
2. Create Certificates

Install Cert Manager

All NLX components within an organization communicate with each other using internal TLS certificates. These certificates can be managed automatically with the help of cert-manager.

Install cert-manager on the cluster with:

helm repo add jetstack https://charts.jetstack.io
helm repo update

kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.4.0/cert-manager.crds.yaml

helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--version v1.4.0

Create CA Issuer

Now we create a CA Issuer for NLX.

Create private key

Create the private key with:

openssl genrsa -out ca.key 2048

Check that ca.key was created by running:

ls

Create Certificate

For Linux:

openssl req -x509 -new -nodes -key ca.key -subj "/CN=NLX" -days 3650 -reqexts v3_req -extensions v3_ca -out ca.crt

For macOS (Intel based):

openssl req -x509 -new -nodes -key ca.key -subj "/CN=NLX" -days 3650 -reqexts v3_req -extensions v3_ca -out ca.crt -config /usr/local/etc/openssl@1.1/openssl.cnf

For macOS (ARM based, e.g. M1):

/opt/homebrew/Cellar/openssl@1.1/1.1.1p/bin/openssl req -x509 -new -nodes -key ca.key -subj "/CN=NLX" -days 3650 -reqexts v3_req -extensions v3_ca -out ca.crt

Check that ca.crt was created by running:

ls

Create the secret

Let's create the Kubernetes TLS secret now:

kubectl create secret tls internal-ca \
--cert=ca.crt \
--key=ca.key \
--namespace=nlx

We now install the internal-issuer on the cluster:

kubectl apply -f internal-issuer.yaml

Then check that the internal Issuer is ready by running:

kubectl get issuer --namespace nlx

The expected result:

NAME       READY   AGE
internal   True    ??

Create the external certificate

Traffic between organizations takes place via an external certificate. For the NLX demo environment, you can easily create a certificate via the init-organization-certs.sh script. Download this script and place it in your current working directory.

For macOS & Linux:

docker run --rm -it -v $(pwd):/workdir -w /workdir --entrypoint /bin/bash cfssl/cfssl:v1.6.4 ./init-organization-certs.sh

For Windows:

docker run --rm -it -v %cd%:/workdir -w /workdir --entrypoint /bin/bash cfssl/cfssl:v1.6.4 ./init-organization-certs.sh

See the OpenSSL questions section below for what to enter when the script prompts you.

OpenSSL questions

Answer the questions accordingly:

  • Country Name, enter any value
  • State, enter any value
  • Locality Name, enter any value
  • Organization Name, please enter a URL-friendly value with a maximum length of 100 characters. A good value could be: my-organization.
  • Organization Unit Name, enter any value
  • Common name, this should correspond to the Fully Qualified Domain Name (FQDN) of your Inway, we will use my-organization.nl for this guide. For an Outway this FQDN does not have to be resolvable. It is possible to use the Inway certificate for the Outway and NLX Management.
  • Email Address, enter any value
  • Organization Serial Number (optional), enter a serial number with a maximum length of 20 characters. Also make sure this value is unique for the network in the directory overview as we do not check for uniqueness.
  • A challenge password, leave empty

Then create a Kubernetes TLS secret by running:

kubectl create secret tls external-tls \
--cert=certs/org.crt \
--key=certs/org.key \
--namespace=nlx

Your certificate now exists as a secret in Kubernetes. We will use this secret when we install NLX Management and the NLX Inway.

Obtaining your Subject Serial Number

The Subject Serial Number of your certificate, added by the Certificate Portal, is the primary identifier of your organization within NLX.

To obtain your serial number, see the Subject part of the certificate by running:

openssl x509 -in certs/org.crt -text | grep Subject:

Example of the output: Subject: C=nl, ST=zuid-holland, L=gemeente-stijns, O=my-organization, OU=my-organization-unit, CN=an-awesome-organization.nl/serialNumber=01234567890123456789.

The value after serialNumber= in the Subject's CN field is the Subject Serial Number. Save this, because it will later be used to access your own APIs when using the Outway.

For details about this, see the organization identification page.
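The Subject line above is also a convenient place to check the answers given to the OpenSSL questions (Organization Name at most 100 URL-friendly characters, Organization Serial Number at most 20 characters) before the certificate is loaded into the cluster. The following Python script is an added example and is not part of the NLX project or this guide: it parses the Subject line printed by openssl x509 (both the comma-separated and the legacy slash-separated form), extracts the Subject Serial Number, and reports violations of the constraints stated in the OpenSSL questions section. The interpretation of "URL-friendly" as lowercase letters, digits and hyphens is an assumption made for this example, and both sample Subject lines are constructed.

```python
import re

# Constraints stated in the NLX guide for the OpenSSL questions.
MAX_ORG_LEN = 100      # Organization Name: maximum 100 characters
MAX_SERIAL_LEN = 20    # Organization Serial Number: maximum 20 characters

# "URL-friendly" is not defined precisely in the guide; treating it as
# lowercase letters, digits and hyphens is an assumption of this example.
URL_FRIENDLY = re.compile(r"^[a-z0-9-]+$")

# One "key=value" pair of a distinguished name. Values stop at the next
# comma or slash, so "CN=host.nl/serialNumber=123" yields two pairs.
_PAIR = re.compile(r"([A-Za-z]+)=([^,/]+)")


def parse_subject(line: str) -> dict:
    """Parse a Subject line from `openssl x509 -text` into a dict.

    Works for "Subject: C=nl, ST=..., CN=host/serialNumber=..." as shown in
    the guide and for the legacy "subject=/C=nl/ST=.../CN=host" form.
    """
    return {key: value.strip() for key, value in _PAIR.findall(line)}


def subject_serial_number(line: str):
    """Return the Subject Serial Number, or None if the certificate has none."""
    return parse_subject(line).get("serialNumber")


def validate_subject(fields: dict) -> list:
    """Check parsed Subject fields against the constraints stated in the guide.

    Returns a list of human-readable problems; an empty list means the
    Subject satisfies every stated constraint.
    """
    problems = []

    org = fields.get("O", "")
    if not org:
        problems.append("O (Organization Name) is missing")
    else:
        if len(org) > MAX_ORG_LEN:
            problems.append(f"O is {len(org)} characters, maximum is {MAX_ORG_LEN}")
        if not URL_FRIENDLY.match(org):
            problems.append("O is not URL-friendly (expected lowercase letters, digits, hyphens)")

    if not fields.get("CN"):
        problems.append("CN (Common Name, the Inway FQDN) is missing")

    # The serial number is optional, but when present it is the primary
    # organization identifier within NLX and must fit the length limit.
    serial = fields.get("serialNumber")
    if serial is not None and len(serial) > MAX_SERIAL_LEN:
        problems.append(f"serialNumber is {len(serial)} characters, maximum is {MAX_SERIAL_LEN}")

    return problems


# Constructed sample Subject lines (not real certificates).
GOOD_SUBJECT = (
    "Subject: C=nl, ST=zuid-holland, L=gemeente-stijns, O=my-organization, "
    "OU=my-organization-unit, CN=an-awesome-organization.nl/serialNumber=01234567890123456789"
)
BAD_SUBJECT = (
    "subject=/C=nl/ST=zuid-holland/L=gemeente-stijns/O=My Organization BV/OU=unit"
    "/CN=my-organization.nl/serialNumber=123456789012345678901"
)

if __name__ == "__main__":
    for line in (GOOD_SUBJECT, BAD_SUBJECT):
        fields = parse_subject(line)
        print("Subject Serial Number:", subject_serial_number(line))
        for problem in validate_subject(fields) or ["no problems found"]:
            print("  -", problem)
```

To check a real certificate, pipe the output of `openssl x509 -in certs/org.crt -text | grep Subject:` into parse_subject; the serial number it returns is the value to keep for accessing your own APIs through the Outway.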