@jgreat
Last active June 26, 2018 15:47
Create a self signed cert.

CA

First we need to generate a CA for signing the website certs.

Generate CA Private Key

openssl genrsa -out ca.key 2048

Generate and Sign the CA Cert.

openssl req -x509 -new -nodes -key ca.key -sha256 -days 1024 -out cacerts.pem

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Tennessee
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyOrg
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:MyOrg CA
Email Address []:

Client Cert

Now that we have a CA cert and key, we will generate a cert for the hostname rancher.my.org.

Generate Client Key

openssl genrsa -out tls.key 2048

Generate a Certificate Request

The only field that is actually important is the Common Name; it must be set to the domain name you are using.

openssl req -new -key tls.key -out tls.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Tennessee
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyOrg
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:rancher.my.org
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Sign the Cert Request

openssl x509 -req -in tls.csr -CA cacerts.pem -CAkey ca.key -CAcreateserial -out tls.crt -days 500 -sha256

Populate cluster.yaml

You should now have all the cert files that you need to launch Rancher. Encode the contents with base64 and copy/paste them into the rke cluster.yaml.

  • base64 -w0 tls.key
  • base64 -w0 tls.crt
  • base64 -w0 cacerts.pem
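As an added example (not part of the gist), the four steps above as one non-interactive script: it passes the DN with -subj instead of answering the prompts, adds a subjectAltName for the hostname since modern browsers ignore the CN when checking the hostname, and verifies that tls.crt chains to cacerts.pem and matches tls.key before encoding the files for cluster.yaml. The output directory, the helper names and the tls.ext extension file are assumptions.

```shell
#!/bin/sh
# Added example, not the gist's own commands. Assumes openssl and base64 are on PATH.
set -eu

# Generate CA + server cert for "$host" into "$dir" (same steps as the gist).
make_certs() {
  dir="$1"; host="$2"
  mkdir -p "$dir"
  # 1. CA key and self-signed CA cert; -subj replaces the interactive DN prompts.
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$dir/ca.key" -sha256 -days 1024 \
    -subj "/C=US/ST=Tennessee/O=MyOrg/CN=MyOrg CA" -out "$dir/cacerts.pem"
  # 2. Server key and CSR; the CN is the hostname, as the gist says.
  openssl genrsa -out "$dir/tls.key" 2048 2>/dev/null
  openssl req -new -key "$dir/tls.key" \
    -subj "/C=US/ST=Tennessee/O=MyOrg/CN=$host" -out "$dir/tls.csr"
  # 3. Sign with the CA. tls.ext (assumed name) adds a SAN for the hostname and
  #    marks the result as a non-CA server certificate.
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
    "$host" > "$dir/tls.ext"
  openssl x509 -req -in "$dir/tls.csr" -CA "$dir/cacerts.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -out "$dir/tls.crt" -days 500 -sha256 -extfile "$dir/tls.ext" 2>/dev/null
}

# Checks a practitioner wants before loading the files: the cert chains to the CA,
# carries the expected SAN, and its public key is the one in tls.key.
verify_cert() {
  dir="$1"; host="$2"
  openssl verify -CAfile "$dir/cacerts.pem" "$dir/tls.crt" >/dev/null || return 1
  openssl x509 -in "$dir/tls.crt" -noout -text | grep -q "DNS:$host" || return 1
  [ "$(openssl x509 -in "$dir/tls.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$dir/tls.key" -pubout)" ] || return 1
}

# 4. Single-line base64 for cluster.yaml (portable form of `base64 -w0`).
encode_for_cluster_yaml() {
  dir="$1"
  for f in tls.key tls.crt cacerts.pem; do
    printf '%s: %s\n' "$f" "$(base64 < "$dir/$f" | tr -d '\n')"
  done
}

# Stand-alone usage: sh make-rancher-certs.sh ./certs rancher.my.org
if [ $# -eq 2 ]; then
  make_certs "$1" "$2"
  verify_cert "$1" "$2"
  encode_for_cluster_yaml "$1"
fi
```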