root_user
Cadet

Create Self-Signed cert for an App - EX280 question


I had a question on an EX280 exam that requested to set a self-signed certificate for an app, specifying only the 'subj' field for the cert. No CA cert, no CA key was given. For this I presume it was asking to create a passthrough route. 

How do I resolve this? The only thing I can imagine is extracting some internal OpenShift CA and key to subsequently sign via the 'openssl x509' command, but I don't know how (if possible) to do this. 


Any thoughts? 


Accepted Solutions
jordisola
Flight Engineer

Re: Create Self-Signed cert for an App - EX280 question


Hi

First, I am not related to that exam, so I might be wrong.

Second, you said you are asked to use a self-signed certificate for an app. By definition, self-signed certificates do not need any CA, but are signed by their own key. 

If you are requested to create a passthrough route, you need to create the certificate on your own (using OpenSSL or any other means) and add it to your application. The application will be responsible for all TLS communications, and the route will do nothing but redirect traffic.

If possible, I would simply use an edge route. The communications outside the cluster will be TLS encrypted, but your application would not need to worry about security concerns. Anyway, it depends a lot on the question, so I am not sure it is the right approach.

Hope that helps.

Jordi Sola

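An added example, not code from Jordi's reply or from the exam material: the shell below builds a self-signed certificate from nothing but a -subj (no CA involved), checks that subject and issuer are identical, and prints the oc commands for the two route types discussed above. It assumes openssl is on PATH; the service names todo-http/todo-https, the deployment name todo and the hostname todo-https.apps.example.com are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: build a self-signed cert from a
# bare -subj (no CA involved) and print the oc commands for the two route
# types. Assumes openssl on PATH; "todo-http", "todo-https", the deployment
# "todo" and the hostname are constructed placeholders.

# make_self_signed_cert DIR HOSTNAME -> writes DIR/tls.key and DIR/tls.crt.
# The key signs its own certificate, so subject and issuer come out the same.
make_self_signed_cert() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$1/tls.key" -out "$1/tls.crt" -subj "/CN=$2" >/dev/null 2>&1
}

# is_self_signed CERT -> exit 0 when the subject DN equals the issuer DN
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  [ -n "$subj" ] && [ "$subj" = "$iss" ]
}

# cert_cn CERT -> prints the CN from the subject (OpenSSL 1.1 and 3.x output)
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *//p'
}

# route_commands KIND DIR HOSTNAME -> prints (does not run) the oc commands
route_commands() {
  case "$1" in
    passthrough)
      # the router only forwards TCP; the pod holds the key and terminates TLS
      echo "oc create secret tls todo-tls --cert=$2/tls.crt --key=$2/tls.key"
      echo "oc set volume deployment/todo --add --type=secret --secret-name=todo-tls --mount-path=/etc/tls"
      echo "oc create route passthrough todo-https --service=todo-https --hostname=$3"
      ;;
    edge)
      # the router terminates TLS with this cert; traffic to the pod is plain HTTP
      echo "oc create route edge todo-https --service=todo-http --cert=$2/tls.crt --key=$2/tls.key --hostname=$3"
      ;;
    *) echo "usage: route_commands passthrough|edge DIR HOSTNAME" >&2; return 1 ;;
  esac
}

# Run with: sh cert.sh demo
if [ "${1:-}" = "demo" ]; then
  dir=$(mktemp -d)
  host=todo-https.apps.example.com
  make_self_signed_cert "$dir" "$host"
  is_self_signed "$dir/tls.crt" && echo "self-signed cert for CN=$(cert_cn "$dir/tls.crt")"
  route_commands passthrough "$dir" "$host"
  route_commands edge "$dir" "$host"
fi
```

With passthrough the private key ends up inside the pod, so the application owns the TLS configuration; with edge only the router ever sees the key, which is why the edge variant needs nothing more than --cert and --key on the route.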
6 Replies
root_user
Cadet

Re: Create Self-Signed cert for an App - EX280 question


Thank you Jordi for the reply. 

I didn't realize I can actually sign my own certificate without a CA (obviously!!!). This is because all the exercises in the DO280 course use some sort of CA certs to sign it, so I didn't pay attention that it was not strictly necessary. 

The aforementioned question on the exam didn't specify any method to create this encryption (edge or passthrough), but I am presuming it has to be passthrough because it is asking me to generate a cert for the application. When we create an 'edge' route, OpenShift will create it by itself (signing it using the CA certs in the 'router-ca' secret, present in the 'openshift-ingress-operator' namespace), so we don't actually have to do anything specific in relation to this cert. 

Thanks for your help!

Zee
Flight Engineer

Re: Create Self-Signed cert for an App - EX280 question


Hello,

I am afraid we should not discuss exam content in this list.

Not everyone here is an examiner.

Z.

flozano
Moderator

Re: Create Self-Signed cert for an App - EX280 question


JFYI self-signed certs are common among developers but not recommended for any production, nor even shared prod/QA scenario, because they create a false sense of security.

Having an internal, corporate CA is common practice among medium and large corporations, but then there's an internal team managing the CA which is, from a developer's perspective, the same as an external vendor such as Verisign. It's just that the corporate CA is not trusted by default by web browsers and apps, but the IT team can configure their servers and employees' workstations to trust that CA by default.

For some applications, using Let's Encrypt is a good alternative to buying a cert from a vendor such as Verisign or managing a corporate CA.

About EX280, you see in the official exam objectives that creating a self-signed cert is listed explicitly:

https://www.redhat.com/en/services/training/ex280-red-hat-certified-specialist-in-openshift-administ...

A course and its related exam do not need to match exactly. The exam is not just a repetition of course content, there's also an expectation of on-the-job experience or practice in a lab environment and that candidates would be able to adapt to different scenarios, using their skills and product documentation like in the real world.

All candidates are advised to review the exam objectives and not assume that "just" taking the recommended training is sufficient.

ericbos
Flight Engineer

Re: Create Self-Signed cert for an App - EX280 question


As an exercise I would like to create an edge route with a self-signed cert and a CA cert that I extracted from secrets/router-ca in the openshift-ingress-operator namespace as tls.crt

oc create route edge todo-https --service todo-http --ca-cert=tls.crt

but when I do

oc describe route/todo-https

then I don't see the CA cert, and when I open the route in Firefox and look at the certificate the CA cert does not show.

If I do

curl -I -v --cacert tls.crt <route>

I get

...

*  SSL certificate verify ok.

...

so the CA cert is fine.

What am I doing wrong? Is this even possible?

ericbos
Flight Engineer

Re: Create Self-Signed cert for an App - EX280 question


It is probably not possible. If I run

openssl x509 -in tls.crt -noout -subject

then I get

subject=CN = ingress-operator@162148...

Note: this is the CA cert of the Ingress Operator

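An added example, not code from ericbos's posts: before handing a file to a route as --ca-cert it is worth checking that the CA in that file actually issued the leaf certificate you are serving, because a self-signed leaf has no issuer other than itself. The shell below builds a constructed throwaway CA (standing in for the tls.crt from router-ca), one leaf signed by it and one self-signed leaf, and uses openssl verify to tell the two apart. It assumes openssl is on PATH; all names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: does this CA cert belong in the
# chain of that leaf cert? Builds a constructed throwaway CA plus a CA-signed
# leaf and a self-signed leaf. Assumes openssl on PATH; names are placeholders.

# make_ca DIR -> DIR/ca.key and DIR/ca.crt (a self-signed CA certificate)
make_ca() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$1/ca.key" -out "$1/ca.crt" -subj "/CN=demo-ca" >/dev/null 2>&1
}

# make_ca_signed_leaf DIR CADIR HOSTNAME -> DIR/tls.crt signed by CADIR/ca.crt
make_ca_signed_leaf() {
  mkdir -p "$1"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$1/tls.key" -out "$1/tls.csr" -subj "/CN=$3" >/dev/null 2>&1
  openssl x509 -req -in "$1/tls.csr" -CA "$2/ca.crt" -CAkey "$2/ca.key" \
    -CAcreateserial -days 30 -sha256 -out "$1/tls.crt" >/dev/null 2>&1
}

# make_self_signed_leaf DIR HOSTNAME -> DIR/tls.crt signed by its own key
make_self_signed_leaf() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$1/tls.key" -out "$1/tls.crt" -subj "/CN=$2" >/dev/null 2>&1
}

# issued_by CA LEAF -> exit 0 only if LEAF chains to CA ("LEAF: OK" from verify)
issued_by() {
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# cert_issuer CERT -> prints the issuer DN, the same field ericbos inspected
# with -subject on the CA file
cert_issuer() {
  openssl x509 -in "$1" -noout -issuer
}

# chain_report CA LEAF -> one line saying whether CA is the right file for LEAF
chain_report() {
  if issued_by "$1" "$2"; then
    echo "$2 is issued by $(cert_issuer "$2" | sed 's/^issuer= *//'): --ca-cert=$1 belongs in its chain"
  else
    echo "$2 is NOT issued by the CA in $1: adding it as --ca-cert adds nothing to the chain"
  fi
}

# Run with: sh chain.sh demo
if [ "${1:-}" = "demo" ]; then
  t=$(mktemp -d)
  host=todo-https.apps.example.com
  make_ca "$t/ca"
  make_ca_signed_leaf "$t/good" "$t/ca" "$host"
  make_self_signed_leaf "$t/self" "$host"
  chain_report "$t/ca/ca.crt" "$t/good/tls.crt"
  chain_report "$t/ca/ca.crt" "$t/self/tls.crt"
fi
```

The same issued_by check run against the router's default certificate and the router-ca tls.crt is what the curl --cacert success in the post above corresponds to; running it against your own self-signed leaf shows why that CA file cannot appear in that leaf's chain.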