The following is a guide on how to generate a self-signed TLS certificate configured with IP SAN field using OpenSSL.
I am working on setting up a Kubernetes cluster using Rancher on a set of VirtualBox VMs managed by Vagrant to run applications in Docker containers. Woah — that’s a mouthful! While this is one somewhat complicated case, there are lots of other reasons you may want to create a self-signed certificate.
Obviously, you never want to run with a self-signed cert in production, but you can use them to run and test Apache web servers, Nginx, Express.js servers, and many more.
So how do I create a self signed certificate for an IP Address?
- Create a certificate request configuration file that uses a Subject Alternate Name.
- Use OpenSSL
reqcommand to gerenate the certificate.
- Verify the certificate content
- Install the certificate to your server (Apache, Express, private Docker registry, etc…)
One of the fun things I need to do for my current project is to set up the private Docker registry on one VM node that all the other VM nodes can pull images from. I am setting up a test environment, so I could configure it as an insecure Docker registry, however, since I will need to set up the registry in production with a real cert at some point, I decided to get the registry working using a self-signed cert instead. To do this we will use openssl.
There are other methods to achiveve this; this is only one method. To get the self signed cert to work with just an IP (not a domain name), we will specify a subject alternative name (SAN) for the IP.
- Create a request configuration file as follows (this is just a plain text file — and you can name it whatever you like):
default_bits = 4096
default_md = sha256
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
C = US
ST = VA
L = SomeCity
O = MyCompany
OU = MyDivision
CN = 192.168.13.10
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
IP.1 = 192.168.13.10
The two key things you need to be concerned about are the CN field and the alt_names section at the bottom.
The CN field needs to be the IP address of the server, in my case the VM running the private Docker registry. The alt_names section must have an entry with the IP address.
- Generate the certificate and private key using the config file you created above:
openssl req -new -nodes -x509 -days 365 -keyout domain.key -out domain.crt -config <path/to/req/file/from/above>
- Verify the certificate has an IP SAN by running the following command:
openssl x509 -in domain.crt -noout -text
This will output the contents of the cert for you to inspect. While there is a lot there, you are looking for a couple lines like this:
X509v3 Subject Alternative Name:
Now you can install the self-signed cert into the application/server you are trying to run. For me, this is the Docker registry, but could be an Apache web server, a Node Express.js server, etc.
#reads #ezra bowman #openssl #certificate authority