Director SSL Certificate Configuration with OpenSSL

Depending on your configuration, there are up to three endpoints to be secured with SSL certificates: the Director, the UAA, and the SAML Service Provider on the UAA.

Note: If you are using the UAA for user management, an SSL certificate is mandatory for both the Director and the UAA.

Note: Unless you are using a config server, your SSL certificates (including private keys) are stored in the Director's database.
Generate SSL certificates (with OpenSSL)

You can use the following script to generate a root CA certificate and use it to sign three generated SSL certificates (one each for the Director, the UAA web endpoint, and the UAA SAML Service Provider). The three generateCert calls at the bottom must be edited to use the public IP of your Director:

#!/bin/bash

set -e

# All generated material goes into ./certs next to this script
certs="$(dirname "$0")/certs"

rm -rf "$certs" && mkdir -p "$certs"

cd "$certs"

echo "Generating CA..."
openssl genrsa -out rootCA.key 2048
# Self-signed root CA; `yes ""` accepts the default subject prompts
yes "" | openssl req -x509 -new -nodes -key rootCA.key \
  -out rootCA.pem -days 99999

function generateCert {
  name=$1
  ip=$2

  # Extension file adding the IP as a subjectAltName on the signed cert
  cat >openssl-exts.conf <<EOL
extensions = san
[san]
subjectAltName = IP:${ip}
EOL

  echo "Generating private key..."
  openssl genrsa -out "${name}.key" 2048

  echo "Generating certificate signing request for ${ip}..."
  # Go's TLS client requires the IP to be present as a SAN; the CN alone is not enough
  openssl req -new -nodes -key "${name}.key" \
    -out "${name}.csr" \
    -subj "/C=US/O=BOSH/CN=${ip}"

  echo "Generating certificate ${ip}..."
  openssl x509 -req -in "${name}.csr" \
    -CA rootCA.pem -CAkey rootCA.key -CAcreateserial \
    -out "${name}.crt" -days 99999 \
    -extfile ./openssl-exts.conf

  echo "Deleting certificate signing request and config..."
  rm "${name}.csr"
  rm ./openssl-exts.conf
}

generateCert director 10.244.4.2 # <--- Replace with public Director IP
generateCert uaa-web 10.244.4.2 # <--- Replace with public Director IP
generateCert uaa-sp 10.244.4.2 # <--- Replace with public Director IP

echo "Finished..."
ls -la .
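Before pasting the generated files into the manifest it is worth confirming that each leaf certificate chains to rootCA.pem (the file later handed to --ca-cert), carries the IP subjectAltName that Go clients check, and belongs to the private key next to it. The following checker is an added example, not part of the BOSH documentation or its script; it assumes openssl is on PATH and that the certs directory has the layout the script above produces (NAME.key, NAME.crt, rootCA.pem).

```bash
#!/bin/bash
# Added example, not part of the BOSH docs: sanity-check certificates produced by
# the generation script above before pasting them into the manifest. Assumes
# openssl is on PATH. check_cert DIR NAME IP exits 0 only when
#   1. DIR/NAME.crt chains to DIR/rootCA.pem (the file later passed to --ca-cert),
#   2. the certificate carries subjectAltName IP:<IP> (Go clients ignore the CN),
#   3. DIR/NAME.key is the private key that matches the certificate.
# Exit codes 1, 2, 3 identify which check failed.
set -e

check_cert() {
  local dir=$1 name=$2 ip=$3 key_pub cert_pub
  openssl verify -CAfile "$dir/rootCA.pem" "$dir/$name.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/$name.crt" -noout -text | grep -qFw "IP Address:$ip" || return 2
  key_pub=$(openssl pkey -in "$dir/$name.key" -pubout 2>/dev/null) || return 3
  cert_pub=$(openssl x509 -in "$dir/$name.crt" -noout -pubkey)
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ] || return 3
}

# Constructed fixture: a throwaway CA and one leaf built with the same OpenSSL
# steps as the page's script (short lifetime, written into DIR).
make_fixture() (
  cd "$1" && ip=$2
  openssl genrsa -out rootCA.key 2048 2>/dev/null
  openssl req -x509 -new -nodes -key rootCA.key -out rootCA.pem -days 30 \
    -subj "/C=US/O=BOSH/CN=test-root" 2>/dev/null
  printf 'extensions = san\n[san]\nsubjectAltName = IP:%s\n' "$ip" >exts.conf
  openssl genrsa -out director.key 2048 2>/dev/null
  openssl req -new -nodes -key director.key -out director.csr \
    -subj "/C=US/O=BOSH/CN=$ip" 2>/dev/null
  openssl x509 -req -in director.csr -CA rootCA.pem -CAkey rootCA.key \
    -CAcreateserial -out director.crt -days 30 -extfile exts.conf 2>/dev/null
)

# Self-test: `bash check_certs.sh --self-test`; otherwise source this file and run
# `check_cert certs director 10.244.4.2` against the script's output directory.
if [ "${1:-}" = "--self-test" ]; then
  tmp=$(mktemp -d) && make_fixture "$tmp" 10.244.4.2
  check_cert "$tmp" director 10.244.4.2 && echo "director.crt: chain, IP SAN and key all OK"
fi
```

A failing code 2 is the most common finding in practice: a certificate whose CN holds the IP but which lacks the SAN, which the CLI (a Go program) will reject even though `openssl verify` is happy with it.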
Configure the Director to use certificates

Update the Director deployment manifest with the following properties:

- director.ssl.key: Private key for the Director (e.g. content of certs/director.key)
- director.ssl.cert: Associated certificate for the Director (e.g. content of certs/director.crt). Include all intermediate certificates if necessary.
- hm.director_account.ca_cert: CA certificate used by the HM (Health Monitor) to verify the Director's certificate (e.g. content of certs/rootCA.pem)

Example manifest excerpt:

...
jobs:
- name: bosh
  properties:
    director:
      ssl:
        key: |
          -----BEGIN RSA PRIVATE KEY-----
          MII...
          -----END RSA PRIVATE KEY-----
        cert: |
          -----BEGIN CERTIFICATE-----
          MII...
          -----END CERTIFICATE-----
...

Note: The properties must contain the key and certificate themselves; a path to the key or certificate file is not supported.
If you are using the UAA for user management, additionally put certificates in these properties:

- uaa.sslPrivateKey: Private key for the UAA (e.g. content of certs/uaa-web.key)
- uaa.sslCertificate: Associated certificate for the UAA (e.g. content of certs/uaa-web.crt). Include all intermediate certificates if necessary.
- login.saml.serviceProviderKey: Private key for the UAA SAML Service Provider (e.g. content of certs/uaa-sp.key)
- login.saml.serviceProviderCertificate: Associated certificate for the UAA SAML Service Provider (e.g. content of certs/uaa-sp.crt)
Target the Director

After you have deployed your Director with the above changes, you need to specify --ca-cert when targeting the Director, so that the CLI can verify the Director's certificate against the root CA that signed it:

bosh --ca-cert certs/rootCA.pem target 10.244.4.2

Note: If your certificates are trusted via system-installed CA certificates, there is no need to provide the --ca-cert option.