Create Certificates Locally using openssl¶
You can use openssl to locally create certificates suitable for use in a lab environment.
Note
Ensure the certificates have RSA key length >= 2048 bits. The
StarlingX Release r9.0 provides a new version of openssl
which
requires a minimum of 2048-bit keys for RSA for better security / encryption
strength.
You can check the key length by running openssl x509 -in <the certificate file> -noout -text
and looking for the “Public-Key” in the output.
Procedure
Create a Root CA Certificate and Key
Create the Root CA private key.
$ openssl genrsa -out my-root-ca-key.pem 2048
Generate the Root CA x509 certificate.
$ openssl req -x509 -new -nodes -key my-root-ca-key.pem \ -days 1024 -out my-root-ca-cert.pem -outform PEM
Create and Sign a Server Certificate and Key.
Create the Server private key.
$ openssl genrsa -out my-server-key.pem 2048
Create the Server certificate signing request (csr).
Specify “CN=registry.local” and do not specify a challenge password.
$ openssl req -new -key my-server-key.pem -out my-server.csr
Create the SANs list.
$ echo subjectAltName = IP:<WRCP-OAM-Floating-IP>,IP:<WRCP-MGMT-Floating-IP>,DNS:registry.local,DNS:registry.central > extfile.cnf
Use the my-root-ca to sign the server certificate.
$ openssl x509 -req -in my-server.csr -CA my-root-ca-cert.pem \ -CAkey my-root-ca-key.pem -CAcreateserial -out my-server-cert.pem \ -days 365 -extfile extfile.cnf
Put the server certificate and key into a single file.
$ cat my-server-cert.pem my-server-key.pem > my-server.pem