TLS Connections and How to Generate Your Own Certificate Authority and Signed Server Certificates
Created by: Barry Mosakowski and Mark Parzygnat
Pre-Reqs: jq, openssl
In today's deployment of applications with microservices, the TLS connection is always a factor. A failed TLS handshake can greatly slow down your development, QA, and production rollouts and the promotion of your environments. As products move further toward microservices and container-based solutions, such as IBM Cloud Paks, this problem only grows in complexity, because the number of components requiring a TLS handshake grows with them.
Quite often you will want to "bring your own certs" to the environment deployment. In some cases this may be for a specific environment as a cost-saving measure, or it may be across all your environments because you use a CA that has earned a high level of trust. Two approaches are generally used: purchasing the certificates from a well-known Certificate Authority (CA), such as Verisign, or creating your own internal Certificate Authority and signing internal requests with it. The code provided does the latter: it creates your own organizational Certificate Authority.
Thus we are here to help, and have developed a tool that mitigates this problem by generating the keys and X.509 certificates needed for TLS. The tool creates a CA and lets you add as many clients and servers as you desire, with the end result being a signed certificate to use in your TLS connection. The cryptographic material generated supports both TLS server authentication and mutual authentication, depending on your implementation. Each client and server keeps its private key, certificate signing request, and public certificate in a folder created specifically for that entity.
The tool provides several options including:
- Clean-up and removal of all generated folders in your directory
- Easy definition of the certs to create via a configuration file
- Adding clients and servers after an initial deployment
The default material generated is based on the cryptographic material needed by the Cloud Pak for Integration when a customer desires to bring their own crypto material. Here is a sample tree of the output.
The tool's name is buildCrypto.sh, and it has a useful help command. We also include a sample JSON configuration file, config.json, to easily identify the client and server certificates you want to create. In addition, there is a second configuration file, myserver.cnf, which openssl needs in order to create the certificates.
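To show what the script does under the hood, here is an added example (not buildCrypto.sh or any code from the repository) that builds a private CA and issues one server certificate signed by it using only openssl. The output directory, the subject names and the server DNS name are constructed assumptions; the leaf extensions live in a cnf file, in the same spirit as the page's myserver.cnf.

```shell
#!/usr/bin/env bash
# Added example (not buildCrypto.sh): create a private CA and issue a server
# certificate signed by it. Directory, names and DNS name are assumptions.
set -eu
make_ca_and_server_cert() {
  local root="${1:-./crypto-demo}"               # assumed output directory
  local server="${2:-myserver.example.internal}" # assumed server DNS name
  mkdir -p "$root/ca" "$root/$server"
  # 1. CA key and self-signed CA cert; CA:TRUE lets verifiers use it as issuer
  cat > "$root/ca/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Example Internal Root CA
O = Example Org
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl genrsa -out "$root/ca/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -sha256 -days 3650 -config "$root/ca/ca.cnf" \
    -key "$root/ca/ca.key" -out "$root/ca/ca.crt"
  # 2. Server key and CSR; like the page's myserver.cnf, the cnf also holds
  #    the leaf extensions (CA:FALSE, serverAuth, the SAN clients match on)
  cat > "$root/$server/server.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $server
O = Example Org
[srv_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$server
EOF
  openssl genrsa -out "$root/$server/server.key" 2048 2>/dev/null
  openssl req -new -sha256 -config "$root/$server/server.cnf" \
    -key "$root/$server/server.key" -out "$root/$server/server.csr"
  # 3. CA signs the CSR; extensions come from -extfile, not from the CSR
  openssl x509 -req -sha256 -days 825 -in "$root/$server/server.csr" \
    -CA "$root/ca/ca.crt" -CAkey "$root/ca/ca.key" -CAcreateserial \
    -extfile "$root/$server/server.cnf" -extensions srv_ext \
    -out "$root/$server/server.crt"
  # 4. Chain check: fails unless server.crt chains to this CA
  openssl verify -CAfile "$root/ca/ca.crt" "$root/$server/server.crt"
}
```

Run `make_ca_and_server_cert ./crypto-demo myserver.example.internal`; a client that trusts only `ca/ca.crt` will accept `server.crt` for that DNS name and reject any certificate not signed by the CA.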
See all the details on how to use the script and get the script for yourself at https://github.com/bmos299/CertificateGenerator
Here is a sample of the options available via the help option.
Note: This is not an officially supported tool, but it’s free to use however you wish.