
Self Sign Certificates

Note

Chef Automate 4.10.1, released on 6th September 2023, includes improvements to the deployment and installation experience of Automate HA. Please read the blog to learn more about the key improvements. Refer to the prerequisites page (On-Premises, AWS) and plan your usage with your customer success manager or account manager.

What are Certificates?

A security certificate (an X.509 certificate) is a small data file that binds a public key to an identity, such as a host name, and carries the signature of the issuer that vouches for that binding. A client uses it to verify the identity and authenticity of a website or web application and to set up an encrypted connection with it.

To limit the damage a leaked or compromised private key can do, rotate the certificates periodically.

What are Self Signed Certificates?

A self-signed certificate is a digital certificate that is not signed by a publicly trusted certificate authority (CA). It is created, issued, and signed by the company or developer responsible for the website or software, so no third party has validated the identity it asserts; clients trust it only if the certificate (or the private CA that issued it) is explicitly installed in their trust store. Self-signed certificates are used in low-risk internal networks or during the software development phase. Unlike CA-issued certificates, they cannot be revoked through CRL or OCSP: the only way to withdraw one is to remove it from every trust store and replace it.

Certificate Creation

You can create the key and certificate pairs with the OpenSSL utility, a command-line tool for creating and managing X.509 certificates, keys, and related files. The script below first creates a private root CA and then uses it to sign the admin, node, and client certificates; the root certificate is the only one that is literally self-signed, and it is the file the nodes must trust.

Prerequisites

  • Install the OpenSSL utility (version 1.1.1 or later; the script uses the -addext option).

Creating a Certificate

  1. Log in to your bastion host and make a new directory, for example mkdir rotate-certs (the directory name can be anything).

  2. Run cd rotate-certs and then execute the script below.

    #!/bin/bash
    # Creates a private root CA and uses it to sign the admin, node, and client
    # certificates. Run it from the empty working directory (rotate-certs).
    set -e

    # Extension files. The DNS entry in each subjectAltName must match the CN
    # used in the matching -subj below.
    echo extendedKeyUsage = clientAuth, serverAuth > server_cert_ext.cnf
    echo subjectAltName = DNS:chefadmin >> server_cert_ext.cnf
    echo extendedKeyUsage = clientAuth, serverAuth > node_cert_ext.cnf
    echo subjectAltName = DNS:chefnode >> node_cert_ext.cnf
    echo extendedKeyUsage = clientAuth, serverAuth > client_cert_ext.cnf
    echo subjectAltName = DNS:chefclient >> client_cert_ext.cnf

    # Root CA (-addext requires OpenSSL 1.1.1 or later). root-ca-key.pem signs
    # every other certificate: keep it out of the files you copy to the nodes.
    openssl genrsa -out root-ca-key.pem 2048
    openssl req -new -x509 -sha256 -key root-ca-key.pem -subj "/C=US/ST=Washington/L=Seattle/O=Chef Software Inc/CN=progress" -out root-ca.pem -days 1095 -addext basicConstraints=CA:TRUE

    # Admin cert. The pkcs8 step rewrites the key in unencrypted PKCS#8 form
    # (-nocrypt), the format the nodes consume, so protect this directory.
    openssl genrsa -out admin-key-temp.pem 2048
    openssl pkcs8 -inform PEM -outform PEM -in admin-key-temp.pem -topk8 -nocrypt -out admin-key.pem
    openssl req -new -key admin-key.pem -subj "/C=US/ST=Washington/L=Seattle/O=Chef Software Inc/CN=chefadmin" -out admin.csr
    openssl x509 -req -in admin.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out admin.pem -days 1095 -extfile server_cert_ext.cnf

    # Node cert 1 (all node certificates share CN=chefnode)
    openssl genrsa -out node1-key-temp.pem 2048
    openssl pkcs8 -inform PEM -outform PEM -in node1-key-temp.pem -topk8 -nocrypt -out node1-key.pem
    openssl req -new -key node1-key.pem -subj "/C=US/ST=Washington/L=Seattle/O=Chef Software Inc/CN=chefnode" -out node1.csr
    openssl x509 -req -in node1.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out node1.pem -days 1095 -extfile node_cert_ext.cnf

    # Node cert 2
    openssl genrsa -out node2-key-temp.pem 2048
    openssl pkcs8 -inform PEM -outform PEM -in node2-key-temp.pem -topk8 -nocrypt -out node2-key.pem
    openssl req -new -key node2-key.pem -subj "/C=US/ST=Washington/L=Seattle/O=Chef Software Inc/CN=chefnode" -out node2.csr
    openssl x509 -req -in node2.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out node2.pem -days 1095 -extfile node_cert_ext.cnf

    # Client cert
    openssl genrsa -out client-key-temp.pem 2048
    openssl pkcs8 -inform PEM -outform PEM -in client-key-temp.pem -topk8 -nocrypt -out client-key.pem
    openssl req -new -key client-key.pem -subj "/C=US/ST=Washington/L=Seattle/O=Chef Software Inc/CN=chefclient" -out client.csr
    openssl x509 -req -in client.csr -CA root-ca.pem -CAkey root-ca-key.pem -CAcreateserial -sha256 -out client.pem -days 1095 -extfile client_cert_ext.cnf

    # The *-key-temp.pem files are the same keys in PKCS#1 form; remove them once
    # the PKCS#8 versions exist.
    rm -f admin-key-temp.pem node1-key-temp.pem node2-key-temp.pem client-key-temp.pem
    
  3. The script writes the root CA certificate and key and the admin, node, and client key and certificate pairs to the newly created directory, rotate-certs in this case.

Note

  • To create a self-signed certificate for an FQDN, provide the proper DNS and CN values: the DNS entry in the Subject Alternative Name must match the CN (Common Name), and both must be the name the clients connect to.
  • The CN (Common Name) must be the same for all certificates on the OpenSearch nodes.
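Before copying the new files to the nodes, it is worth checking each certificate the way a node will: that it chains to root-ca.pem, that the private key belongs to it, that the CN and the SAN DNS entry agree as the notes above require, and that it is not about to expire. The script below is an added example for that check; it is not part of the Chef Automate or OpenSearch documentation. It assumes OpenSSL 1.1.1 or later on the bastion host and uses the file names the rotation script writes (root-ca.pem, node1.pem, node1-key.pem). The make_demo_pki helper builds a throwaway CA and node certificate in a temporary directory (with the PKCS#8 step omitted, since verify_cert accepts either key format) so the check can be exercised without touching the real rotate-certs directory.

```shell
#!/bin/bash
# Added example (not from the Chef Automate or OpenSearch docs): check a
# certificate produced by the rotation script before installing it on a node.
# Assumes OpenSSL 1.1.1 or later; file names follow the rotation script.
set -eu

# verify_cert CERT KEY CA EXPECTED_NAME
# Returns 0 only when all of these hold:
#   1. CERT chains to CA (the root-ca.pem that is distributed to the nodes)
#   2. KEY is the private key for CERT (identical public keys)
#   3. the CN equals EXPECTED_NAME and EXPECTED_NAME is a DNS entry in the SAN
#   4. CERT is still valid 30 days from now
verify_cert() {
  local cert=$1 key=$2 ca=$3 expected=$4
  local cert_pub key_pub cn san

  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "$cert: does not chain to $ca" >&2; return 1
  fi

  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "$cert: public key does not match $key" >&2; return 1
  fi

  # RFC 2253 formatting is stable across OpenSSL versions: CN=chefnode,O=...,C=US
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
       | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  if [ "$cn" != "$expected" ]; then
    echo "$cert: CN is '$cn', expected '$expected'" >&2; return 1
  fi
  san=$(openssl x509 -in "$cert" -noout -text | grep -A1 'Subject Alternative Name' || true)
  if ! printf '%s\n' "$san" | grep -qE "DNS:$expected(,|[[:space:]]*$)"; then
    echo "$cert: SAN has no DNS:$expected entry (got: ${san:-none})" >&2; return 1
  fi

  if ! openssl x509 -in "$cert" -noout -checkend $((30 * 86400)) >/dev/null; then
    echo "$cert: expires within 30 days" >&2; return 1
  fi
  echo "$cert: OK (chain, key, CN/SAN=$expected, validity)"
}

# make_demo_pki DIR SAN_NAME: throwaway root CA plus one node certificate
# (CN=chefnode) built like the rotation script, for exercising verify_cert.
# A SAN_NAME other than chefnode reproduces the CN/SAN mismatch the notes warn about.
make_demo_pki() {
  local dir=$1 san_name=$2
  local subj="/C=US/ST=Washington/L=Seattle/O=Chef Software Inc"
  mkdir -p "$dir"
  # Private req config so the result does not depend on the system openssl.cnf
  printf '[req]\ndistinguished_name = dn\nx509_extensions = ca_ext\n[dn]\n[ca_ext]\nbasicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' \
    > "$dir/req.cnf"
  printf 'extendedKeyUsage = clientAuth, serverAuth\nsubjectAltName = DNS:%s\n' "$san_name" \
    > "$dir/node_cert_ext.cnf"

  openssl genrsa -out "$dir/root-ca-key.pem" 2048 2>/dev/null
  openssl req -new -x509 -sha256 -config "$dir/req.cnf" -key "$dir/root-ca-key.pem" \
    -subj "$subj/CN=progress" -out "$dir/root-ca.pem" -days 1095
  openssl genrsa -out "$dir/node1-key.pem" 2048 2>/dev/null
  openssl req -new -config "$dir/req.cnf" -key "$dir/node1-key.pem" \
    -subj "$subj/CN=chefnode" -out "$dir/node1.csr"
  openssl x509 -req -in "$dir/node1.csr" -CA "$dir/root-ca.pem" -CAkey "$dir/root-ca-key.pem" \
    -CAcreateserial -sha256 -days 1095 -extfile "$dir/node_cert_ext.cnf" \
    -out "$dir/node1.pem" 2>/dev/null
}

case "${1:-}" in
  --demo)
    demo_dir=$(mktemp -d)
    make_demo_pki "$demo_dir" chefnode
    verify_cert "$demo_dir/node1.pem" "$demo_dir/node1-key.pem" "$demo_dir/root-ca.pem" chefnode
    ;;
  "") ;;   # no arguments: only define the functions
  *)  verify_cert "$1" "$2" "$3" "$4" ;;   # e.g. check.sh node1.pem node1-key.pem root-ca.pem chefnode
esac
```

From the rotate-certs directory, run the script once per certificate, for example with node1.pem node1-key.pem root-ca.pem chefnode, and again with admin.pem admin-key.pem root-ca.pem chefadmin; a non-zero exit status names the failing check. The SAN check is deliberately stricter than a bare substring match so that DNS:chefnode does not accept a certificate whose only entry is DNS:chefnode2.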

Note

Refer to the OpenSearch certificate documentation.
