When generating your own certificates for use with API connect you need to ensure the x509 extension options are correctly set. Adrian Osadcenco, Chris Twomey and Michael O’Sullivan put together this script which i have been using. The script generates all the required certificates that can then be used during the configuration.

This script below was used for appliances (OVAs) and so all of the management endpoints are set to to the same address

#!/bin/bash
#Global variables
MGMT=management-appliance.ibm.com
ANALYTISCLIENT=analytics-client-appliance.ibm.com
ANALYTICSINGESTION=analytics-ingestion-appliance.ibm.com
PORTAL_ADMIN=portal-admin-appliance.ibm.com
PORTALURL=portal-appliance.ibm.com
# Root Key
openssl genrsa -out rootCA.key 4096
# Root CA
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt -subj "/C=IE/ST=Cork/O=cloud, Inc./CN=gdsgdfgdf"
#variables
VAR_SUBJ[1]="/C=IE/ST=Cork/O=cloud, Inc./CN=$"
VAR_KEY[1]=platform-api
VAR_EXT[1]="\n[SAN]\nsubjectAltName=DNS:$,DNS:$\nextendedKeyUsage=serverAuth"
VAR_SUBJ[2]="/C=IE/ST=Cork/O=cloud, Inc./CN=$"
VAR_KEY[2]=consumer-api
VAR_EXT[2]="\n[SAN]\nsubjectAltName=DNS:$,DNS:$\nextendedKeyUsage=serverAuth"
VAR_SUBJ[3]="/C=IE/ST=Cork/O=cloud, Inc./CN=$"
VAR_KEY[3]=api-manager-ui
VAR_EXT[3]="\n[SAN]\nsubjectAltName=DNS:$,DNS:$\nextendedKeyUsage=serverAuth"
VAR_SUBJ[4]="/C=IE/ST=Cork/O=cloud, Inc./CN=$"
VAR_KEY[4]=cloud-admin-ui
VAR_EXT[4]="\n[SAN]\nsubjectAltName=DNS:$,DNS:$\nextendedKeyUsage=serverAuth"
VAR_SUBJ[5]="/C=IE/ST=Cork/O=cloud, Inc./CN=$"
VAR_KEY[5]=portal-admin-ingress
VAR_EXT[5]="\n[SAN]\nsubjectAltName=DNS:$,DNS:$\nextendedKeyUsage=serverAuth"
VAR_SUBJ[6]="/C=IE/ST=Cork/O=cloud, Inc./CN=$"
VAR_KEY[6]=portal-www-ingress
VAR_EXT[6]="\n[SAN]\nsubjectAltName=DNS:$,DNS:$\nextendedKeyUsage=serverAuth"
VAR_SUBJ[7]="/C=IE/ST=Cork/O=cloud, Inc./CN=$"
VAR_KEY[7]=analytics-client-ingress
VAR_EXT[7]="\n[SAN]\nsubjectAltName=DNS:$,DNS:$\nextendedKeyUsage=serverAuth"
VAR_SUBJ[8]="/C=IE/ST=Cork/O=cloud, Inc./CN=$"
VAR_KEY[8]=analytics-ingestion-ingress
VAR_EXT[8]="\n[SAN]\nsubjectAltName=DNS:$,DNS:$\nextendedKeyUsage=serverAuth"
VAR_SUBJ[9]="/C=IE/ST=Cork/O=cloud, Inc./CN=portal-client"
VAR_KEY[9]=portal-client
VAR_EXT[9]="\n[SAN]\nkeyUsage=critical, digitalSignature, keyEncipherment\nextendedKeyUsage = clientAuth\nbasicConstraints=critical, CA:FALSE\nsubjectKeyIdentifier=hash\n"
VAR_SUBJ[10]="/C=IE/ST=Cork/O=cloud, Inc./CN=analytics-ingestion-client"
VAR_KEY[10]=analytics-ingestion-client
VAR_EXT[10]="\n[SAN]\nkeyUsage=critical, digitalSignature, keyEncipherment\nextendedKeyUsage = clientAuth\nbasicConstraints=critical, CA:FALSE\nsubjectKeyIdentifier=hash\n"
VAR_SUBJ[11]="/C=IE/ST=Cork/O=cloud, Inc./CN=analytics-client-client"
VAR_KEY[11]=analytics-client-client
VAR_EXT[11]="\n[SAN]\nkeyUsage=critical, digitalSignature, keyEncipherment\nextendedKeyUsage = clientAuth\nbasicConstraints=critical, CA:FALSE\nsubjectKeyIdentifier=hash\n"
# VAR_SUBJ[9]="/C=IE/ST=Cork/O=cloud, Inc./CN=gw.192.168.151.22.nip.io"
# VAR_KEY[9]=api-gateway-ingress
# VAR_EXT[9]="\nsubjectAltName=DNS:gw.192.168.151.22.nip.io,DNS:gw.192.168.151.22.nip.io\nextendedKeyUsage=serverAuth"
#
# VAR_SUBJ[10]="/C=IE/ST=Cork/O=cloud, Inc./CN=gwd.192.168.151.22.nip.io"
# VAR_KEY[10]=api-gateway-service-ingress
# VAR_EXT[10]="\nsubjectAltName=DNS:gwd.192.168.151.22.nip.io,DNS:gwd.192.168.151.22.nip.io\nextendedKeyUsage=serverAuth"
#main
i=1
while [ $i -le $ ]; do
  echo --  $]} --
  echo --  $]} --
  echo --  $]} --
  openssl genrsa -out $]}.key 2048
  if [ $? != 0 ] ; then exit 1 ; fi
  # openssl req -new -sha256 -key $]}.key -subj $]} -out $]}.csr
  openssl req -new -sha256 -key $]}.key -subj "$]}" -out $]}.csr
  if [ $? != 0 ] ; then exit 1 ; fi
   openssl x509 -req -in $]}.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out $]}.crt -days 500 -sha256 -extfile <(cat /etc/ssl/openssl.cnf <(printf "$]}")) -extensions SAN
  if [ $? != 0 ] ; then exit 1 ; fi
  let i+=1
done

By Chris Phillips on November 16, 2018.

Canonical link

Exported from Medium on April 6, 2019.