Creating a Certificate

Creating a Certificate to Use in Data Protection

To enable this, create a certificate (on Windows, Linux or macOS) and share it among all the replicas of the microservice. Sharing the same certificate ensures that a request that started on one instance can continue on another.

Creating the certificate on Windows

To create the certificate we will use the local folder C:\temp\ssl and Windows Terminal / PowerShell, which must be started as administrator before running the commands below.

  1. Run the PowerShell command below to create a new certificate:
New-SelfSignedCertificate -Type Custom -Subject "CN=TokenSigningForDataProtection" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3") -KeyUsage DigitalSignature -KeyAlgorithm RSA -KeyLength 2048 -CertStoreLocation "Cert:\LocalMachine\My"

The result is something like this:

Thumbprint                                Subject
----------                                -------
5C9A0067427FEE4E66D33761D04BC7F36064DA87  CN=TokenSigningForDataProtection

  2. Copy the Thumbprint value into the <Thumbprint> placeholder, then choose a new password for the Password field:

$cert = (Get-ChildItem -Path cert:\LocalMachine\My\<Thumbprint>)
$mypwd = ConvertTo-SecureString -String "<Password>" -Force -AsPlainText

The password provided above will be used to configure the certificate in the cluster.

Example:

$cert = (Get-ChildItem -Path cert:\LocalMachine\My\5C9A0067427FEE4E66D33761D04BC7F36064DA87)
$mypwd = ConvertTo-SecureString -String "@mypaswrodk76" -Force -AsPlainText

  3. Run the command below using the same Thumbprint as before:
    Get-ChildItem -Path cert:\LocalMachine\My\<Thumbprint> | Export-PfxCertificate -FilePath C:\temp\ssl\certificate.pfx -Password $mypwd

Example:

Get-ChildItem -Path cert:\LocalMachine\My\5C9A0067427FEE4E66D33761D04BC7F36064DA87 | Export-PfxCertificate -FilePath C:\temp\ssl\certificate.pfx -Password $mypwd

After running this command you will have a new PFX file (certificate.pfx) in the C:\temp\ssl folder, which can be copied
to shared storage in the Kubernetes cluster.

  4. Verify the validity of the certificate you just created:
    a) Install the Chocolatey package manager from https://chocolatey.org
    b) Open a prompt as an administrator and install OpenSSL:
    choco install openssl
    c) Close Windows Terminal and open it again so that openssl is on the PATH
    d) Change to the folder where you exported the certificate (C:\temp\ssl) and run:
    openssl pkcs12 -clcerts -nodes -in .\certificate.pfx | openssl x509 -noout -enddate
    e) Enter the certificate password and the command prints the certificate's expiry date (notAfter)
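The text above notes that the certificate can also be created on Linux or macOS but only shows the Windows steps. The script below is an added example (not Devprime's code) that builds an equivalent certificate.pfx with openssl, with the same subject, key usage and extended key usage, and runs the same expiry check non-interactively. It assumes OpenSSL 1.1.1 or later (for -addext); the function names are assumptions.

```shell
#!/bin/sh
# Added example (not Devprime's code): Linux/macOS equivalent of the Windows steps above.
# Assumes OpenSSL 1.1.1+ (for -addext). Function names are assumptions.
set -eu

# create_dp_cert DIR PASSWORD
# Same subject, key usage and EKU (1.3.6.1.5.5.7.3.3 = code signing) as the
# New-SelfSignedCertificate call, bundled into DIR/certificate.pfx like Export-PfxCertificate.
create_dp_cert() {
    dir="$1"; pw="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=TokenSigningForDataProtection" \
        -addext "keyUsage=digitalSignature" \
        -addext "extendedKeyUsage=codeSigning" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -out "$dir/certificate.pfx" -passout "pass:$pw"
    # The plaintext key was only needed to build the bundle; do not leave it on disk.
    rm -f "$dir/key.pem"
    echo "$dir/certificate.pfx"
}

# pfx_enddate PFX PASSWORD -> "notAfter=..." (the check from step 4, password supplied via -passin)
pfx_enddate() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -clcerts 2>/dev/null \
        | openssl x509 -noout -enddate
}

# pfx_subject PFX PASSWORD -> "subject=CN = TokenSigningForDataProtection"
pfx_subject() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -clcerts 2>/dev/null \
        | openssl x509 -noout -subject
}

# pfx_valid_30d PFX PASSWORD -> exit 0 only if the certificate is still valid 30 days from now;
# a failing check here is the signal to rotate before every replica loses the shared key.
pfx_valid_30d() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -clcerts 2>/dev/null \
        | openssl x509 -noout -checkend 2592000 >/dev/null
}

# Stand-alone usage: DP_PFX_PASSWORD='...' sh make-dp-cert.sh /path/to/output-dir
if [ -n "${DP_PFX_PASSWORD:-}" ]; then
    pfx=$(create_dp_cert "${1:-.}" "$DP_PFX_PASSWORD")
    echo "wrote $pfx"
    pfx_enddate "$pfx" "$DP_PFX_PASSWORD"
fi
```

The resulting certificate.pfx is consumed the same way as the Windows-generated one: copy it to the shared storage in the cluster and point the Devprime Security configuration at its path.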

Next steps:
a) Create a Storage in the Cluster
b) Modify the POD deployment by mounting the volume
c) Copy the certificate to Storage
d) Modify the Devprime Security configuration to inform the path of the certificate in the cluster.

To learn more:

Last modified January 10, 2024 (967dcac3)