Ordering an SSL certificate
Certificate renewal
Expires annually in July. Next expiry is July 22, 2022
Steps
General steps are:
1) Notification of SSL certificate renewal
2) Generate a private key
3) Generate a certificate signing request (CSR)
4) Submit the newly created CSR
5) Configure the OpenShift namespace to use the SSL cert
6) Test that the SSL cert works
SSL and CSR for OpenShift apps
A step-by-step guide to getting your SSL certificate configured for an OpenShift app in the BC Public Service.
Step 1: Requesting your certificates
You will need to complete the request form.
The form is submitted through the iStore (https://imbsd.gov.bc.ca/) by attaching it to a new ticket.
Things to keep in mind while ordering SSLs
1) SSLs for all URLs of the form *.apps.silver.devops.gov.bc.ca are the responsibility of the platform services team, not the project teams.
2) If your project requires subject alternative names (SANs), the number entered in the form field "SANs Quantity" must match the number of SANs in the CSR you generate in Step 2 of this guide.
3) For simple apps a 'Standard SSL' should be fine.
4) More reading on SSL best practices can be found Here.
Step 2: Generate a Certificate Signing Request (CSR)
The iStore will require a CSR to be generated. This can be done using the script:
Generate a certificate signing request (CSR)
An example of a CSR with subject alternative names (SANs): - Rocket Chat (uses 3 SANs)
Subject alternative names let one certificate cover multiple URLs. With OpenShift this is useful when you want to secure the dev, test and prod namespaces under the same certificate.
This script will generate a CSR (NAME.csr) and a private key (NAME.key). Send the CSR to the iStore when it is requested. Keep the key secret and safe: it is never sent anywhere, and anyone who obtains it can impersonate your site for the lifetime of the certificate. DO NOT COMMIT THESE TO YOUR REPOS BY ACCIDENT.
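The guide links to a script for this step; the one below is an added example written for this page, not the project's script. It builds the key and a CSR whose SANs are embedded in the request, and it counts them so the number can be checked against the "SANs Quantity" form field before the ticket is filed. The subject fields, the NAME and the host names are hypothetical; openssl is assumed to be on the path.

```shell
#!/usr/bin/env bash
# Added example, not the guide's own script: generate a private key and a CSR
# with subject alternative names (SANs) using openssl. Subject fields, NAME and
# host names used here are hypothetical.
set -euo pipefail

# gen_csr NAME CN SAN... : writes NAME.key and NAME.csr in the current directory.
# Every SAN goes into the CSR's subjectAltName extension; the number of DNS
# entries is what the iStore form's "SANs Quantity" field has to match.
gen_csr() {
  local name="$1" cn="$2"
  shift 2
  if [ "$#" -lt 1 ]; then
    echo "gen_csr: give at least one SAN (browsers ignore the CN on its own)" >&2
    return 1
  fi
  local san_list="" sep=""
  for san in "$@"; do
    san_list="${san_list}${sep}DNS:${san}"
    sep=","
  done

  # openssl config in a temp file so the extension ends up in the CSR itself
  local cfg
  cfg="$(mktemp)"
  cat >"$cfg" <<EOF
[req]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[dn]
C  = CA
ST = British Columbia
L  = Victoria
O  = Example Organisation
CN = ${cn}

[v3_req]
subjectAltName = ${san_list}
EOF

  # umask in a subshell: the key file is created readable by its owner only
  ( umask 077 && openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -keyout "${name}.key" -out "${name}.csr" -config "$cfg" 2>/dev/null )
  rm -f "$cfg"
}

# count_sans NAME : prints the number of DNS SANs found in NAME.csr
count_sans() {
  openssl req -in "$1.csr" -noout -text | grep -o 'DNS:[^, ]*' | wc -l | tr -d ' '
}

# csr_is_valid NAME : checks the CSR's self-signature, as the iStore will
csr_is_valid() {
  openssl req -in "$1.csr" -noout -verify >/dev/null 2>&1
}

# Usage (hypothetical names):
#   gen_csr example-app example.gov.bc.ca example.gov.bc.ca dev.example.gov.bc.ca
#   count_sans example-app   # compare with the "SANs Quantity" field
```

The CN is repeated as the first SAN because modern browsers only look at the subjectAltName extension; a CSR whose SANs omit the main hostname yields a certificate that fails exactly on the address you care about. The key file is written with mode 600 by the subshell's umask, which is the right default for something that must never leave the machine or reach a repository.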
Step 3: Install the SSL in OpenShift
Once the iStore has sent you your SSL certs, you can install them in OpenShift.
a. Create Secret
To avoid storing the certs and private key locally, store them in the relevant namespace (probably prod) as a secret. Run the following oc command:
oc -n <<NAMESPACE>> create secret generic <<NAME>>-ssl.<<YEAR>> \
  --from-file=private-key=<<NAME>>.key \
  --from-file=certificate=<<NAME>>.txt \
  --from-file=csr=<<NAME>>.csr \
  --from-file=ca-chain-certificate=L1K-for-certs.txt \
  --from-file=ca-root-certifcate=L1K-root-for-certs-G2.txt
For http://digital.gov.bc.ca the command is:
oc -n c0cce6-prod create secret generic digital.gov.bc.ca-ssl.2022 \
  --from-file=private-key=digital.gov.bc.ca.key \
  --from-file=certificate=digital.gov.bc.ca.txt \
  --from-file=csr=digital.gov.bc.ca.csr \
  --from-file=ca-chain-certificate=L1K-for-certs.txt \
  --from-file=ca-root-certifcate=L1K-root-for-certs-G2.txt
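Before the files go into the secret it is worth checking that they belong together: a renewal certificate placed next to last year's key, or a certificate missing one of the dev/test/prod hostnames, only shows up once the route is updated. The checks below are an added example for this page, not part of the guide; they assume PEM-encoded files named by the guide's NAME.txt / NAME.key convention and openssl on the path, and the host names in the comments are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not part of the guide: sanity checks on the files returned by
# the iStore before they are stored in the OpenShift secret. Assumes PEM files
# named NAME.txt (certificate) and NAME.key (private key); host names are
# hypothetical.
set -euo pipefail

# cert_matches_key CERT KEY : true when the certificate was issued for this key.
# Compares the public key inside the cert with the one derived from the key,
# so a mismatched pair is caught here rather than by a failing route.
cert_matches_key() {
  local cert_pub key_pub
  cert_pub="$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)"
  key_pub="$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)"
  [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for_days CERT DAYS : true when the cert does not expire within DAYS.
# Run it with the notice period you want ahead of the annual July renewal.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# cert_sans CERT : prints the DNS names the cert actually covers, one per line,
# for comparison with the dev/test/prod hostnames that were requested.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -o 'DNS:[^, ]*' | sed 's/^DNS://' || true
}

# cert_covers CERT HOSTNAME : true when HOSTNAME is one of the cert's SANs
cert_covers() {
  cert_sans "$1" | grep -qx "$2"
}

# Usage (hypothetical names), before running the oc create secret command:
#   cert_matches_key digital.gov.bc.ca.txt digital.gov.bc.ca.key
#   cert_valid_for_days digital.gov.bc.ca.txt 30
#   cert_covers digital.gov.bc.ca.txt digital.gov.bc.ca
```

Comparing public keys rather than RSA moduli keeps the check valid if a future request uses an EC key, and `-checkend` delegates the date arithmetic to openssl so the result is the same on Linux and macOS.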
b. Create (first time only) or update TLS settings for the front-end route (external traffic)
For renewal, you can simply update the TLS settings in the UI of the OCP console.
Otherwise, use the following settings:
TLS Termination: Edge
Insecure Traffic: Redirect

| Route field | Created secret | Source file |
|---|---|---|
| Certificate | certificate | NAME.txt |
| Private Key | private-key | NAME.key |
| CA Certificate | ca-chain-certificate | L1K-for-certs.txt |

c. Verify SSO (Keycloak) settings
If your app uses Keycloak, make certain that it still works.
Step 4: Confirm with the iStore
Once your SSL has been installed and everything is working, confirm with the iStore so they can close the ticket... also say thank you...
SSL Server Test
To test the TLS configuration of a site, run it through the Qualys SSL Labs server test, for example:
https://www.ssllabs.com/ssltest/analyze.html?d=digital.gov.bc.ca