Creating and Validating the Route 53 Certificate

The Application Load Balancer (ALB) listener needs a certificate that you supply yourself: either self-signed or signed by a CA. This procedure signs it with the cluster's RE CA and imports it into ACM. In this section, you will:

  1. Create or update the Route 53 certificate:

    1. Run the applicable command on a secure machine to generate the private key and the certificate signing request (CSR) for the Route 53 certificate. The private key stays on this machine; only the CSR is copied elsewhere:

      • With OpenSSL 1.1.1 or later (the first release that supports -addext), run this command:

        openssl req -nodes -newkey rsa:2048 -sha256 -keyout <your.route53dnsRecordsetName>.key.pem -out <your.route53dnsRecordsetName>.csr.pem -subj "/C=US/ST=State/L=City/O=Company Inc./OU=IT/CN=<your.route53dnsRecordsetName>" -addext "subjectAltName = DNS:<your.route53dnsRecordsetName>"
      • If your OpenSSL version does not support -addext, run this command instead (it uses bash process substitution, <(...), so run it from bash):

        openssl req -nodes -newkey rsa:2048 -sha256 -keyout <your.route53dnsRecordsetName>.key.pem -out <your.route53dnsRecordsetName>.csr.pem -subj "/C=US/ST=State/L=City/O=Company Inc./OU=IT/CN=<your.route53dnsRecordsetName>" -reqexts san -config <(echo '[req]'; echo 'distinguished_name=req'; echo 'req_extensions=san'; echo '[san]'; echo 'subjectAltName=DNS:<your.route53dnsRecordsetName>')
      <your.route53dnsRecordsetName> is the Route 53 record set name recorded in your AWS configuration worksheet. Replace it everywhere it appears, including in the subjectAltName: TLS clients match the host name against the SAN, not the CN, so a certificate without the SAN is rejected by browsers even if the CN is right. Either command creates the private key file <your.route53dnsRecordsetName>.key.pem (unencrypted because of -nodes, which is the form ACM accepts) and the certificate signing request file <your.route53dnsRecordsetName>.csr.pem. Restrict the key file to your own user (chmod 600) and keep it on this machine.
    2. Copy the certificate signing request <your.route53dnsRecordsetName>.csr.pem to your bastion or jump host machine. The CSR contains only the public key and the requested names, so it is safe to transfer; do not copy the .key.pem file.

    3. Run the following commands on the bastion to have the cluster RE CA (the Vault PKI role RE/sign/coretech) sign the certificate signing request:

      # Common name of the certificate: the Route 53 record set name used in the CSR
      export COMMON_NAME=<your.route53dnsRecordsetName>
      # Locate the Vault pod and recover the Vault root token from the core namespace
      export VAULT_POD=$(kubectl get pods -n core -o custom-columns=":metadata.name" | grep itom-vault)
      export PASSPHRASE=$(kubectl get secret vault-passphrase -n core -o json 2>/dev/null | jq -r '.data.passphrase')
      export ENCRYPTED_ROOT_TOKEN=$(kubectl get secret vault-credential -n core -o json 2>/dev/null | jq -r '.data."root.token"')
      export VAULT_TOKEN=$(echo "${ENCRYPTED_ROOT_TOKEN}" | openssl aes-256-cbc -md sha256 -a -d -pass pass:"${PASSPHRASE}")
      # Stop here if the token could not be recovered (wrong kubeconfig, namespace, or missing secret)
      : "${VAULT_TOKEN:?could not recover the Vault root token; check kubectl access to the core namespace}"
      export CSR=$(cat "${COMMON_NAME}.csr.pem")

      # Ask the RE CA (Vault PKI role RE/sign/coretech) to sign the CSR, then split the JSON response
      export WRITE_RESPONSE=$(kubectl exec -it -n core "${VAULT_POD}" -c vault -- bash -c "VAULT_TOKEN=$VAULT_TOKEN vault write -tls-skip-verify -format=json RE/sign/coretech csr=\"${CSR}\"") && \
      echo "${WRITE_RESPONSE}" | jq -r ".data | .certificate" > "${COMMON_NAME}.signed.crt.pem" && \
      echo "${WRITE_RESPONSE}" | jq -r ".data | if .ca_chain then .ca_chain[] else .issuing_ca end" > "${COMMON_NAME}.ca_chain.pem"
      # The root token is the most privileged credential in the cluster: drop it from the environment once you have the files
      unset VAULT_TOKEN ENCRYPTED_ROOT_TOKEN PASSPHRASE WRITE_RESPONSE
      The RE-signed certificate is in ${COMMON_NAME}.signed.crt.pem and the certificate chain (the issuing CA plus any intermediates Vault returns) is in ${COMMON_NAME}.ca_chain.pem. Before continuing, confirm the subject and the DNS subjectAltName with openssl x509 -in ${COMMON_NAME}.signed.crt.pem -noout -text. Copy both files back to the machine that holds the private key; they are the files you paste into ACM in the next step.
  2. Import or update the certificate in AWS Certificate Manager (ACM).

    1. Import the RE-signed certificate into ACM (for a fresh installation):

      1. Log in to the AWS Console.

      2. Browse to AWS Certificate Manager (ACM) in the region where the ALB will be created. ACM certificates are regional, and a load balancer can only use a certificate that exists in its own region.

      3. Click Import a certificate, and then complete the fields as follows:

        • Certificate body: Paste the contents of the RE-signed certificate, <your.route53dnsRecordsetName>.signed.crt.pem (a single PEM block starting with -----BEGIN CERTIFICATE-----).

        • Certificate private key: Paste the contents of the private key generated together with the CSR, <your.route53dnsRecordsetName>.key.pem. It must be the unencrypted PEM key that -nodes produced, and it must match the certificate; ACM rejects the import otherwise.

        • Certificate chain: Paste the contents of the chain file, <your.route53dnsRecordsetName>.ca_chain.pem (the issuing CA and any intermediates, exactly as written by the signing step).

    2. To update the certificate in ACM (for an existing, running installation):

      1. Log in to the AWS Console.

      2. Browse to AWS Certificate Manager (ACM) in the region of the existing certificate.

      3. Search for your certificate by domain name or certificate ID.

      4. Select your Certificate ID, and click Reimport.

      5. Complete the fields as follows:

        • Certificate body: Paste the contents of the new RE-signed certificate, <your.route53dnsRecordsetName>.signed.crt.pem.

        • Certificate private key: Paste the contents of the private key that matches the new certificate, <your.route53dnsRecordsetName>.key.pem. If you re-signed the existing CSR, this is the same key as before; if you generated a new key and CSR, it is the new key.

        • Certificate chain: Paste the contents of the new chain file, <your.route53dnsRecordsetName>.ca_chain.pem.

        Reimporting keeps the certificate ARN, so the ALB listener that references it continues to work without changes.

    For more details, see https://docs.aws.amazon.com/acm/latest/userguide/import-reimport.html

  3. Click Next. Optionally, add any tags you wish to the import.

  4. Click Next, and then click Import.

    After the import, click the arrow next to the certificate to expand it and copy the certificate ARN, which has the form arn:aws:acm:<region>:<account-id>:certificate/<certificate-id>. Record it in your AWS worksheet; you need it when you attach the certificate to the ALB listener in the next step.
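
The following script is an added, self-contained example; it is not part of this page or of the product. It reproduces steps 1.1 and 1.3 offline so that you can see the three checks worth running before pasting anything into ACM: the private key matches the certificate, the record set name is present as a DNS subjectAltName, and the certificate validates against the chain file. It generates the key and CSR through a config file (so it runs on OpenSSL builds without -addext) and signs the CSR with a throwaway self-signed CA that stands in for the cluster RE CA. That stand-in CA, the file names it writes, and the host name app.example.com are assumptions; in the real procedure the certificate and chain come from Vault's RE/sign/coretech role. It requires bash and the openssl command-line tool.

```shell
#!/usr/bin/env bash
# Added example (not from the original page or product). Stand-in CA, file
# names and the host name app.example.com are assumptions; in the real
# procedure the certificate and chain come from Vault's RE/sign/coretech.
# Requires bash and the openssl CLI.
set -euo pipefail

WORK="$(mktemp -d)"   # every file is written here; inspect or delete afterwards

# req config that adds subjectAltName=DNS:<name> to the CSR (no -addext needed)
write_req_config() {
  local name="$1"
  cat > "${WORK}/${name}.req.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = san
prompt = no
[dn]
CN = ${name}
[san]
subjectAltName = DNS:${name}
EOF
}

# Step 1.1 equivalent: private key + CSR for the Route 53 record set name
make_key_and_csr() {
  local name="$1"
  write_req_config "${name}"
  openssl req -nodes -newkey rsa:2048 -sha256 \
    -config "${WORK}/${name}.req.cnf" -reqexts san \
    -keyout "${WORK}/${name}.key.pem" -out "${WORK}/${name}.csr.pem" >/dev/null 2>&1
  chmod 600 "${WORK}/${name}.key.pem"   # the key never leaves this machine
}

# Throwaway self-signed CA: a constructed stand-in for the cluster RE CA so the
# example runs offline. It is NOT the Vault PKI backend.
make_stub_ca() {
  cat > "${WORK}/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = stub-re-ca
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 1 -config "${WORK}/ca.cnf" \
    -keyout "${WORK}/ca.key.pem" -out "${WORK}/ca_chain.pem" >/dev/null 2>&1
}

# Step 1.3 equivalent: issue a server certificate. The SAN is re-stated here
# because a CA does not copy CSR extensions unless told to (Vault's role does).
sign_csr() {
  local name="$1"
  printf 'subjectAltName = DNS:%s\nbasicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\n' \
    "${name}" > "${WORK}/${name}.ext.cnf"
  openssl x509 -req -sha256 -days 1 -in "${WORK}/${name}.csr.pem" \
    -CA "${WORK}/ca_chain.pem" -CAkey "${WORK}/ca.key.pem" -CAcreateserial \
    -extfile "${WORK}/${name}.ext.cnf" -out "${WORK}/${name}.signed.crt.pem" >/dev/null 2>&1
}

# Check 1: the key you will paste into ACM belongs to this certificate
key_matches_cert() {
  local cert="$1" key="$2" a b
  a="$(openssl x509 -in "${cert}" -noout -pubkey | openssl dgst -sha256)"
  b="$(openssl pkey -in "${key}" -pubout 2>/dev/null | openssl dgst -sha256)"
  [ "${a}" = "${b}" ]
}

# Check 2: the record set name is a DNS SAN (clients match on SAN, not CN)
san_present() {
  local cert="$1" name="$2"
  openssl x509 -in "${cert}" -noout -text | grep -Fw "DNS:${name}" >/dev/null
}

# Check 3: the certificate validates against the chain file for ACM's chain field
chains_to() {
  local cert="$1" chain="$2"
  openssl verify -CAfile "${chain}" "${cert}" >/dev/null 2>&1
}

# All three checks for one record set name; a non-zero return means do not import
verify_bundle() {
  local name="$1" cert="${WORK}/${1}.signed.crt.pem"
  key_matches_cert "${cert}" "${WORK}/${name}.key.pem" || { echo "FAIL: key does not match certificate" >&2; return 1; }
  san_present "${cert}" "${name}"            || { echo "FAIL: DNS:${name} missing from SAN" >&2; return 1; }
  chains_to "${cert}" "${WORK}/ca_chain.pem" || { echo "FAIL: certificate does not chain to CA" >&2; return 1; }
}

# Demo run; app.example.com is a placeholder for <your.route53dnsRecordsetName>
NAME="${1:-app.example.com}"
make_stub_ca
make_key_and_csr "${NAME}"
sign_csr "${NAME}"
verify_bundle "${NAME}" && echo "OK: ${NAME} bundle in ${WORK} is ready to import into ACM"
```

Run it as bash check_cert.sh <your.route53dnsRecordsetName>. To check the real files from the signing step instead of the stand-in ones, call key_matches_cert, san_present and chains_to with <name>.key.pem, <name>.signed.crt.pem and <name>.ca_chain.pem. A failing chain check usually means ca_chain.pem lacks an intermediate; a key mismatch means the CSR was generated with a different key than the one you are about to paste, which is the error ACM would otherwise report at import time.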

Next Step: Configuring the Application Load Balancer (ALB)