About certgen, csr, and wildcard certificates


(Cornoualis) #1

Hi,

I'm desperately trying to enable TLS on my cluster (I want the node to use TLS for transport communication, for API access, and https for kibana).

My cluster is composed of 9 nodes, but may evolve in the future so I would like to have a wildcard certificate to use the same key/cert on every (future) member of the cluster.

I created DNS aliases for every member of my cluster like so:
nodename.mycluster.mycompany

Some examples:
master1.mycluster.mycompany
data2.mycluster.mycompany
...

Again, the idea is to allow my cluster to evolve without having to ask for new certificates every time.

In "short"...I want to have ONE certificate for *.mycluster.mycompany
I cannot use a wildcard based on the hostname since every server uses the same naming convention, and using a wildcard at this level would allow far too many machines to use the cert/key.

In the documentation, I didn't find anything about it, and I tried different arguments for "certgen -csr"...but in the end it never worked.

What arguments should I use to get a proper certificate?

Thanks in advance!


(Cornoualis) #2

I found the solution!

Instance name: *.mycluster.mycompany
Ip: N/A
DNS name: *.mycluster.mycompany

The only problem remaining was the "Extended Key Usage" field, which is left blank by certgen...by default, my PKI fills this field with "Server Authentication"...which prevented the certificate from working properly.
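To make the two points in this thread concrete (which hosts a "*.mycluster.mycompany" SAN actually covers, and what an Extended Key Usage value filled in by a PKI does to a node certificate), here is an added, stdlib-only checker. It is example code written for this page, not part of certgen or anything the poster ran. It applies the usual one-label wildcard rule for SAN dNSName entries and reports which TLS purposes an EKU extension is missing; the EKU OIDs are the standard RFC 5280 ones, and the assumption that a cluster node needs both serverAuth and clientAuth comes from the fact that a node is both TLS server and TLS client on the transport port, so an EKU that names only one purpose is a caveat worth checking before submitting the CSR.

```python
# Added example, not from the thread or from Elastic's certgen: RFC 6125 style
# wildcard matching over a SAN list plus an Extended Key Usage check.
import re
from typing import List, Optional, Tuple

# Extended Key Usage OIDs (RFC 5280, section 4.2.1.12).
EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

# A single DNS label: letters, digits, hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def _normalize(name: str) -> str:
    """Lower-case and drop a trailing dot; DNS names compare case-insensitively."""
    return name.strip().lower().rstrip(".")


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName (possibly a wildcard) against a hostname.

    A wildcard must be the entire left-most label ("*.example") and matches
    exactly one label: neither the bare domain nor "a.b.example". Partial
    wildcards such as "ma*.example" are rejected on purpose.
    """
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if not pattern or not hostname or "*" in hostname:
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 2 or len(h_labels) != len(p_labels):
        return False
    if not _LABEL.match(h_labels[0]):
        return False
    return h_labels[1:] == p_labels[1:]


def hostname_covered(hostname: str, san_dns_names: List[str]) -> bool:
    """True if any SAN dNSName entry covers the hostname."""
    return any(dns_name_matches(p, hostname) for p in san_dns_names)


def eku_problems(eku_oids: Optional[List[str]],
                 roles: Tuple[str, ...] = ("server", "client")) -> List[str]:
    """Return the roles whose purpose is missing from the EKU extension.

    An absent extension (None, which is what certgen leaves) restricts
    nothing. Once the extension is present, path validation expects the
    purpose that matches the role the certificate is used in, and a cluster
    node uses its certificate as both server and client (assumption noted
    in the lead-in).
    """
    if eku_oids is None:
        return []
    wanted = {"server": EKU_SERVER_AUTH, "client": EKU_CLIENT_AUTH}
    return [role for role in roles if wanted[role] not in eku_oids]


def check_node_cert(hostname: str, san_dns_names: List[str],
                    eku_oids: Optional[List[str]],
                    roles: Tuple[str, ...] = ("server", "client")) -> Tuple[bool, List[str]]:
    """Combine both checks into one verdict: (ok, list of reasons)."""
    reasons = []
    if not hostname_covered(hostname, san_dns_names):
        reasons.append(f"no SAN dNSName covers {hostname!r}")
    for role in eku_problems(eku_oids, roles):
        reasons.append(f"EKU extension present but lacks {role}Auth")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed inputs mirroring the thread: the wildcard SAN the poster
    # used, and an EKU holding only Server Authentication as the PKI fills it.
    san = ["*.mycluster.mycompany"]
    eku_from_pki = [EKU_SERVER_AUTH]
    for host in ["master1.mycluster.mycompany", "data2.mycluster.mycompany",
                 "mycluster.mycompany", "a.b.mycluster.mycompany",
                 "master1.othercluster.mycompany"]:
        print(f"{host:35} covered={hostname_covered(host, san)}")
    print(check_node_cert("master1.mycluster.mycompany", san, eku_from_pki))
    print(check_node_cert("master1.mycluster.mycompany", san, None))
```

Running it shows that the wildcard covers master1 and data2 but not the bare mycluster.mycompany, a two-level name, or a host in another cluster, and that the same certificate passes with certgen's blank EKU while an EKU of only serverAuth is flagged for the client role; if the PKI insists on filling the field, ask for both purposes.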


(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.