Director SSL Certificate Configuration with OpenSSL¶
Depending on you configuration, there are up to three endpoints to be secured using SSL certificates: The Director, the UAA, and the SAML Service Provider on the UAA.
Note
If you are using the UAA for user management, an SSL certificate is mandatory for the Director and the UAA.
Note
Unless you are using a configuration server, your SSL certificates will be stored in the Director's database.
Generate SSL certificates (with OpenSSL)¶
You can use the following script to generate a root CA certificate and use it to sign three generated SSL certificates:
#!/bin/bash
set -e
certs=`dirname $0`/certs
rm -rf $certs && mkdir -p $certs
cd $certs
echo "Generating CA..."
openssl genrsa -out rootCA.key 2048
yes "" | openssl req -x509 -new -nodes -key rootCA.key \
-out rootCA.pem -days 99999
function generateCert {
name=$1
ip=$2
cat >openssl-exts.conf <<-EOL
extensions = san
[san]
subjectAltName = IP:${ip}
EOL
echo "Generating private key..."
openssl genrsa -out ${name}.key 2048
echo "Generating certificate signing request for ${ip}..."
# golang requires to have SAN for the IP
openssl req -new -nodes -key ${name}.key \
-out ${name}.csr \
-subj "/C=US/O=BOSH/CN=${ip}"
echo "Generating certificate ${ip}..."
openssl x509 -req -in ${name}.csr \
-CA rootCA.pem -CAkey rootCA.key -CAcreateserial \
-out ${name}.crt -days 99999 \
-extfile ./openssl-exts.conf
echo "Deleting certificate signing request and config..."
rm ${name}.csr
rm ./openssl-exts.conf
}
generateCert director 10.244.4.2 # <--- Replace with public Director IP
generateCert uaa-web 10.244.4.2 # <--- Replace with public Director IP
generateCert uaa-sp 10.244.4.2 # <--- Replace with public Director IP
echo "Finished..."
ls -la .
Configure the Director to use certificates¶
Update the Director deployment manifest:
director.ssl.key- Private key for the Director (e.g. content of
certs/director.key)
- Private key for the Director (e.g. content of
director.ssl.cert- Associated certificate for the Director (e.g. content of
certs/director.crt) - Include all intermediate certificates if necessary
- Associated certificate for the Director (e.g. content of
hm.director_account.ca_cert- CA certificate used by the HM to verify the Director's certificate (e.g. content of
certs/rootCA.pem)
- CA certificate used by the HM to verify the Director's certificate (e.g. content of
Example manifest excerpt:
...
jobs:
- name: bosh
properties:
director:
ssl:
key: |
-----BEGIN RSA PRIVATE KEY-----
MII...
-----END RSA PRIVATE KEY-----
cert: |
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
...
Note
A path to the key or certificate file is not supported.
If you are using the UAA for user management, additionally put certificates in these properties:
uaa.sslPrivateKey- Private key for the UAA (e.g. content of
certs/uaa-web.key)
- Private key for the UAA (e.g. content of
uaa.sslCertificate- Associated certificate for the UAA (e.g. content of
certs/uaa-web.crt) - Include all intermediate certificates if necessary
- Associated certificate for the UAA (e.g. content of
login.saml.serviceProviderKey- Private key for the UAA (e.g. content of
certs/uaa-sp.key)
- Private key for the UAA (e.g. content of
login.saml.serviceProviderCertificate- Associated certificate for the UAA (e.g. content of
certs/uaa-sp.crt)
- Associated certificate for the UAA (e.g. content of
Target the Director¶
After you deployed your Director with the above changes, you need to specify --ca-cert when targeting the Director:
bosh --ca-cert certs/rootCA.pem target 10.244.4.2
Note
If your certificates are trusted via system installed CA certificates, there is no need to provide --ca-cert option.