forked from cloudfoundry/docs-bosh
-
Notifications
You must be signed in to change notification settings - Fork 0
/
director-certs.html.md.erb
104 lines (76 loc) · 3.14 KB
/
director-certs.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
---
title: Director SSL Certificate Configuration
---
## <a id="generate"></a> Generate SSL certificates
Depending on you configuration, there are up to three endpoints to be secured using SSL certificates: The Director, the UAA, and the SAML Service Provider on the UAA.
<p class="note">Note: If you are using the UAA for user management, an SSL certificate is mandatory for the Director and the UAA.</p>
You can use the following script to generate a root CA certificate and use it to sign three generated SSL certificates:
<pre class="bash">
#!/bin/bash
set -e
certs=`dirname $0`/certs
rm -rf $certs && mkdir -p $certs
cd $certs
echo "Generating CA..."
openssl genrsa -out rootCA.key 2048
yes "" | openssl req -x509 -new -nodes -key rootCA.key \
-out rootCA.pem -days 99999
function generateCert {
name=$1
ip=$2
cat >openssl-exts.conf <<-EOL
extensions = san
[san]
subjectAltName = IP:${ip}
EOL
echo "Generating private key..."
openssl genrsa -out ${name}.key 2048
echo "Generating certificate signing request for ${ip}..."
# golang requires to have SAN for the IP
openssl req -new -nodes -key ${name}.key \
-out ${name}.csr \
-subj "/C=US/O=BOSH/CN=${ip}"
echo "Generating certificate ${ip}..."
openssl x509 -req -in ${name}.csr \
-CA rootCA.pem -CAkey rootCA.key -CAcreateserial \
-out ${name}.crt -days 99999 \
-extfile ./openssl-exts.conf
echo "Deleting certificate signing request and config..."
rm ${name}.csr
rm ./openssl-exts.conf
}
generateCert director 10.244.4.2 # <--- Replace with public Director IP
generateCert uaa-web 10.244.4.2 # <--- Replace with public Director IP
generateCert uaa-sp 10.244.4.2 # <--- Replace with public Director IP
echo "Finished..."
ls -la .
</pre>
---
## <a id="configure"></a> Configure the Director to use certificates
Update the Director deployment manifest:
- `director.ssl.key`
- Private key for the Director (e.g. `certs/director.key`)
- `director.ssl.cert`
- Associated certificate for the Director (e.g. `certs/director.crt`)
- Include all intermediate certificates if necessary
- `hm.director_account.ca_cert`
- CA certificate used by the HM to verify the Director's certificate (e.g. `certs/rootCA.pem`)
If you are using the UAA for user management, additionally put certificates in these properties:
- `uaa.sslPrivateKey`
- Private key for the UAA (e.g. `certs/uaa-web.key`)
- `uaa.sslCertificate`
- Associated certificate for the UAA (e.g. `certs/uaa-web.crt`)
- Include all intermediate certificates if necessary
- `login.saml.serviceProviderKey`
- Private key for the UAA (e.g. `certs/uaa-sp.key`)
- `login.saml.serviceProviderCertificate`
- Associated certificate for the UAA (e.g. `certs/uaa-sp.crt`)
---
## <a id="target"></a> Target the Director
After you deployed your Director with the above changes, you need to specify `--ca-cert` when targeting the Director:
<pre class="terminal">
$ bosh --ca-cert certs/rootCA.pem target 10.244.4.2
</pre>
<p class="note">Note: If your certificates are trusted via system installed CA certificates, there is no need to provide `--ca-cert` option.</p>
---
[Back to Table of Contents](index.html#install)