To generate custom TLS certificates for NSP
Purpose
This procedure applies to NSP.
Perform this procedure to generate a set of TLS key and certificate files to provide as security artifacts in an NSP deployment.
The locations of the custom TLS files that the procedure generates are the required inputs to the ‘nspdeployerctl secret’ prompts when you create or update the custom TLS secret, as shown below:
where
customKey is the location of the private server key file in Step 3
customCert is the location of one of the following:
customCaCert is the location of the CA.pem key file obtained in Step 5
You can apply NSP certificates when:
See appropriate procedures in this guide and “NSP TLS administration overview” in the NSP System Administrator Guide for more information.
Steps
Note: The Bash shell is the supported command shell for RHEL CLI operations.
Note: A leading # character in a command line represents the root user prompt, and is not to be included in a typed command.
1
Log in as the root user on the station.

2
Open a console window.

3
Generate the private key.

# openssl genrsa -out private_server_key 2048 ↵

where private_server_key is the name of the private TLS key to generate.
4
Generate a certificate signing request, or CSR.

# openssl req -new -key private_server_key -out CSR_file -config ssl.conf ↵

where
private_server_key is the private TLS key generated in Step 3
CSR_file is the name of the CSR file to generate
ssl.conf should have the following:

[ req ]
default_bits = 2048
prompt = no
distinguished_name = dn
req_extensions = req_ext

[ dn ]
CN = common_name
OU = org_unit
O = organization
L = locality
ST = province or state
C = country

[ req_ext ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = DNS_1
DNS.2 = DNS_2
IP.1 = IP_1
IP.2 = IP_2

Note: SAN entries for the certificate are in the alt_names section of ssl.conf.
Note: A custom certificate is unique to an NSP cluster; in a DR deployment, each cluster requires a unique, cluster-specific SAN entry.
Note: In an NSP deployment that includes NFM-P, uses separate client and internal interfaces, and has the Kafka internal mTLS parameter disabled in nsp-config.yml, the NSP TLS certificate SAN field must also include the internal advertised address of the NSP cluster. In the nsp-config.yml file on the local NSP deployer host:
If NSP and NFM-P use separate client and internal interfaces and the Kafka internal mTLS parameter is enabled, the NSP TLS certificate SAN field does not require the internal advertised address of the NSP cluster.
5
Send the CSR file to a CA for authentication.
The CA returns the following certificate files that contain a trusted root certificate in a hierarchical certificate chain.
Note: The TLS certificate files must be PEM certificates (base64 format) to integrate with NSP. Ensure that certificate files are converted to PEM format as needed.

6
If you are using an intermediate CA, enter the following to generate the chained server .pem file:

# cat server.pem ca-chained.pem > server-chained.pem ↵

Note: The certificate order is important; the server certificate must be first in the chain of certificates in the file in order for the NSP installer to read the certificates correctly.
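The key and CSR generation of Steps 3 and 4 and the chain-order check of Step 6, as an added worked script that is not part of the NSP documentation. It writes the ssl.conf of Step 4 from a list of SAN entries, runs the two openssl commands of Steps 3 and 4, confirms that the SAN entries actually landed in the CSR before it is sent off, and then checks that the server certificate is the first PEM block of server-chained.pem. Because the CA of Step 5 is not available offline, the script constructs a throwaway root and intermediate CA of its own to sign the CSR; every DN value, host name (nsp.example.com, nsp-internal.example.com), address (192.0.2.10) and function name below is an assumed placeholder, not something taken from NSP or nspdeployerctl.

```shell
#!/usr/bin/env bash
# Added example, not part of the NSP documentation: builds the ssl.conf of Step 4, runs the
# key and CSR commands of Steps 3 and 4, and checks the chain order of Step 6. The CA of
# Step 5 is replaced by a throwaway local root and intermediate CA so the flow runs offline.
# All DN values, host names and addresses are constructed placeholders.
set -eu
WORK=${WORK:-$(mktemp -d)}

# Usage: write_ssl_conf <path> <CN> [DNS:name ...] [IP:address ...]
write_ssl_conf() {
    local out="$1" cn="$2"
    shift 2
    cat > "$out" <<EOF
[ req ]
default_bits = 2048
prompt = no
distinguished_name = dn
req_extensions = req_ext

[ dn ]
CN = $cn
OU = NSP Operations
O = Example Operator
L = Ottawa
ST = Ontario
C = CA

[ req_ext ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[ alt_names ]
EOF
    local dns_i=0 ip_i=0 san
    for san in "$@"; do                      # number the SAN entries DNS.1, DNS.2, IP.1, ...
        case "$san" in
            DNS:*) dns_i=$((dns_i + 1)); printf 'DNS.%d = %s\n' "$dns_i" "${san#DNS:}" >> "$out" ;;
            IP:*)  ip_i=$((ip_i + 1));   printf 'IP.%d = %s\n'  "$ip_i"  "${san#IP:}"  >> "$out" ;;
            *)     echo "unsupported SAN entry: $san" >&2; return 1 ;;
        esac
    done
}

# Steps 3 and 4: the two openssl commands of the procedure (key, then CSR).
make_key_and_csr() {
    openssl genrsa -out "$1" 2048 2>/dev/null
    openssl req -new -key "$1" -out "$2" -config "$3"
}

# Confirm a SAN is in the CSR before sending it off (printed as "DNS:name" or "IP Address:addr").
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -qF -- "$2"
}

# Stand-in for the CA of Step 5: constructed root and intermediate, for the offline check only.
make_test_ca() {
    local d="$1"
    printf 'basicConstraints = critical, CA:true\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$d/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.csr" \
        -subj "/CN=Constructed Test Root CA" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 -extfile "$d/ca.ext" \
        -out "$d/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/int.key" -out "$d/int.csr" \
        -subj "/CN=Constructed Test Intermediate CA" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -days 1 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    cat "$d/int.pem" "$d/root.pem" > "$d/ca-chained.pem"   # the CA chain a real CA hands back
}

# The intermediate signs the server CSR, applying the req_ext extensions from ssl.conf.
sign_server_csr() {
    openssl x509 -req -in "$2" -CA "$1/int.pem" -CAkey "$1/int.key" -CAcreateserial -days 1 \
        -extfile "$3" -extensions req_ext -out "$4" 2>/dev/null
}

# Step 6 check: openssl x509 reads only the first PEM block, so its subject shows which
# certificate is first; openssl verify then confirms the file chains back to the trusted root.
chain_is_ordered() {
    local chained="$1" root="$2" expected_cn="$3" first_cn
    first_cn=$(openssl x509 -in "$chained" -noout -subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p')
    [ "$first_cn" = "$expected_cn" ] || return 1
    openssl verify -CAfile "$root" -untrusted "$chained" "$chained" >/dev/null 2>&1
}

run_demo() {
    local d="$1"
    write_ssl_conf "$d/ssl.conf" nsp.example.com \
        DNS:nsp.example.com DNS:nsp-internal.example.com IP:192.0.2.10
    make_key_and_csr "$d/private_server_key" "$d/CSR_file" "$d/ssl.conf"
    make_test_ca "$d"
    sign_server_csr "$d" "$d/CSR_file" "$d/ssl.conf" "$d/server.pem"
    cat "$d/server.pem" "$d/ca-chained.pem" > "$d/server-chained.pem"   # Step 6: server cert first
    cat "$d/ca-chained.pem" "$d/server.pem" > "$d/wrong-order.pem"      # reversed, for contrast
    chain_is_ordered "$d/server-chained.pem" "$d/root.pem" nsp.example.com \
        && echo "server-chained.pem: server certificate first, chain verifies"
    chain_is_ordered "$d/wrong-order.pem" "$d/root.pem" nsp.example.com \
        || echo "wrong-order.pem: rejected, a CA certificate precedes the server certificate"
}

run_demo "$WORK"
echo "files written to $WORK"
```

The two checks are the ones worth keeping from this script: csr_has_san catches a forgotten cluster-specific or internal-address SAN before the CSR leaves for the CA, and chain_is_ordered reproduces the Step 6 requirement that the server certificate be the first block of server-chained.pem, which is what the reversed wrong-order.pem fails. The script is POSIX-shell compatible apart from its Bash shebang, and it needs only the openssl binary.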
7
If the secret nginx-nb-tls-nsp exists, delete the secret first:

# ./nspdeployerctl secret -n nsp-psa-restricted -s nginx-nb-tls-nsp delete ↵

8
Enter the following to install the secret:

# ./nspdeployerctl secret -s nginx-nb-tls-nsp install ↵

Follow the prompts to install the generated TLS certificates. In a DR deployment, enter the command on the primary and secondary clusters to install the generated TLS certificates and other cluster TLS files.

9
Close the console window.
10
If your deployment includes NFM-P, perform To generate and apply NFM-P TLS certificates using keystore and truststore files.

End of steps