Antony: first draft

2021-11-09T18:33:25Z

first draft

New page

This needs formatting

ssh into the demo server deploy node as root

cd dt-certs

in this folder there are lots of certs and the key files which are the CA the most important ones are

define-technology.com_CA.key - PRIVATE KEY DO NOT EXPOSE
ca_passphrase - PRIVATE KEY passphrase DO NOT EXPOSE
define-technology.com_CA.pem - public cert this is on our website to allow us to curl it to make adding it to customer machines trivial

step one make a private key for your new https cert (
this should be done on the machine you are wanting to install the cert on, in this instance this is actually the demo server deploy node so I'm following my own rules for once)

the filename is the hostname here but it DOES NOT MATTER it could be banana

openssl genrsa -out deploy.mgmt.dt.internal.key 4096

you now have a keyfile with no passphrase (you can add one if you like but if you do you will probably end up embedding it in plaintext ins a config file at some point... and not everything supports it so if you want this RTFM)

step 2 make a Certificate Signing Request file

In this step we take the private key created in the previous step and set the subject of the key in which the CommonName (CN) should be the primary hostname of the server in this case I am using deploy.mgmt.dt.internal

openssl req -new -key deploy.mgmt.dt.internal.key -out deploy.mgmt.dt.internal.csr -subj "/C=UK/ST=London/O=Define Technology/CN=deploy.mgmt.dt.internal"

deploy.mgmt.dt.internal.key is the keyfile from step one
deploy.mgmt.dt.internal.csr is the csr file we are creating
"/C=UK/ST=London/O=Define Technology/CN=deploy.mgmt.dt.internal" is the subject C= country, ST=State O=Organistaion, CN= CommonName if you wanted to customise it for a customer feel free. /C=US,ST=WA,O=PNNL,CN=deploy.hanford-legacy.internal" is valid too

Step 3

email the csr file to yourself, upluad it via ftp or share it on your website it's got no private data in it we just need to get it to the node with the CA key

here it is in the right place already and this is where we add any extra hostname as subjectaltnames. It is best to include the one you want as some webapps like zabbix expect it.

openssl x509 -req -in deploy.mgmt.dt.internal.csr -CA define-technology.com_CA.pem -CAkey define-technology.com_CA.key -passin file:ca_passphrase -CAcreateserial -out deploy.mgmt.dt.internal.crt -days 365 -sha256 -extfile <(printf 'subjectAltName=DNS:cephmgr.mgmt.dt.internal,DNS:localhost,IP:10.10.13.1,IP:10.10.12.13,IP:10.10.12.14,IP:10.10.13.13,IP:10.10.13.14')
Signature ok
subject=C = UK, ST = London, O = Define Technology, CN = deploy.mgmt.dt.internal
Getting CA Private Key

add explanation here later

This makes the .crt file, this is useless without the key which is still on the customers system so you can send it via pastebin for a laugh

here it's on my system I want to add it to ceph-mgr so I do this:

cephadm shell --mount /root/dt-certs -- ceph dashboard set-ssl-certificate -i /mnt/dt-certs/deploy.mgmt.dt.internal.crt
cephadm shell --mount /root/dt-certs -- ceph dashboard set-ssl-certificate-key -i /mnt/dt-certs/deploy.mgmt.dt.internal.key

to put the cert an key in the right place in the container

and then

cephadm shell --mount /root/dt-certs -- ceph mgr module disable dashboard
cephadm shell --mount /root/dt-certs -- ceph mgr module enable dashboard

Linux: Using the Define-Technology.com CA - Revision history

Antony: first draft