```

Using Self-Signed Certificates

On the administrative host, create a $WORKDIR>/ssl directory and navigate to the folder:
```
mkdir $WORKDIR/ssl
```
```
cd $WORKDIR/ssl
```

Run the following command to create the self-signed certificate:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout oig.key -out oig.crt -subj "/CN=<hostname>"

For example:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout oig.key -out oig.crt -subj "/CN=oig.example.com"

The output will look similar to the following:

Generating a 2048 bit RSA private key
..........................................+++
.......................................................................................................+++
writing new private key to 'oig.key'
-----

Creating a Kubernetes Secret for SSL

Run the following command to create a Kubernetes secret for SSL:

kubectl -n mynginxns create secret tls <domain_uid>-tls-cert --key $WORKDIR/ssl/oig.key --cert $WORKDIR/ssl/oig.crt

Note:

If you have multiple CA certificates in the chain use --cert <workdir>/bundle.crt.

For example:

kubectl -n mynginxns create secret tls governancedomain-tls-cert --key /OIGK8S/ssl/oig.key --cert /OIGK8S/ssl/oig.crt

The output will look similar to the following:

secret/governancedomain-tls-cert created