Open in app

Sign in

Write

Sign in

Custom Certs in API Connect 2018

Chris Phillips
2 min readNov 16, 2018

When generating your own certificates for use with API connect you need to ensure the x509 extension options are correctly set.

Adrian Osadcenco, Chris Twomey and Michael O’Sullivan put together this script which i have been using. The script generates all the required certificates that can then be used during the configuration.

This script below was used for appliances (OVAs) and so all of the management endpoints are set to to the same address

#!/bin/bash#Global variables
MGMT=management-appliance.ibm.com
ANALYTISCLIENT=analytics-client-appliance.ibm.com
ANALYTICSINGESTION=analytics-ingestion-appliance.ibm.com
PORTAL_ADMIN=portal-admin-appliance.ibm.com
PORTALURL=portal-appliance.ibm.com# Root Key
openssl genrsa -out rootCA.key 4096
# Root CA
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt -subj "/C=IE/ST=Cork/O=cloud, Inc./CN=gdsgdfgdf"#variables
VAR_SUBJ[1]="/C=IE/ST=Cork/O=cloud, Inc./CN=${MGMT}"
VAR_KEY[1]=platform-api
VAR_EXT[1]="\n[SAN]\nsubjectAltName=DNS:${MGMT},DNS:${MGMT}\nextendedKeyUsage=serverAuth"VAR_SUBJ[2]="/C=IE/ST=Cork/O=cloud, Inc./CN=${MGMT}"
VAR_KEY[2]=consumer-api
VAR_EXT[2]="\n[SAN]\nsubjectAltName=DNS:${MGMT},DNS:${MGMT}\nextendedKeyUsage=serverAuth"VAR_SUBJ[3]="/C=IE/ST=Cork/O=cloud, Inc./CN=${MGMT}"
VAR_KEY[3]=api-manager-ui
VAR_EXT[3]="\n[SAN]\nsubjectAltName=DNS:${MGMT},DNS:${MGMT}\nextendedKeyUsage=serverAuth"VAR_SUBJ[4]="/C=IE/ST=Cork/O=cloud, Inc./CN=${MGMT}"
VAR_KEY[4]=cloud-admin-ui
VAR_EXT[4]="\n[SAN]\nsubjectAltName=DNS:${MGMT},DNS:${MGMT}\nextendedKeyUsage=serverAuth"VAR_SUBJ[5]="/C=IE/ST=Cork/O=cloud, Inc./CN=${PORTAL_ADMIN}"
VAR_KEY[5]=portal-admin-ingress
VAR_EXT[5]="\n[SAN]\nsubjectAltName=DNS:${PORTAL_ADMIN},DNS:${PORTAL_ADMIN}\nextendedKeyUsage=serverAuth"VAR_SUBJ[6]="/C=IE/ST=Cork/O=cloud, Inc./CN=${PORTALURL}"
VAR_KEY[6]=portal-www-ingress
VAR_EXT[6]="\n[SAN]\nsubjectAltName=DNS:${PORTALURL},DNS:${PORTALURL}\nextendedKeyUsage=serverAuth"VAR_SUBJ[7]="/C=IE/ST=Cork/O=cloud, Inc./CN=${ANALYTISCLIENT}"
VAR_KEY[7]=analytics-client-ingress
VAR_EXT[7]="\n[SAN]\nsubjectAltName=DNS:${ANALYTISCLIENT},DNS:${ANALYTISCLIENT}\nextendedKeyUsage=serverAuth"VAR_SUBJ[8]="/C=IE/ST=Cork/O=cloud, Inc./CN=${ANALYTICSINGESTION}"
VAR_KEY[8]=analytics-ingestion-ingress
VAR_EXT[8]="\n[SAN]\nsubjectAltName=DNS:${ANALYTICSINGESTION},DNS:${ANALYTICSINGESTION}\nextendedKeyUsage=serverAuth"VAR_SUBJ[9]="/C=IE/ST=Cork/O=cloud, Inc./CN=portal-client"
VAR_KEY[9]=portal-client
VAR_EXT[9]="\n[SAN]\nkeyUsage=critical, digitalSignature, keyEncipherment\nextendedKeyUsage = clientAuth\nbasicConstraints=critical, CA:FALSE\nsubjectKeyIdentifier=hash\n"VAR_SUBJ[10]="/C=IE/ST=Cork/O=cloud, Inc./CN=analytics-ingestion-client"
VAR_KEY[10]=analytics-ingestion-client
VAR_EXT[10]="\n[SAN]\nkeyUsage=critical, digitalSignature, keyEncipherment\nextendedKeyUsage = clientAuth\nbasicConstraints=critical, CA:FALSE\nsubjectKeyIdentifier=hash\n"VAR_SUBJ[11]="/C=IE/ST=Cork/O=cloud, Inc./CN=analytics-client-client"
VAR_KEY[11]=analytics-client-client
VAR_EXT[11]="\n[SAN]\nkeyUsage=critical, digitalSignature, keyEncipherment\nextendedKeyUsage = clientAuth\nbasicConstraints=critical, CA:FALSE\nsubjectKeyIdentifier=hash\n"# VAR_SUBJ[9]="/C=IE/ST=Cork/O=cloud, Inc./CN=gw.192.168.151.22.nip.io"
# VAR_KEY[9]=api-gateway-ingress
# VAR_EXT[9]="\nsubjectAltName=DNS:gw.192.168.151.22.nip.io,DNS:gw.192.168.151.22.nip.io\nextendedKeyUsage=serverAuth"
#
# VAR_SUBJ[10]="/C=IE/ST=Cork/O=cloud, Inc./CN=gwd.192.168.151.22.nip.io"
# VAR_KEY[10]=api-gateway-service-ingress
# VAR_EXT[10]="\nsubjectAltName=DNS:gwd.192.168.151.22.nip.io,DNS:gwd.192.168.151.22.nip.io\nextendedKeyUsage=serverAuth"
#maini=1
while [ $i -le ${#VAR_KEY[@]} ]; do
  echo --  ${VAR_KEY[${i}]} --
  echo --  ${VAR_SUBJ[${i}]} --
  echo --  ${VAR_EXT[${i}]} --
  openssl genrsa -out ${VAR_KEY[${i}]}.key 2048
  if [ $? != 0 ] ; then exit 1 ; fi
  # openssl req -new -sha256 -key ${VAR_KEY[${i}]}.key -subj ${VAR_SUBJ[${i}]} -out ${VAR_KEY[${i}]}.csr
  openssl req -new -sha256 -key ${VAR_KEY[${i}]}.key -subj "${VAR_SUBJ[${i}]}" -out ${VAR_KEY[${i}]}.csr
  if [ $? != 0 ] ; then exit 1 ; fi
   openssl x509 -req -in ${VAR_KEY[${i}]}.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out ${VAR_KEY[${i}]}.crt -days 500 -sha256 -extfile <(cat /etc/ssl/openssl.cnf <(printf "${VAR_EXT[${i}]}")) -extensions SAN
  if [ $? != 0 ] ; then exit 1 ; fi
  let i+=1
done
Security
Api Connect
V2018
Ssl
Certificate

--

--

Chris Phillips

Written by Chris Phillips

108 Followers

Pink Teddy gets sent to help his owner's Daddy. All opinions are of Chris Phillips, IBM Master Inventor, API SME, Governance SME for IBM Cloud Services

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams