João Freitas

The following is a guide on how to generate a self-signed TLS certificate configured with IP SAN field using OpenSSL.

I am working on setting up a Kubernetes cluster using Rancher on a set of VirtualBox VMs managed by Vagrant to run applications in Docker containers. Woah — that’s a mouthful! While this is one somewhat complicated case, there are lots of other reasons you may want to create a self-signed certificate.

Obviously, you never want to run with a self-signed cert in production, but you can use them to run and test Apache web servers, Nginx, Express.js servers, and many more.

So how do I create a self signed certificate for an IP Address?

  1. Create a certificate request configuration file that uses a Subject Alternate Name.
  2. Use OpenSSL req command to gerenate the certificate.
  3. Verify the certificate content
  4. Install the certificate to your server (Apache, Express, private Docker registry, etc…)

One of the fun things I need to do for my current project is to set up the private Docker registry on one VM node that all the other VM nodes can pull images from. I am setting up a test environment, so I could configure it as an insecure Docker registry, however, since I will need to set up the registry in production with a real cert at some point, I decided to get the registry working using a self-signed cert instead. To do this we will use openssl.

There are other methods to achiveve this; this is only one method. To get the self signed cert to work with just an IP (not a domain name), we will specify a subject alternative name (SAN) for the IP.

  1. Create a request configuration file as follows (this is just a plain text file — and you can name it whatever you like):
    default_bits = 4096
    default_md = sha256
    distinguished_name = req_distinguished_name
    x509_extensions = v3_req
    prompt = no
    C = US
    ST = VA
    L = SomeCity
    O = MyCompany
    OU = MyDivision
    CN =
    keyUsage = keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names
    IP.1 =

The two key things you need to be concerned about are the CN field and the alt_names section at the bottom.

The CN field needs to be the IP address of the server, in my case the VM running the private Docker registry. The alt_names section must have an entry with the IP address.

  1. Generate the certificate and private key using the config file you created above:
    openssl req -new -nodes -x509 -days 365 -keyout domain.key -out domain.crt -config <path/to/req/file/from/above>
  1. Verify the certificate has an IP SAN by running the following command:
    openssl x509 -in domain.crt -noout -text

This will output the contents of the cert for you to inspect. While there is a lot there, you are looking for a couple lines like this:

    X509v3 Subject Alternative Name:
    IP Address:

Now you can install the self-signed cert into the application/server you are trying to run. For me, this is the Docker registry, but could be an Apache web server, a Node Express.js server, etc.

#reads #ezra bowman #openssl #certificate authority