IBM Wazi Developer for Red Hat CodeReady Workspaces: Set up an SSL Certificate in an OpenShift Container Platform

by Arvin Bhatnagar

A number of cloud-based applications that run on OpenShift® Container Platform (OCP) use a CA-signed SSL/TLS certificate to encrypt traffic in transit. For instance, IBM® Wazi Developer for Red Hat® CodeReady Workspaces, a single integrated solution that delivers a cloud-native development experience for z/OS®, uses a signed SSL certificate for encryption by default. More information about IBM Wazi Developer for Red Hat CodeReady Workspaces can be found in the IBM Documentation.

Why a signed SSL certificate is needed

Setting up an OpenShift Container Platform with a signed SSL certificate can present a number of challenges, owing to complex cloud architectures and the various formats and types of certificates to contend with. These complexities and the sheer volume of information can make what is really a simple task, replacing the default self-signed certificate with one signed by a trusted CA, seem overwhelming.

An OCP Ingress Controller accepts external web-based requests and proxies them to applications according to the configured routes. The default certificate for an Ingress Controller is a self-signed certificate used for all applications under the .apps subdomain. Replacing it with a certificate issued by a public Certificate Authority (CA) lets clients connect securely to the cloud-based applications without certificate warnings, because browsers already trust the public CA.

How to set up a signed SSL certificate

  1. Request a certificate.

    The certificate for the Ingress Controller .apps subdomain must be a wildcard certificate. For example, if the domain of the OCP cluster is openshift.ibm.com then the wildcard is *.apps.openshift.ibm.com. A sample certificate signing request (CSR) generated with the OpenSSL tool looks similar to the following (the -config <( ... ) process substitution requires bash):

    # Generate an unencrypted (-nodes) 2048-bit RSA private key and a CSR for the wildcard name.
    openssl req -new -sha256 -nodes -out certserverrequest.csr -newkey rsa:2048 -keyout certserverkey.key -config <(
    cat <<-EOF
    [ req ]
    default_bits = 2048
    prompt = no
    default_md = sha256
    distinguished_name = dn
    req_extensions = req_ext
    [ dn ]
    C=US
    ST=State
    L=Local
    O=IBM
    OU=Cluster Admins R Us
    CN=*.apps.openshift.ibm.com
    
    [ req_ext ]
    # Browsers match the host name against the SAN, not the CN, so the wildcard must appear here.
    subjectAltName = @alt_names
    
    [alt_names]
    DNS.1 = *.apps.openshift.ibm.com
    EOF
    )
    

    Note: Submit certserverrequest.csr to the CA, and keep the generated private key file (certserverkey.key) safe. It is needed later to create the TLS secret, and anyone who obtains it can impersonate every host under the .apps subdomain. Also, the OpenSSL tool is not installed on Windows by default.

  2. Convert the format of the certificate.

    Certificates come in multiple formats. Ultimately we need the certificate in PEM (Privacy Enhanced Mail) format to install it into the OCP. A PEM formatted certificate, when opened with a text editor, starts with -----BEGIN CERTIFICATE-----, followed by the Base64-encoded DER certificate, and ends with -----END CERTIFICATE-----. A PEM file can contain multiple certificates. This matters because we will combine the wildcard certificate, the intermediate certificate, and the root certificate into a single file for installing into the OCP.

    Once the certificate is issued by the CA it might arrive in PKCS#12 (PFX) format, a password-protected bundle that can hold the certificate and its chain (and sometimes a private key), or as a binary DER file, often with a .crt or .cer extension. The first openssl command below extracts the certificates from a PKCS#12 file (it prompts for the import password; -nokeys skips any private key, since we already hold ours), and the second converts a DER certificate to PEM. Do this for the intermediate and root certificates as well (if needed).

    openssl pkcs12 -in <issuedcert.pfx> -nokeys -out <issuedcert.pem>
    openssl x509 -inform DER -in <issuedcert.crt> -outform PEM -out <issuedcert.pem>
    
  3. Combine the issued wildcard certificate, the intermediate certificate, and the root certificate into a single PEM file, in that order. The wildcard certificate must come first, because the router serves the file to clients as-is.

    cat <issuedcert.pem> <intermediatecert.pem> <rootcert.pem> > ocpcert.pem
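
Before creating the TLS secret it is worth checking that the three files fit together, because a mismatched key or a mis-ordered chain only shows up after the router has rolled out. The following bash script is an added example, not code from the original article or from IBM. It uses the article's file names ocpcert.pem and certserverkey.key and, for an offline run, builds a throwaway three-tier chain whose names (Constructed Root CA, Constructed Intermediate CA, *.apps.openshift.example.com) are placeholders assumed for illustration only.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: pre-flight checks on the
# combined ocpcert.pem and certserverkey.key before they go into the TLS secret.
# Assumes openssl on PATH and a bundle ordered leaf, intermediate(s), root.
set -u

# Number of certificates in a PEM bundle.
pem_cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# The private key must belong to the FIRST certificate in the bundle (the
# wildcard leaf): compare SHA-256 digests of the DER-encoded public keys.
key_matches_cert() {
  local cert="$1" key="$2" a b
  a=$(openssl x509 -in "$cert" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  b=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Browsers match the host name against the SAN, not the CN, so the wildcard
# must appear there.
leaf_has_san() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | grep -F -q -- "DNS:$2"
}

# The leaf must not expire within 30 days (2592000 s).
leaf_not_expiring() {
  openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null
}

# Split the bundle and verify leaf -> intermediate(s) -> root, trusting only
# the bundle's own last certificate (-no-CApath ignores the host trust store).
verify_bundle_chain() {
  local bundle="$1" tmp count i rc
  tmp=$(mktemp -d)
  awk -v out="$tmp/cert" '/-----BEGIN CERTIFICATE-----/{n++} {print > (out n ".pem")}' "$bundle"
  count=$(pem_cert_count "$bundle")
  : > "$tmp/untrusted.pem"
  i=2
  while [ "$i" -lt "$count" ]; do
    cat "$tmp/cert$i.pem" >> "$tmp/untrusted.pem"
    i=$((i + 1))
  done
  if [ "$count" -gt 2 ]; then
    openssl verify -no-CApath -CAfile "$tmp/cert$count.pem" -untrusted "$tmp/untrusted.pem" "$tmp/cert1.pem" >/dev/null 2>&1
  else
    openssl verify -no-CApath -CAfile "$tmp/cert$count.pem" "$tmp/cert1.pem" >/dev/null 2>&1
  fi
  rc=$?
  rm -rf "$tmp"
  return "$rc"
}

# Run every check; returns 0 only when the files are ready for 'oc create secret tls'.
check_bundle() {
  local bundle="$1" key="$2" name="$3"
  [ "$(pem_cert_count "$bundle")" -ge 2 ] || { echo "bundle holds fewer than two certificates"; return 1; }
  key_matches_cert "$bundle" "$key" || { echo "private key does not match the first certificate"; return 1; }
  leaf_has_san "$bundle" "$name" || { echo "first certificate lacks SAN DNS:$name"; return 1; }
  leaf_not_expiring "$bundle" || { echo "first certificate expires within 30 days"; return 1; }
  verify_bundle_chain "$bundle" || { echo "chain does not verify in leaf, intermediate, root order"; return 1; }
  echo "bundle OK"
}

# Constructed three-tier chain (placeholder names, not a real CA) written to $1
# under the article's file names, so the checks can be exercised offline.
make_constructed_chain() {
  local d="$1"
  printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\n' > "$d/req.cnf"
  printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:*.apps.openshift.example.com\n' > "$d/leaf.ext"
  openssl req -new -nodes -newkey rsa:2048 -config "$d/req.cnf" -subj "/CN=Constructed Root CA" \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 365 -extfile "$d/ca.ext" \
    -out "$d/root.pem" 2>/dev/null
  openssl req -new -nodes -newkey rsa:2048 -config "$d/req.cnf" -subj "/CN=Constructed Intermediate CA" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial -days 365 \
    -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  openssl req -new -nodes -newkey rsa:2048 -config "$d/req.cnf" -subj "/CN=*.apps.openshift.example.com" \
    -keyout "$d/certserverkey.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial -days 365 \
    -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
  cat "$d/leaf.pem" "$d/int.pem" "$d/root.pem" > "$d/ocpcert.pem"   # same order as step 3
}

# Real files:   check_bundle ocpcert.pem certserverkey.key '*.apps.openshift.ibm.com'
# Offline demo: ./check-bundle.sh --demo
if [ "${1:-}" = "--demo" ]; then
  demo_dir=$(mktemp -d)
  make_constructed_chain "$demo_dir"
  check_bundle "$demo_dir/ocpcert.pem" "$demo_dir/certserverkey.key" '*.apps.openshift.example.com'
  rm -rf "$demo_dir"
fi
```

Run check_bundle against the real files before the deployment steps below. The chain-order check matters because the TLS secret stores the file exactly as given and the router presents it to clients in that order, so a bundle that starts with the root certificate is served wrong even though every certificate in it is valid.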
    

Deploy the SSL Certificate into OCP

  1. Log in to the OCP cluster as a cluster administrator.

    oc login https://api.openshift.ibm.com:6443 -u kubeadmin
    
  2. Create a configmap called custom-ca in the openshift-config namespace holding the CA certificate(s) that signed the wildcard certificate. The OpenShift documentation uses only the root CA certificate here; the combined ocpcert.pem also contains it.

    oc create configmap custom-ca --from-file=ca-bundle.crt=<ocpcert.pem> -n openshift-config
    
  3. Update the cluster-wide proxy configuration to trust the configmap we just created. This makes cluster components that connect to routes under .apps trust the signing CA, which matters most when that CA is a private or enterprise one that is not already in the default trust store.

    oc patch proxy/cluster --type=merge --patch='{"spec":{"trustedCA":{"name":"custom-ca"}}}'
    
  4. Create a TLS secret in the openshift-ingress namespace from ocpcert.pem and certserverkey.key. The certificate file must start with the wildcard certificate, followed by the intermediate (and root) certificates, and the key must be the one generated together with the CSR in step 1.

    oc create secret tls <Secret Name> --cert=<ocpcert.pem> --key=<certserverkey.key> -n openshift-ingress
    
  5. Point the default Ingress Controller at the secret we just created. The Ingress Operator then rolls out new router pods; oc get pods -n openshift-ingress shows the rollout.

    oc patch ingresscontroller.operator default --type=merge -p '{"spec":{"defaultCertificate": {"name": "<Secret Name>"}}}' -n openshift-ingress-operator
    

    Reference: Replacing the default ingress certificate (OpenShift documentation).
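
After the patch it is useful to confirm that the router actually presents the new certificate, rather than trusting that the rollout finished. The following bash functions are an added example, not code from the original article or from IBM. They assume oc is logged in, openssl is on PATH, the router is reachable on port 443, and that the caller passes the secret name from step 4 and a host under .apps; console-openshift-console.apps.<cluster domain> is the standard console route and is used only as an example host.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: confirm that the router
# presents the certificate that was put into the ingress TLS secret.
# Assumes oc is logged in, openssl on PATH, and port 443 reachable.
set -u

# SHA-256 fingerprint (colon-separated hex) of the first certificate in a PEM file.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# 0 if the first certificates in two PEM files are the same certificate.
same_cert() {
  local a b
  a=$(cert_fingerprint "$1")
  b=$(cert_fingerprint "$2")
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# tls.crt as stored in the ingress secret (jsonpath needs the escaped dot).
secret_cert() {
  oc get secret "$1" -n openshift-ingress -o 'jsonpath={.data.tls\.crt}' | base64 -d
}

# Leaf certificate the router presents for a host under .apps. SNI (-servername)
# is required; without it the router may answer with a different certificate.
served_cert() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null | openssl x509
}

# Usage: verify_ingress_cert <Secret Name> <host under .apps> [ocpcert.pem]
# Compares secret vs. served certificate and, if given, both against the local bundle.
verify_ingress_cert() {
  local secret="$1" host="$2" bundle="${3:-}" tmp rc=0
  tmp=$(mktemp -d)
  secret_cert "$secret" > "$tmp/secret.pem"
  served_cert "$host" > "$tmp/served.pem"
  if same_cert "$tmp/secret.pem" "$tmp/served.pem"; then
    echo "router serves the certificate from secret $secret"
  else
    echo "router does NOT serve the certificate from secret $secret (rollout still in progress?)"
    rc=1
  fi
  if [ -n "$bundle" ] && ! same_cert "$tmp/secret.pem" "$bundle"; then
    echo "secret $secret does not hold the first certificate of $bundle"
    rc=1
  fi
  rm -rf "$tmp"
  return "$rc"
}

# Example call (secret name and cluster domain are placeholders):
# verify_ingress_cert my-wildcard-cert console-openshift-console.apps.openshift.ibm.com ocpcert.pem
```

A mismatch right after the patch usually means the router pods are still rolling out; a mismatch that persists means the secret name in the ingresscontroller patch does not match the secret created in step 4.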

When the SSL certificate is issued by a CA that browsers already trust, no further configuration is required on clients accessing applications under the .apps subdomain of the OpenShift Container Platform. A certificate from a trusted public CA is therefore preferable to a self-signed certificate or one from a private CA, either of which would require importing the issuing root (and intermediate) certificates into the trust store of every client.

The approach and instructions in this article apply to OpenShift Container Platform 4.3 and may also apply to later versions. Always confirm with the OpenShift documentation before proceeding.

Contributors: Arvin Bhatnagar, Hestia Zhang, Min Huang, Peter Haumer, kmaselli