Generating a signed certificate involves creating a certificate signing request (CSR).
Create a san.cnf CSR config file:
[ req ] default_bits = 2048 distinguished_name = req_distinguished_name req_extensions = req_ext [ req_distinguished_name ] countryName = Country Name (2 letter code) stateOrProvinceName = State or Province Name (full name) localityName = Locality Name (eg, city) organizationName = Organization Name (eg, company) commonName = Common Name (e.g. server FQDN or YOUR name) [ req_ext ] subjectAltName = @alt_names [alt_names] DNS.1 = appcenter.example.com DNS.2 = *.appcenter.example.comMake sure the value of DNS.1 is the same as APPCTL_DOMAIN. The value of DNS.2 should be *.APPCTL_DOMAIN.
From your client machine, generate the server.key:
$ openssl req -out server.csr -newkey rsa:2048 -nodes -keyout server.key -config san.cnf
Enter the following CSR details when prompted:
CSR Detail Description Common Name Fully qualified domain name (FQDN) you want to secure with the certificate. For example: appcenter.example.com. Organization Full legal name of your organization, including the corporate identifier. Organization Unit (OU) Your department. For example: Information Technology or Website Security. City or Locality Locality or city where your organization is legally incorporated. Do not abbreviate. Country Official two-letter country code where your organization is legally incorporated. For example: US or CH. State or Province State or province where your organization is legally incorporated. Do not abbreviate.
$ openssl req -out server.csr -newkey rsa:2048 -nodes -keyout server.key -config san.cnf Generating a 2048 bit RSA private key ......................+++ ...............................+++ writing new private key to 'private.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) :AA State or Province Name (full name) :BB Locality Name (eg, city) :CC Organization Name (eg, company) :Example Common Name (e.g. server FQDN or YOUR name) :appcenter.example.comYou are not required to enter a password or passphrase. This optional field is for applying additional security to your key pair.
Provide the server.csr to the certificate authority to get a signed certificate. Make sure that you get the root and intermediate certificates from the certificate authority. The certificate needs to have the following order:
-----BEGIN MY CERTIFICATE----- -----END MY CERTIFICATE----- -----BEGIN INTERMEDIATE CERTIFICATE----- -----END INTERMEDIATE CERTIFICATE----- -----BEGIN ROOT CERTIFICATE----- -----END ROOT CERTIFICATE-----
- Rename the certificate received from certificate authority to tls.crt.
- Rename the server.key generated previously to tls.key.
Make sure the certificates have the right permissions:
$ chmod 400 tls.key
$ chmod 400 tls.crt
Place tls.crt and tls.key in the APPCTL_HOME directory:
$ cp tls.crt $APPCTL_HOME $ cp tls.key $APPCTL_HOME