Custom Object Gateway SSl/TLS Certificate: Difference between revisions
| Line 3: | Line 3: | ||
== S3 Certificate CSR generation and signing using Windows AD/Certificate Authority == | == S3 Certificate CSR generation and signing using Windows AD/Certificate Authority == | ||
=== Prepare Certs Directory === | |||
Start by creating a empty directory to store the certificates to be generated. | Start by creating a empty directory to store the certificates to be generated. | ||
| Line 9: | Line 10: | ||
cd s3_adtest_osnexus_net_crt | cd s3_adtest_osnexus_net_crt | ||
</pre> | </pre> | ||
=== Create OpenSSL Configuration File === | |||
Next create a file named openssl.cnf that contains the proper values for your site, and the '''Subject Alt Names''' you wish to have match FQDN to IP mappings in your DNS. Here's an example openssl configuration file (save as openssl.cnf), you can start with this one and edit the values to match your organization. Be sure to change all the values under '''[ alt_names ]''' and under '''[ req_distinguished_name ]''' to match the settings for your organization : | Next create a file named openssl.cnf that contains the proper values for your site, and the '''Subject Alt Names''' you wish to have match FQDN to IP mappings in your DNS. Here's an example openssl configuration file (save as openssl.cnf), you can start with this one and edit the values to match your organization. Be sure to change all the values under '''[ alt_names ]''' and under '''[ req_distinguished_name ]''' to match the settings for your organization : | ||
| Line 50: | Line 53: | ||
</pre> | </pre> | ||
generate a server key | === Generate Server Key === | ||
This will generate a new server key we'll use to make a CSR from in the next step. | |||
<pre> | <pre> | ||
| Line 56: | Line 61: | ||
</pre> | </pre> | ||
generate a | === Generate Certificate Signing Request (CSR) === | ||
Here we use the server key with the openssl.cnf configuration file to generate a CSR: | |||
<pre> | <pre> | ||
| Line 62: | Line 69: | ||
</pre> | </pre> | ||
review the CSR | === Verify / Validate CSR === | ||
Next review the generated CSR to ensure it accurately contains the correct settings: | |||
<pre> | <pre> | ||
| Line 68: | Line 76: | ||
</pre> | </pre> | ||
=== Submit CSR to Certificate Authority === | |||
for Windows AD/Certificate Authority, install and deploy the | Next take the CSR and submit it to your Certificate Authority. Refer to the Certificate Authorities documentation for signing the CSR and generating a server cert and CA chain. For Windows AD/Certificate Authority, install and deploy the Windows Certificate Authority role with the Certificate Authority web portal options. This should give you a new path to submit CSRs to under http://<AD Server IP>/certsrv | ||
Follow the onscreen prompts on the Windows Active Directory (AD) Certificate Authority page to submit the CSR and request a signed certificate. When the certificate is available for download you can download it in DER format (X. 509 digital certificate encoded in binary) or in Base64 format. If you download it in DER format we can convert it after the fact. | |||
If the .cer file is already in base64 encoded PEM format, you can simply rename it to .pem or proceed to the next step. | |||
=== Converting DER certificates to Base64 pem Format === | |||
This shows how to take a DER formatted file (certnew.p7b) to produce a certificate chain (cert_chain.pem) PEM file and a PRM file from the produced certificate (certnew.cer): | |||
<pre> | <pre> | ||
openssl pkcs7 -print_certs -inform der -in certnew.p7b -out cert_chain.pem | openssl pkcs7 -print_certs -inform der -in certnew.p7b -out cert_chain.pem | ||
openssl x509 -inform der -in certnew.cer -out certnew.pem | openssl x509 -inform der -in certnew.cer -out certnew.pem | ||
</pre> | </pre> | ||
rename the certificate authority chain file to a clearer name | Next we'll rename the certificate authority chain file to a clearer name: | ||
<pre> | <pre> | ||
cp cert_chain.pem adtest_osnexus_net.pem | cp cert_chain.pem adtest_osnexus_net.pem | ||
</pre> | </pre> | ||
Next ensure your private key is now in PEM format, it should look like this in a text editor with BEGIN and END blocks showing the key in Base64 format: | |||
<pre> | <pre> | ||
| Line 99: | Line 107: | ||
</pre> | </pre> | ||
If your private key is in DER format, convert it to PEM using the following command: | |||
<pre> | <pre> | ||
| Line 108: | Line 116: | ||
Replace `derformat.key` with the path to your DER-formatted private key and `s3_adtest_osnexus_net.key` with the desired output filename for the PEM-formatted private key. | Replace `derformat.key` with the path to your DER-formatted private key and `s3_adtest_osnexus_net.key` with the desired output filename for the PEM-formatted private key. | ||
Concatenate the Private Key, Certificate, and Chain | === Concatenate the Private Key, Certificate, and Chain === | ||
You want to have the private key at the beginning of your PEM file followed by your certificate and then the certificate chain. Use the `cat` command to concatenate them in this order: | |||
<pre> | <pre> | ||
Revision as of 21:04, 7 June 2024
When configuring QuantaStor scale-out clusters with an object storage zone it is important to setup a SSL/TLS certification to associate with the S3 gateway (CephRGW) so that clients connecting are able to validate the certificate against either an internal or public certificate authority (CA). This article goes of the procedure for making a SSL certificate for that purpose using OpenSSL along with a series of 'Alt Names' or 'Subject Alt Names' which identifies all the FQDNs for all the ports on all the QuantaStor systems that make up the cluster and any floating cluster wide FQDNs that my be used to access the S3 gateways.
S3 Certificate CSR generation and signing using Windows AD/Certificate Authority
Prepare Certs Directory
Start by creating a empty directory to store the certificates to be generated.
mkdir s3_adtest_osnexus_net_crt cd s3_adtest_osnexus_net_crt
Create OpenSSL Configuration File
Next create a file named openssl.cnf that contains the proper values for your site, and the Subject Alt Names you wish to have match FQDN to IP mappings in your DNS. Here's an example openssl configuration file (save as openssl.cnf), you can start with this one and edit the values to match your organization. Be sure to change all the values under [ alt_names ] and under [ req_distinguished_name ] to match the settings for your organization :
[ req ] default_bits = 2048 prompt = no default_md = sha256 distinguished_name = req_distinguished_name req_extensions = req_ext x509_extensions = v3_req [ req_distinguished_name ] C = US ST = Washington L = Bellevue O = OSNEXUS Development OU = s3 services [ req_ext ] subjectAltName = @alt_names [ v3_req ] subjectAltName = @alt_names [ alt_names ] DNS.1 = s3.adtest.osnexus.net DNS.2 = cg-631f-201.adtest.osnexus.net DNS.3 = cg-631f-202.adtest.osnexus.net DNS.4 = cg-631f-203.adtest.osnexus.net DNS.5 = vif205.adtest.osnexus.net DNS.6 = vif206.adtest.osnexus.net DNS.7 = vif207.adtest.osnexus.net IP.1 = 10.0.12.201 IP.2 = 10.0.12.202 IP.3 = 10.0.12.203 IP.4 = 10.0.12.205 IP.5 = 10.0.12.206 IP.6 = 10.0.12.207
Generate Server Key
This will generate a new server key we'll use to make a CSR from in the next step.
openssl genrsa -out s3_adtest_osnexus_net.key 2048
Generate Certificate Signing Request (CSR)
Here we use the server key with the openssl.cnf configuration file to generate a CSR:
openssl req -new -out s3_adtest_osnexus_net.csr -key s3_adtest_osnexus_net.key -config openssl.cnf
Verify / Validate CSR
Next review the generated CSR to ensure it accurately contains the correct settings:
openssl req -in s3_adtest_osnexus_net.csr -noout -text
Submit CSR to Certificate Authority
Next take the CSR and submit it to your Certificate Authority. Refer to the Certificate Authorities documentation for signing the CSR and generating a server cert and CA chain. For Windows AD/Certificate Authority, install and deploy the Windows Certificate Authority role with the Certificate Authority web portal options. This should give you a new path to submit CSRs to under http://<AD Server IP>/certsrv
Follow the onscreen prompts on the Windows Active Directory (AD) Certificate Authority page to submit the CSR and request a signed certificate. When the certificate is available for download you can download it in DER format (X. 509 digital certificate encoded in binary) or in Base64 format. If you download it in DER format we can convert it after the fact.
If the .cer file is already in base64 encoded PEM format, you can simply rename it to .pem or proceed to the next step.
Converting DER certificates to Base64 pem Format
This shows how to take a DER formatted file (certnew.p7b) to produce a certificate chain (cert_chain.pem) PEM file and a PRM file from the produced certificate (certnew.cer):
openssl pkcs7 -print_certs -inform der -in certnew.p7b -out cert_chain.pem openssl x509 -inform der -in certnew.cer -out certnew.pem
Next we'll rename the certificate authority chain file to a clearer name:
cp cert_chain.pem adtest_osnexus_net.pem
Next ensure your private key is now in PEM format, it should look like this in a text editor with BEGIN and END blocks showing the key in Base64 format:
-----BEGIN PRIVATE KEY----- (Your private key here) -----END PRIVATE KEY-----
If your private key is in DER format, convert it to PEM using the following command:
openssl rsa -inform DER -outform PEM -in derformat.key -out s3_adtest_osnexus_net.key
Replace `derformat.key` with the path to your DER-formatted private key and `s3_adtest_osnexus_net.key` with the desired output filename for the PEM-formatted private key.
Concatenate the Private Key, Certificate, and Chain
You want to have the private key at the beginning of your PEM file followed by your certificate and then the certificate chain. Use the `cat` command to concatenate them in this order:
cat s3_adtest_osnexus_net.key certnew.pem cert_chain.pem > s3_adtest_osnexus_net.pem
Replace `myprivatekey.pem` with your private key file, `certnew.pem` with your certificate file, and `cert_chain.pem` with your certificate chain file. The combined file `combined_with_key.pem` will contain all three components.
Verify the Contents: You can check the contents of the final PEM file to ensure all parts are included correctly:
openssl x509 -in s3_adtest_osnexus_net.pem -text -noout
This command will display the certificate details. You won't be able to view the private key this way (and you shouldn't be able to), but you can open the PEM file in a text editor to ensure the private key and certificates are present.
either create your s3 gateways with the new s3_adtest_osnexus_net.pem pem file, or copy the files to replace the existing certificates under /etc/ceph/ceph_<HOSTNAME>_radosgw.pem and restart the radosgw services with systemctl restart ceph-radosgw@*.service
on the client insert the CA's cert chain file if not already present.
for an ubuntu 20.04 system you can do it using the below:
cp adtest_osnexus_net.pem /usr/local/share/ca-certificates/ update-ca-certificates
Note, you may need to break the cert file up into seperate files depending on the length of the cert chain.
test the certificate from a client and verify it via openssl to ensure no errors/issues
curl https://<FQDN of server>:<port> echo -n | openssl s_client -showcerts -connect <FQDN of server>:<port>