I had a question on an EX280 exam that requested to set a self-signed certificate for an app, specifying only the 'subj' field for the cert. No CA cert, no CA key was given. For this I presume it was asking to create a passthrough route.
How to resolve this? The only thing I can imagine is extracting some internal OpenShift CA and key to subsequently sign via the 'openssl x509' command, but I don't know how (if possible) to do this.
Any thoughts?
Hi
First, I am not related to that exam, so I might be wrong.
Second, you said you are asked to use a self-signed certificate for an app. By definition, self-signed certificates do not need any CA, but are signed by their own key.
If you are requested to create a passthrough route, you need to create the certificate on your own (using OpenSSL or any other means) and add it to your application. The application will be responsible for all TLS communications, and the route will do nothing but redirect traffic.
If possible, I would simply use an edge route. The communications outside the cluster will be TLS encrypted, but your application would not need to worry about security concerns. Anyway, it depends a lot on the question, so I am not sure it is the right approach.
Hope that helps.
Jordi Sola
Thank you Jordi for the reply.
I didn't realize I can actually sign my own certificate without a CA (obviously!!!). This is because all the exercises in the DO280 course use some sort of CA certs to sign it, so I didn't notice that it was not strictly necessary.
The aforementioned question on the exam didn't specify any method to create this encryption (edge or passthrough), but I am presuming it has to be passthrough because it is asking me to generate a cert for the application. When we create an 'edge' route, OpenShift will create it by itself (signing it using the CA certs in the 'router-ca' secret, present in the 'openshift-ingress-operator' namespace), so we don't actually have to do anything specific in relation to this cert.
Thanks for your help!
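As an added example (not from anyone in this thread), the steps Jordi and the original poster describe: generate a certificate with only a subject and no CA, confirm what makes it self-signed, and pair it with a passthrough route. The app name "todo", the ./certs directory and the host todo.apps.example.com are assumed placeholders; the oc commands are printed rather than executed.

```shell
#!/bin/sh
# Added example, not from the thread. The app name "todo", the ./certs
# directory and the host todo.apps.example.com are assumed placeholders.
set -eu

# make_self_signed DIR CN: write DIR/tls.key and DIR/tls.crt. With -x509,
# openssl req emits a certificate signed by its own key instead of a CSR, so
# no CA cert or CA key is involved; -nodes leaves the key unencrypted for the pod.
make_self_signed() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
    -keyout "$1/tls.key" -out "$1/tls.crt" 2>/dev/null
}

# cert_field FILE subject|issuer: print the DN without the "subject=" prefix
cert_field() {
  openssl x509 -in "$1" -noout -"$2" | sed "s/^$2= *//"
}

# is_self_signed FILE: true when the issuer DN equals the subject DN and the
# signature verifies against the certificate itself
is_self_signed() {
  [ "$(cert_field "$1" subject)" = "$(cert_field "$1" issuer)" ] &&
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# issued_by CERT CA: true only when CA actually signed CERT. An unrelated CA
# (like router-ca for a cert it never signed) fails both checks.
issued_by() {
  [ "$(cert_field "$1" issuer)" = "$(cert_field "$2" subject)" ] &&
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

make_self_signed ./certs todo.apps.example.com
is_self_signed ./certs/tls.crt && echo "tls.crt is self-signed (issuer == subject)"

# Constructed stand-in for the ingress-operator CA: a separate self-signed cert
# that never signed tls.crt, so the chain check fails just as in the thread.
make_self_signed ./certs/other-ca ingress-operator-example
issued_by ./certs/tls.crt ./certs/other-ca/tls.crt || echo "other CA did not sign tls.crt"

# Passthrough route: the pod terminates TLS with this key pair and the router
# only forwards bytes. The oc commands are printed, not run (no cluster here).
cat <<'EOF'
oc create secret tls todo-tls --cert=certs/tls.crt --key=certs/tls.key
oc set volume deployment/todo --add --type=secret --secret-name=todo-tls --mount-path=/etc/tls
oc create route passthrough todo-https --service todo --hostname todo.apps.example.com
EOF
```

The issued_by check is also why the later edge-route experiment in this thread shows no router-ca chain: that CA only appears for certificates it actually signed.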
Hello,
I'm afraid we should not discuss exam content on this list.
Not everyone here is an examiner.
Z.
JFYI self-signed certs are common among developers but not recommended for any production, nor even a shared prod/QA scenario, because they create a false sense of security.
Having an internal, corporate CA is common practice among medium and large corporations, but then there's an internal team managing the CA which is, from a developer's perspective, the same as an external vendor such as Verisign. Just that the corporate CA is not trusted by default by web browsers and apps, but the IT team can configure their servers and employees' workstations to trust that CA by default.
For some applications, using Let's Encrypt is a good alternative to buying a cert from a vendor such as Verisign or managing a corporate CA.
About EX280, you see in the official exam objectives that creating a self-signed cert is listed explicitly:
A course and its related exam do not need to match exactly. The exam is not just a repetition of course content, there's also an expectation of on-the-job experience or practice in a lab environment and that candidates would be able to adapt to different scenarios, using their skills and product documentation like in the real world.
All candidates are advised to review the exam objectives and not assume that "just" taking the recommended training is sufficient.
As an exercise I would like to create an edge route with a self-signed cert and a CA cert that I extracted from secrets/router-ca in the openshift-ingress-operator namespace as tls.crt:
oc create route edge todo-https --service todo-http --ca-cert=tls.crt
but when I do
oc describe route/todo-https
then I don't see the CA cert, and when I open the route in Firefox and look at the certificate the CA cert does not show.
If I do
curl -I -v --cacert tls.crt <route>
I get
...
* SSL certificate verify ok.
...
so the CA cert is fine.
What am I doing wrong? Is this even possible?
It is probably not possible. If I run
openssl x509 -in tls.crt -noout -subject
then I get
subject=CN = ingress-operator@162148...
Note: this is the CA cert of the Ingress Operator
A general question.
Regarding if we should choose edge or passthrough, I guess it also depends on the application.
For edge termination, the application only has to serve plain HTTP (port 80 or 8080), while for passthrough you have to configure the application to serve TLS on port 443 or 8443. Is the above provided by the application? You also have to mount the secret to a specific location/path for the application, right?
I guess the question is whether mutual authentication between app and client is required, or end-to-end encryption is needed. Do I get it right?
Thanks
Hi, just passed the EX280 exam. Are you sure that it is requested to create a self-signed certificate?
For the EX280 exam, do we need to know openssl commands to generate certificates, or is a set of commands available like in the DO280 course? I am asking because I am not sure if how to use the openssl command is part of the exam objectives, or only the files that are created using it.
Could someone clarify about it?