
Friday, 31 January 2025

How to Create a Self-Signed Certificate: A Step-by-Step Guide


In today's digital landscape, secure communication is essential. Whether you're setting up a development environment, testing SSL/TLS configurations, or securing internal services, a self-signed certificate can be a handy solution. This guide walks you through creating a self-signed certificate using OpenSSL.

What is a Self-Signed Certificate?

A self-signed certificate is an SSL/TLS certificate that is not issued by a trusted Certificate Authority (CA). Instead, it is generated and signed by the same entity that intends to use it. While not suitable for public-facing websites, self-signed certificates are useful for testing, internal applications, and development environments.

Prerequisites

Before generating a self-signed certificate, ensure you have OpenSSL installed. Most Linux and macOS systems include OpenSSL by default. Windows users can download it from OpenSSL's official website.

To check if OpenSSL is installed, run the following command:

openssl version

If OpenSSL is installed, you should see the version number.

Step 1: Generate a Private Key

The first step in creating a self-signed certificate is generating a private key. This key is essential for encrypting and decrypting information.

Use one of the following commands to generate a 2048-bit RSA private key.

Generate a private key with a passphrase:

openssl genpkey \
-algorithm RSA \
-pkeyopt rsa_keygen_bits:2048 \
-out private.key -aes256

You will be prompted to enter a passphrase. Choose a strong passphrase and remember it.

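Generate a private key without a passphrase (anyone who can read the file can use the key, so restrict its file permissions):

openssl genpkey \
-algorithm RSA \
-pkeyopt rsa_keygen_bits:2048 \
-out private.key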

Step 2: Create a Certificate Signing Request (CSR)

A CSR contains information about your organization and domain. Generate a CSR using the following command:

openssl req -new -key private.key -out certificate.csr

You will be prompted to enter details such as:

  • Country Name (e.g., US)
  • State or Province Name (e.g., California)
  • Locality Name (e.g., San Francisco)
  • Organization Name (e.g., MyCompany Inc.)
  • Organizational Unit Name (e.g., IT Department)
  • Common Name (e.g., example.com)
  • Email Address

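Ensure the Common Name (CN) matches the domain or IP where the certificate will be used. Current browsers validate the host name against the subjectAltName (SAN) extension rather than the CN, so a certificate that carries only a CN will still trigger a name-mismatch error in them.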

Step 3: Generate the Self-Signed Certificate

Use the following command to create a self-signed certificate valid for 365 days:

openssl x509 -req \
-days 365 \
-in certificate.csr \
-signkey private.key \
-out selfsigned.crt

Step 4: Create a Wildcard Certificate (Optional)

If you need a wildcard certificate to cover all subdomains (e.g., *.example.com), modify the CSR by specifying a wildcard CN:


openssl req -new \
-key private.key \
-out wildcard.csr \
-subj "/C=US/ST=California/L=San Francisco/O=MyCompany Inc./OU=IT Department/CN=*.example.com"

Then generate the self-signed wildcard certificate:

openssl x509 -req \
-days 365 \
-in wildcard.csr \
-signkey private.key -out wildcard.crt

Step 5: Verify the Certificate

To check the details of your certificate, run:

openssl x509 -in selfsigned.crt -noout -text

This command displays the certificate information, including validity and issuer details.
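
Added example (not part of the original guide): the steps above produce a certificate with only a CN, while current browsers check the subjectAltName extension. This script repeats Steps 1 to 3 non-interactively, adds a SAN through -extfile, and then checks the SAN, the host-name match and that the certificate belongs to the private key; the host name dev.example.test and the function names are assumptions.

```shell
#!/bin/sh
# Added example: self-signed certificate that carries a subjectAltName (SAN).
# Host name, file names and function names are illustrative assumptions.

# make_cert DIR HOST: key + CSR + self-signed certificate with SAN=HOST.
make_cert() {
    dir=$1; host=$2
    # Unencrypted 2048-bit RSA key (no passphrase, so the run is non-interactive).
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/private.key" 2>/dev/null || return 1
    chmod 600 "$dir/private.key"
    # -subj answers the interactive prompts from Step 2.
    openssl req -new -key "$dir/private.key" -subj "/CN=$host" \
        -out "$dir/certificate.csr" || return 1
    # "x509 -req" does not copy CSR extensions by default; pass the SAN via -extfile.
    printf 'subjectAltName = DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -days 365 -in "$dir/certificate.csr" \
        -signkey "$dir/private.key" -extfile "$dir/san.ext" \
        -out "$dir/selfsigned.crt" 2>/dev/null
}

# has_san CRT HOST: succeeds if the certificate lists HOST as a DNS SAN.
has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# host_matches CRT HOST: succeeds if OpenSSL's host-name check accepts HOST.
host_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# key_matches CRT KEY: succeeds if the certificate holds the key's public half.
key_matches() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Demo run in a throwaway directory.
demo() {
    d=$(mktemp -d) || return 1
    make_cert "$d" dev.example.test &&
        has_san "$d/selfsigned.crt" dev.example.test &&
        host_matches "$d/selfsigned.crt" dev.example.test &&
        key_matches "$d/selfsigned.crt" "$d/private.key"
    rc=$?; rm -rf "$d"; return $rc
}
demo && echo "certificate OK"
```
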

Step 6: Convert to PKCS#12 (Optional)

If you need a .pfx file for Windows or other applications, convert the certificate as follows:

openssl pkcs12 -export -out selfsigned.pfx -inkey private.key -in selfsigned.crt

You will be asked to set an export password for the .pfx file.

Conclusion

You've successfully created a self-signed SSL certificate using OpenSSL! This certificate can now be used for testing, securing internal applications, or local development. However, for production environments, always use a certificate from a trusted Certificate Authority (CA) to ensure security and trust.

If you have any questions or need further guidance, feel free to ask in the comments!

Thursday, 17 October 2024

Steps to Get Image Pull Secret for IBM Container Registry


  1. Log in to IBM Cloud CLI: If you haven't already, install the IBM Cloud CLI and log in to your IBM Cloud account:


    ibmcloud login
  2. Install the Container Registry Plugin: If you don’t have the Container Registry plugin installed, install it:


    ibmcloud plugin install container-registry
  3. Log in to IBM Container Registry: After installing the plugin, log in to the IBM Cloud Container Registry:

    ibmcloud cr login
  4. Generate API Key (Optional, but preferred for automation): Create an API key to securely authenticate with the IBM Container Registry. You can use it later to create the image pull secret in OpenShift:

    ibmcloud iam api-key-create MyAPIKey \
      -d "API key for OpenShift pull" \
      --file my-api-key.json
  5. Create an Image Pull Secret in OpenShift: Now, create the secret that allows OpenShift to pull images from the IBM Container Registry. You can use your IBM Cloud account credentials or an API key for authentication.

    For API Key authentication:

    oc create secret docker-registry ibm-cr-secret \
      --docker-server=icr.io \
      --docker-username=iamapikey \
      --docker-password="$(jq -r .apikey my-api-key.json)" \
      --docker-email=<your-email>

    Replace:

    • icr.io with the appropriate IBM Container Registry region endpoint (us.icr.io, eu.icr.io, jp.icr.io, etc.).
    • <your-email> with your email address.

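    For IBM Cloud Username/Password authentication:

    # An IAM OAuth token is a bearer token: the registry user name for it is
    # iambearer, and the token expires, so the secret has to be recreated.
    oc create secret docker-registry ibm-cr-secret \
      --docker-server=icr.io \
      --docker-username=iambearer \
      --docker-password="$(ibmcloud iam oauth-tokens | awk '{print $4}')" \
      --docker-email=<your-email>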
  6. Link the Image Pull Secret to a Service Account: To use this secret, associate it with the default service account in your project:

    oc secrets link default ibm-cr-secret --for=pull
  7. Ensure the secret is linked to the default service account:

    oc get serviceaccount default -o yaml
  8. Deploy the Container: Once the image pull secret is in place, you can deploy the container in OpenShift by creating a deployment configuration or pod that uses the image from IBM Container Registry:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: my-app
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: my-app
      template:
        metadata:
          labels:
            app: my-app
        spec:
          containers:
            - name: my-container
              image: icr.io/namespace/my-image:tag
          imagePullSecrets:
            - name: ibm-cr-secret

After this, OpenShift will pull the image from IBM Cloud Container Registry using the credentials stored in the secret.

Region Endpoints for IBM Container Registry

Choose the correct container registry endpoint based on your region:

  • us.icr.io - US South
  • eu.icr.io - Frankfurt
  • jp.icr.io - Tokyo

Make sure to replace the region in the docker-server and image URL accordingly.

podman version 5.1.2 push image got Error: unexpected EOF

With podman version 5.1.2, when I tried to push a large image (specifically 3.5 GB), I was getting Error: unexpected EOF. My platform is a MacBook Pro.

After some googling and debugging, I figured out it was a memory issue. By default, the memory assigned to the podman virtual machine is not enough, so I had to manually assign a bit more memory to the podman virtual machine.

Here are the steps that solved the issue:


podman machine stop

podman machine rm
podman machine init -m 4096 

podman machine start

Happy learning!

Thursday, 11 April 2024

Openshift: Attach volume failed: CSINode does not contain driver vpc.block.csi.ibm.io

I encountered an error in the OpenShift cluster. It said that 'AttachVolume.Attach' failed because the CSINode 10.240.0.9 does not contain the 'vpc.block.csi.ibm.io' driver. As a result, all the pods connected to the volume were failing and couldn't start.

After researching, I discovered that the Block Storage for VPC addon was on an older version, 5.0, and it was in critical status. All I needed to do was update the addon from version 5.0 to 5.1.

Here are the commands to fix the issue:

Check addOn status

ibmcloud ks cluster addon ls -c <OpenShift cluster Id/Name>

OK
Name                   Version              Health State   Health Status
vpc-block-csi-driver   5.0* (5.1 default)   critical       Addon Unsupported. For more info: http://ibm.biz/addon-state (H1509)

Update addOn version

 ibmcloud ks cluster addon update vpc-block-csi-driver -c <OpenShift cluster Id/Name> --version 5.1



Friday, 27 October 2023

Setting up Artifactory repository for python pip package

Generate token

  • Login to Artifactory
  • Go to top right corner and click on the menu Edit profile
  • Then Click on Generate an Identity token
  • Copy the generated token

Setting up the token

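  • From the command terminal, open the pip.conf file, located at ~/.pip/pip.conf. Restrict the file's permissions to your own user, because the token is stored in it in clear text.
  • Add an entry like the one below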

[global]

index-url = https://<ARTIFACTORY_USER>:<ARTIFACTORY_API_KEY>@<ARTIFACTORY_URL>/<ARTIFACTORY_REPO>

Friday, 7 July 2023

Connect to elasticsearch using python

Based on your Elasticsearch version, you have to install the matching Python Elasticsearch client.

I am using Elasticsearch version 7.10.

# Elasticsearch 7.x
elasticsearch>=7.0.0,<8.0.0

# Elasticsearch 6.x
elasticsearch>=6.0.0,<7.0.0

# Elasticsearch 5.x
elasticsearch>=5.0.0,<6.0.0

# Elasticsearch 2.x
elasticsearch>=2.0.0,<3.0.0

Prepare your environment

python3 -m venv backend
source backend/bin/activate
pip3 install elasticsearch==7.10.1

Code

from elasticsearch import Elasticsearch
from elasticsearch.exceptions import RequestError

# Create an instance of Elasticsearch with TLS options;
# ca_certs is the CA bundle used to verify the server certificate
es = Elasticsearch(
    'https://<user>:<password>@<host>:<port>',
    ca_certs='<cert_file>'
)

print("=======================================================")

# Fetch basic cluster information to confirm the connection works
info = es.info()
print(info)
print("=======================================================")

# Test the connection and create an index
index_name = 'my_index'

try:
    es.indices.create(index=index_name)
    print(f"Index '{index_name}' created successfully.")
except RequestError as e:
    # A 400 with this error type means the index is already there
    if e.error == 'resource_already_exists_exception':
        print(f"Index '{index_name}' already exists.")
    else:
        print(f"An error occurred while creating index '{index_name}': {e}")


document = {
    'title': 'Example Document',
    'content': 'This is the content of the document.'
}

# Add the document to the index
response = es.index(index=index_name, body=document)
print("=======================================================")
print(response)

Run

python3 app.py


Enjoy!


Ref: https://elasticsearch-py.readthedocs.io/en/v7.10.1/

https://www.elastic.co/guide/en/elasticsearch/client/python-api/current/getting-started-python.html




Wednesday, 26 April 2023

A simple script to build and push docker image to an OpenShift internal registry

echo "building the gradle project"
./gradlew clean bootJar

echo "building docker image"
TAG=1.0.1
NAME=image-name
NAMESPACE=namespace-name
docker build -t "$NAME:$TAG" .

echo "pushing image to openshift internal registry"
# Host name of the route that exposes the internal registry
export REGISTRY=$(oc get routes -n openshift-image-registry -o jsonpath='{.items[0].spec.host}')
# Log in with the current oc session token, passed on stdin rather than on the command line
oc whoami -t | docker login "$REGISTRY" -u "$(oc whoami)" --password-stdin
docker tag "$NAME:$TAG" "$REGISTRY/$NAMESPACE/$NAME:$TAG"
docker push "$REGISTRY/$NAMESPACE/$NAME:$TAG"