2. Create Certificates
Install Cert Manager
All NLX components within an organization communicate with each other using internal TLS certificates. These certificates can be managed automatically with the help of cert-manager.
Install cert-manager on the cluster with:
helm repo add jetstack https://charts.jetstack.io
helm repo update
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.4.0/cert-manager.crds.yaml
helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--version v1.4.0
Create CA Issuer
Now we create a CA Issuer for NLX.
Create private key
Create the private key with:
openssl genrsa -out ca.key 2048
Check if ca.key
is created by running:
ls
Create Certificate
For Linux:
openssl req -x509 -new -nodes -key ca.key -subj "/CN=NLX" -days 3650 -reqexts v3_req -extensions v3_ca -out ca.crt
For macOS (Intel based):
openssl req -x509 -new -nodes -key ca.key -subj "/CN=NLX" -days 3650 -reqexts v3_req -extensions v3_ca -out ca.crt -config /usr/local/etc/openssl@1.1/openssl.cnf
For macOS (arm based, eg. M1):
/opt/homebrew/Cellar/openssl@1.1/1.1.1p/bin/openssl req -x509 -new -nodes -key ca.key -subj "/CN=NLX" -days 3650 -reqexts v3_req -extensions v3_ca -out ca.crt
Check if ca.crt
is created by running:
ls
Create the secret
Let's create the Kubeternetes TLS secret now:
kubectl create secret tls internal-ca \
--cert=ca.crt \
--key=ca.key \
--namespace=nlx
We now install the internal-issuer on the cluster:
kubectl apply -f internal-issuer.yaml
Then see if the internal Issuer is done by running:
kubectl get issuer --namespace nlx
The expected result:
NAME READY AGE
internal True ??
Create the external certificate
Traffic between organizations takes place via an external certificate. For the NLX demo environment, you can easily create a certificate via the init-organization-certs.sh
script. Download this script and place it in your current work directory
For macOS & Linux:
docker run --rm -it -v $(pwd):/workdir -w /workdir --entrypoint /bin/bash cfssl/cfssl:v1.6.4 ./init-organization-certs.sh
For Windows:
docker run --rm -it -v %cd%:/workdir -w /workdir --entrypoint /bin/bash cfssl/cfssl:v1.6.4 ./init-organization-certs.sh
See OpenSSL questions to know what to fill in the OpenSSL questions asked by the script.
OpenSSL questions
Answer the questions accordingly:
- Country Name, enter any value
- State, enter any value
- Locality Name, enter any value
- Organization Name, please enter a URL-friendly value with a maximum length of 100 characters.
A good value could be:
my-organization
. - Organization Unit Name, enter any value
- Common name, this should correspond to the Fully Qualified Domain Name (FQDN) of your Inway,
we will use
my-organization.nl
for this guide. For an Outway this FQDN does not have to be resolvable. It is possible to use the Inway certificate for the Outway and NLX Management. - Email Address, enter any value
- Organization Serial Number (optional), enter a serial number with a maximum length of 20 characters. Also make sure this value is unique for the network in the directory overview as we do not check for uniqueness.
- A challenge password, leave empty
Then create a Kubernetes TLS secret by running:
kubectl create secret tls external-tls \
--cert=certs/org.crt \
--key=certs/org.key \
--namespace=nlx
Your certificate now exists as secret in Kubernetes. We will use this secret when we install NLX management and the NLX inway.
Obtaining your Subject Serial Number
The Subject Serial Number of your certificate, added by the Certificate Portal, is the primary identifier of your organization within NLX.
To obtain your serial number, see the Subject part of the certificate by running:
openssl x509 -in certs/org.crt -text | grep Subject:
Example of the output: Subject: C=nl, ST=zuid-holland, L=gemeente-stijns, O=my-organization, OU=my-organization-unit, CN=an-awesome-organization.nl/serialNumber=01234567890123456789
.
The value after serialNumber=
in the Subject's CN field is the Subject Serial Number. Save this, because it will later be used to access your own APIs when using the Outway.
For details about this, see the organization identification page.