root_user
Cadet

Create Self-Signed cert for an App - EX280 question


I had a question on an EX280 exam that requested to set a self-signed certificate for an app, specifying only the 'subj' field for the cert. No CA cert, no CA key was given. For this I presume it was asking to create a passthrough route. 

How to resolve this? Only thing I can imagine is extracting some internal OpenShift CA and Key to subsequently sign via 'openssl x509' command but don't know how (if possible) to do this. 

 

Any thoughts? 


Accepted Solutions
jordisola
Flight Engineer

Hi

First, I am not related to that exam, so I might be wrong.

Second, you said you are asked to use a self-signed certificate for an app. By definition, self-signed certificates do not need any CA, but are signed by their own key. 

If you are requested to create a passthrough route, you need to create the certificate on your own (using OpenSSL or any other means) and add it to your application. The application will be responsible for all TLS communications, and the route will do nothing but redirect traffic.

If possible, I would simply use an edge route. The communications outside the cluster will be TLS encrypted, but your application would not need to worry about security concerns. Anyway, it depends a lot on the question, so I'm not sure it is the right approach.

Hope that helps.

Jordi Sola
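As an added example, not code from any post in this thread: generating the self-signed certificate the question describes from nothing but a -subj value, checking that it really is self-signed (issuer equals subject), and reading a certificate's CN the way the later posts do with the tls.crt extracted from router-ca. The hostname, secret name, deployment and service names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Hostname/secret/service names are assumed.
set -eu

# Self-signed cert + key in one step: -x509 makes `openssl req` sign the
# certificate with the key it just generated, so no CA cert or CA key is needed.
# $1 = subject string (e.g. "/CN=todo.apps.example.com"), $2 = output directory
make_selfsigned_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "$1" \
        -keyout "$2/tls.key" -out "$2/tls.crt" >/dev/null 2>&1
}

# A certificate is self-signed when its issuer is identical to its subject.
# Prints "self-signed" or "ca-signed".
cert_signing_kind() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    if [ "$subj" = "$issuer" ]; then echo self-signed; else echo ca-signed; fi
}

# Print only the subject CN, e.g. to see what a tls.crt pulled out of a
# secret really is (the thread's router-ca cert turns out to be the
# ingress-operator CA, not something an app can present as its own cert).
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Run with "demo" to build a cert and print the oc steps for a passthrough
# route. With passthrough the pod terminates TLS itself, so the secret is
# mounted into the pod; the route only forwards the TCP stream by SNI.
# The oc commands are echoed, not executed, so this runs without a cluster.
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    make_selfsigned_cert "/CN=todo.apps.example.com" "$dir"
    echo "kind: $(cert_signing_kind "$dir/tls.crt")  CN: $(cert_cn "$dir/tls.crt")"
    echo "oc create secret tls todo-tls --cert=$dir/tls.crt --key=$dir/tls.key"
    echo "oc set volume deployment/todo-http --add -t secret --secret-name=todo-tls --mount-path=/etc/tls"
    echo "oc create route passthrough todo-https --service=todo-http --hostname=todo.apps.example.com"
fi
```

Run it as `sh selfsigned.sh demo`; for an edge route you would instead hand the same tls.crt/tls.key to `oc create route edge --cert/--key` and leave the pod serving plain HTTP.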

 



root_user
Cadet

Thank you Jordi for the reply. 

I didn't realize I can actually sign my own certificate without a CA (obviously!!!). This is because all the exercises in the DO280 course use some sort of CA cert to sign it, so I didn't notice that this was not strictly necessary. 

The aforementioned question on the exam didn't specify any method to create this encryption (edge or passthrough) but I am presuming it has to be passthrough because it is asking me to generate a cert for the application. When we create an 'edge' route, OpenShift will create it by itself (signing it using the CA certs in the 'router-ca' secret, present in the 'openshift-ingress-operator' namespace) so we don't actually have to do anything specific in relation to this cert. 

Thanks for your help!

Zee
Flight Engineer

Hello,

I'm afraid we should not discuss exam content in this list.

Not everyone here is an examiner.

Z.

flozano
Moderator

JFYI self-signed certs are common among developers but not recommended for any production, nor even in a shared prod/QA scenario, because they create a false sense of security.

Having an internal, corporate CA is common practice among medium and large corporations, but then there's an internal team managing the CA which is, from a developer's perspective, the same as an external vendor such as Verisign. The difference is that the corporate CA is not trusted by default by web browsers and apps, but the IT team can configure their servers and employees' workstations to trust that CA by default.

For some applications, using Let's Encrypt is a good alternative to buying a cert from a vendor such as Verisign or managing a corporate CA.

About EX280, you see in the official exam objectives that creating a self-signed cert is listed explicitly:

https://www.redhat.com/en/services/training/ex280-red-hat-certified-specialist-in-openshift-administ...

A course and its related exam do not need to match exactly. The exam is not just a repetition of course content, there's also an expectation of on-the-job experience or practice in a lab environment and that candidates would be able to adapt to different scenarios, using their skills and product documentation like in the real world.

All candidates are advised to review the exam objectives and not assume that "just" taking the recommended training is sufficient.

ericbos
Flight Engineer

As an exercise I would like to create an edge route with a self-signed cert and a CA cert that I extracted from secrets/router-ca in the openshift-ingress-operator namespace as tls.crt

oc create route edge todo-https --service todo-http --ca-cert=tls.crt

but when I do

oc describe route/todo-https

then I don't see the CA cert, and when I open the route in Firefox and look at the certificate the CA cert does not show.

If I do

curl -I -v --cacert tls.crt <route>

I get

...

*  SSL certificate verify ok.

...

so the CA cert is fine.

What am I doing wrong? Is this even possible?

ericbos
Flight Engineer

It is probably not possible. If I run

openssl x509 -in tls.crt -noout -subject

then I get

subject=CN = ingress-operator@162148...

Note: this is the CA cert of the Ingress Operator

EricJi
Mission Specialist

A general question. 

Regarding if we should choose edge or passthrough, I guess it also depends on the application.

For edge termination, the application only has to serve an HTTP service (port 80 or 8080), while for passthrough you have to configure the application to serve TLS on port 443 or 8443. Is the above provided by the application? You also have to mount the secret to a specific location/path for the application, right?

I guess the question is whether mutual authentication b/w app and client is required, or end-to-end encryption is needed. Do I get it right?

thanks

 

Andrey-Asoskov
Flight Engineer

Hi, just passed the EX-280 exam. Are you sure that it is requested to create a self-signed certificate?


For the EX280 exam, do we need to know openssl commands to generate certificates, or is a set of commands available like in the DO280 course? I am asking because I am not sure if knowing how to use the openssl command is part of the exam objectives, or only the files that are created using it.

Could someone clarify this?
