self-signed certificates
1 has certificate chain
1.1 has certificate chain (with intermediate)
- works for api gateway and alb
- an HTTP endpoint in an API Gateway integration request needs this kind of certificate, and also needs insecureSkipVerification set to true
mkdir myrootca
cd myrootca/
git clone https://github.com/OpenVPN/easy-rsa.git
# create root ca and no password
./easy-rsa/easyrsa3/easyrsa init-pki
./easy-rsa/easyrsa3/easyrsa build-ca nopass
cd ..
mkdir myinterca
cd myinterca/
ln -sf ../myrootca/easy-rsa
# create intermediate ca and no password
./easy-rsa/easyrsa3/easyrsa init-pki
./easy-rsa/easyrsa3/easyrsa build-ca subca nopass
# sign intermediate ca with the root ca
cd ../myrootca/
./easy-rsa/easyrsa3/easyrsa import-req ../myinterca/pki/reqs/ca.req myinterca
./easy-rsa/easyrsa3/easyrsa sign-req ca myinterca
cp -i pki/issued/myinterca.crt ../myinterca/pki/ca.crt
cd ..
mkdir mycert
cd mycert
ln -sf ../myrootca/easy-rsa/
# create certificate req and no password
./easy-rsa/easyrsa3/easyrsa init-pki
./easy-rsa/easyrsa3/easyrsa gen-req mycert nopass
# Common Name --> poc.aws.panlm.xyz
# sign certificate
cd ../myinterca/
./easy-rsa/easyrsa3/easyrsa import-req ../mycert/pki/reqs/mycert.req mycert
./easy-rsa/easyrsa3/easyrsa sign-req server mycert
cp ./pki/issued/mycert.crt ../mycert/
cd ..
cd mycert
openssl x509 -inform PEM -in mycert.crt >mycert.pem
openssl rsa -in ./pki/private/mycert.key >mycert-key.pem
openssl x509 -inform PEM -in ../myinterca/pki/ca.crt >mycert-chain-interca.pem
openssl x509 -inform PEM -in ../myrootca/pki/ca.crt >mycert-chain-root.pem
# first pem is certificate body (ACM "Certificate body")
# second pem is certificate private key (ACM "Certificate private key")
# rest of pems are certificate chain, intermediate first (last one should be root ca)
refer
- https://wavecn.com/content.php?id=334
- https://docs.aws.amazon.com/acm/latest/userguide/import-certificate-format.html
1.2 has certificate chain (root only)
- works for api gateway and alb
- an HTTP endpoint in an API Gateway integration request needs this kind of certificate, and also needs insecureSkipVerification set to true
mkdir mycert
cd mycert
git clone https://github.com/OpenVPN/easy-rsa.git
# create root ca and no password
./easy-rsa/easyrsa3/easyrsa init-pki
./easy-rsa/easyrsa3/easyrsa build-ca nopass
# press Enter at the Common Name prompt to accept the default
# create cert req
openssl genrsa -out my-server.key
openssl req -new -key my-server.key -out my-server.req
# Common Name --> *.aws.panlm.xyz
# display. if you want to modify, check the first link below
openssl req -in my-server.req -noout -subject
# sign cert
./easy-rsa/easyrsa3/easyrsa import-req my-server.req my-server
./easy-rsa/easyrsa3/easyrsa sign-req server my-server
# prompts for the root ca key password if one was set
# answer yes to confirm signing
# convert to pem
openssl x509 -inform PEM -in pki/issued/my-server.crt >my-server.pem
openssl rsa -in my-server.key > my-server-key.pem
openssl x509 -inform PEM -in pki/ca.crt >my-server-chain.pem
# 3 pems for certificate body / certificate private key / certificate chain
refer
- How To Set Up and Configure a Certificate Authority (CA) On Ubuntu 20.04 | DigitalOcean
- https://github.com/OpenVPN/easy-rsa/blob/master/README.quickstart.md
2 no certificate chain
- works for alb, not for api gateway
- create self-signed certificate
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
# ... need to input Common Name at least
openssl rsa -in privateKey.key -check
openssl x509 -in certificate.crt -text -noout
openssl rsa -in privateKey.key -text > private.pem
openssl x509 -inform PEM -in certificate.crt > public.pem
- import certificate (2 pem files) to ACM in your region
- add following to ingress yaml and apply it
- add certificate to local keychain (1 crt file), or just type thisisunsafe on the browser warning page
- access URL
refer
- works for api gateway and alb
- acm-issue-certificates
- aws_signing_helper