Custom Object Gateway SSl/TLS Certificate: Difference between revisions

When configuring QuantaStor scale-out clusters with an object storage zone it is important to setup a SSL/TLS certification to associate with the S3 gateway (CephRGW) so that clients connecting are able to validate the certificate against either an internal or public certificate authority (CA). This article goes of the procedure for making a SSL certificate for that purpose using OpenSSL along with a series of 'Alt Names' or 'Subject Alt Names' which identifies all the FQDNs for all the ports on all the QuantaStor systems that make up the cluster and any floating cluster wide FQDNs that my be used to access the S3 gateways.

S3 Certificate CSR generation and signing using Windows AD/Certificate Authority

Start by creating a empty directory to store the certificates to be generated.

mkdir s3_adtest_osnexus_net_crt
cd s3_adtest_osnexus_net_crt

Next create a file named openssl.cnf that contains the proper values for your site, and the Subject Alt Names you wish to have match FQDN to IP mappings in your DNS.

conf file contents example
[ req ]
default_bits       = 2048
prompt             = no
default_md         = sha256
distinguished_name = req_distinguished_name
req_extensions     = req_ext
x509_extensions    = v3_req

[ req_distinguished_name ]
C  = US
ST = Washington
L  = Bellevue
O  = OSNEXUS Development
OU = s3 services

[ req_ext ]
subjectAltName = @alt_names

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1   = s3.adtest.osnexus.net
DNS.2   = cg-631f-201.adtest.osnexus.net
DNS.3   = cg-631f-202.adtest.osnexus.net
DNS.4   = cg-631f-203.adtest.osnexus.net
DNS.5   = vif205.adtest.osnexus.net
DNS.6   = vif206.adtest.osnexus.net
DNS.7   = vif207.adtest.osnexus.net
IP.1    = 10.0.12.201
IP.2    = 10.0.12.202
IP.3    = 10.0.12.203
IP.4    = 10.0.12.205
IP.5    = 10.0.12.206
IP.6    = 10.0.12.207

generate a server key

openssl genrsa -out s3_adtest_osnexus_net.key 2048

generate a csr based on the config file using the key

openssl req -new -out s3_adtest_osnexus_net.csr -key s3_adtest_osnexus_net.key -config openssl.cnf

review the CSR to ensure it contians the settings you want:

openssl req -in s3_adtest_osnexus_net.csr -noout -text

take the csr and submit it to the Certificate Authority. refer to the Certificate Authorities documentation for signing the csr and generating a server cert and CA chain.

for Windows AD/Certificate Authority, install and deploy the WIndows Certificate Authority role with the Certificate Authority web portal options. This should give you a new path to submit csrs to under http://<AD Server IP>/certsrv

follow the onscreen prompts on the Windows AD Certificate AUthority page to submit the csr and request a signed certificate.

when the certificate is available for download you can download it in der format or base64. if you downlaod as der we can convert it after the fact.

If the .cer file is already in base64 encoded PEM format, you can simply rename it to .pem or proceed to the next step.

converting der certificates to base64 pem format

openssl pkcs7 -print_certs -inform der -in certnew.p7b -out cert_chain.pem

openssl x509 -inform der -in certnew.cer -out certnew.pem

rename the certificate authority chain file to a clearer name

cp cert_chain.pem adtest_osnexus_net.pem

Ensure Your Private Key is in PEM Format: First, make sure your private key is in PEM format. It should look like this in a text editor:

   -----BEGIN PRIVATE KEY-----
   (Your private key here)
   -----END PRIVATE KEY-----
   

  If your private key is in DER format, convert it to PEM using the following command:

   openssl rsa -inform DER -outform PEM -in derformat.key -out s3_adtest_osnexus_net.key
   

  Replace `derformat.key` with the path to your DER-formatted private key and `s3_adtest_osnexus_net.key` with the desired output filename for the PEM-formatted private key.

Concatenate the Private Key, Certificate, and Chain: You want to have the private key at the beginning of your PEM file followed by your certificate and then the certificate chain. Use the `cat` command to concatenate them in this order:

   cat s3_adtest_osnexus_net.key certnew.pem cert_chain.pem > s3_adtest_osnexus_net.pem
   

  Replace `myprivatekey.pem` with your private key file, `certnew.pem` with your certificate file, and `cert_chain.pem` with your certificate chain file. The combined file `combined_with_key.pem` will contain all three components.

Verify the Contents: You can check the contents of the final PEM file to ensure all parts are included correctly:

   openssl x509 -in s3_adtest_osnexus_net.pem -text -noout
   

  This command will display the certificate details. You won't be able to view the private key this way (and you shouldn't be able to), but you can open the PEM file in a text editor to ensure the private key and certificates are present.

either create your s3 gateways with the new s3_adtest_osnexus_net.pem pem file, or copy the files to replace the existing certificates under /etc/ceph/ceph_<HOSTNAME>_radosgw.pem and restart the radosgw services with systemctl restart ceph-radosgw@*.service

on the client insert the CA's cert chain file if not already present.

for an ubuntu 20.04 system you can do it using the below:

cp adtest_osnexus_net.pem /usr/local/share/ca-certificates/
update-ca-certificates

Note, you may need to break the cert file up into seperate files depending on the length of the cert chain.

test the certificate from a client and verify it via openssl to ensure no errors/issues

curl https://<FQDN of server>:<port>

echo -n | openssl s_client -showcerts -connect <FQDN of server>:<port>