
OpenSSL Creating Wildcard Certificate Request

OpenSSL Wildcard Certificate Request

In this short blog post, we will create an OpenSSL request for a wildcard certificate. We are going over the installation, the configuration, and the request itself. I am performing the steps on a Windows 11-based machine and requesting the certificate at https://www.xolphin.nl/, an external certificate provider; the same request can also be submitted to an internal certificate provider such as Microsoft Active Directory Certificate Services (ADCS).

A wildcard certificate can be used for many purposes, as an internal or an external certificate, for example on a load balancer or on a web server that hosts multiple HTTPS services. In my case, I am using it for my lab environment with a load balancer, to take the certificate complexity out of some simple testing of web applications in Kubernetes.

Environment

My environment for performing this operation is as follows:

  • Operating System: Windows 11 X64
  • Public internet access: yes
  • Permissions on the system: Administrator

Installation of OpenSSL on Windows 11

To install OpenSSL on a Windows 11 machine, the easiest way is with the package manager Chocolatey (“choco”). Open a PowerShell command prompt with administrative permissions and run the following command:

# Installation of OpenSSL on your system
choco install openssl
PS C:\windows\system32> choco install openssl
Chocolatey v1.4.0
Installing the following packages:
openssl
By installing, you accept licenses for the packages.
Progress: Downloading vcredist2015 14.0.24215.20170201... 100%
Progress: Downloading vcredist140 14.36.32532... 100%
Progress: Downloading chocolatey-core.extension 1.4.0... 100%
Progress: Downloading chocolatey-compatibility.extension 1.0.0... 100%
Progress: Downloading KB3033929 1.0.5... 100%
Progress: Downloading chocolatey-windowsupdate.extension 1.0.5... 100%
Progress: Downloading KB3035131 1.0.3... 100%
Progress: Downloading KB2919355 1.0.20160915... 100%
Progress: Downloading KB2919442 1.0.20160915... 100%
Progress: Downloading KB2999226 1.0.20181019... 100%
Progress: Downloading openssl 3.1.1... 100%

chocolatey-compatibility.extension v1.0.0 [Approved]
chocolatey-compatibility.extension package files install completed. Performing other installation steps.
 Installed/updated chocolatey-compatibility extensions.
 The install of chocolatey-compatibility.extension was successful.
  Software installed to 'C:\ProgramData\chocolatey\extensions\chocolatey-compatibility'

chocolatey-core.extension v1.4.0 [Approved]
chocolatey-core.extension package files install completed. Performing other installation steps.
 Installed/updated chocolatey-core extensions.
 The install of chocolatey-core.extension was successful.
  Software installed to 'C:\ProgramData\chocolatey\extensions\chocolatey-core'

chocolatey-windowsupdate.extension v1.0.5 [Approved]
chocolatey-windowsupdate.extension package files install completed. Performing other installation steps.
 Installed/updated chocolatey-windowsupdate extensions.
 The install of chocolatey-windowsupdate.extension was successful.
  Software installed to 'C:\ProgramData\chocolatey\extensions\chocolatey-windowsupdate'

KB3035131 v1.0.3 [Approved]
kb3035131 package files install completed. Performing other installation steps.
The package KB3035131 wants to run 'ChocolateyInstall.ps1'.
Note: If you don't run this script, the installation will fail.
Note: To confirm automatically next time, use '-y' or consider:
choco feature enable -n allowGlobalConfirmation
Do you want to run the script?([Y]es/[A]ll - yes to all/[N]o/[P]rint): A

Skipping installation because update KB3035131 does not apply to this operating system (Microsoft Windows 11 Pro).
 The install of kb3035131 was successful.
  Software install location not explicitly set, it could be in package or
  default install location of installer.

KB3033929 v1.0.5 [Approved]
kb3033929 package files install completed. Performing other installation steps.
Skipping installation because update KB3033929 does not apply to this operating system (Microsoft Windows 11 Pro).
 The install of kb3033929 was successful.
  Software install location not explicitly set, it could be in package or
  default install location of installer.

KB2919442 v1.0.20160915 [Approved]
kb2919442 package files install completed. Performing other installation steps.
Skipping installation because this hotfix only applies to Windows 8.1 and Windows Server 2012 R2.
 The install of kb2919442 was successful.
  Software install location not explicitly set, it could be in package or
  default install location of installer.

KB2919355 v1.0.20160915 [Approved]
kb2919355 package files install completed. Performing other installation steps.
Skipping installation because this hotfix only applies to Windows 8.1 and Windows Server 2012 R2.
 The install of kb2919355 was successful.
  Software install location not explicitly set, it could be in package or
  default install location of installer.

KB2999226 v1.0.20181019 [Approved] - Possibly broken
kb2999226 package files install completed. Performing other installation steps.
Skipping installation because update KB2999226 does not apply to this operating system (Microsoft Windows 11 Pro).
 The install of kb2999226 was successful.
  Software install location not explicitly set, it could be in package or
  default install location of installer.

vcredist140 v14.36.32532 [Approved]
vcredist140 package files install completed. Performing other installation steps.
Runtime for architecture x86 version 14.36.32532 is already installed.
Runtime for architecture x64 version 14.36.32532 is already installed.
 The install of vcredist140 was successful.
  Software install location not explicitly set, it could be in package or
  default install location of installer.

vcredist2015 v14.0.24215.20170201 [Approved]
vcredist2015 package files install completed. Performing other installation steps.
 The install of vcredist2015 was successful.
  Software installed to 'C:\ProgramData\chocolatey\lib\vcredist2015'

openssl v3.1.1 [Approved]
openssl package files install completed. Performing other installation steps.
Installing 64-bit openssl...
openssl has been installed.
WARNING: No registry key found based on  'OpenSSL-Win'
PATH environment variable does not have C:\Program Files\OpenSSL-Win64\bin in it. Adding...
WARNING: OPENSSL_CONF has been set to C:\Program Files\OpenSSL-Win64\bin\openssl.cfg
  openssl can be automatically uninstalled.
Environment Vars (like PATH) have changed. Close/reopen your shell to
 see the changes (or in powershell/cmd.exe just type `refreshenv`).
 The install of openssl was successful.
  Software installed to 'C:\Program Files\OpenSSL-Win64\'

Chocolatey installed 11/11 packages.
 See the log for details (C:\ProgramData\chocolatey\logs\chocolatey.log).

Installed:
 - kb3033929 v1.0.5
 - chocolatey-windowsupdate.extension v1.0.5
 - vcredist140 v14.36.32532
 - kb2999226 v1.0.20181019
 - kb2919355 v1.0.20160915
 - chocolatey-core.extension v1.4.0
 - kb2919442 v1.0.20160915
 - vcredist2015 v14.0.24215.20170201
 - chocolatey-compatibility.extension v1.0.0
 - openssl v3.1.1
 - kb3035131 v1.0.3
PS C:\windows\system32>

Configuration OpenSSL on Windows 11

To create a certificate request you need to tell OpenSSL what to generate, so we create a configuration file for OpenSSL that specifies what type of request should be generated.

Create the following configuration file called “config.cfg”. This is the configuration file that will be used by OpenSSL when running the command listed below. Make sure you replace the %placeholders% with your own domain name and company information.

[ req ]
default_bits            = %In most cases: 2048 or 4096%
default_keyfile         = %key file name%
default_md              = sha512
distinguished_name      = req_distinguished_name
encrypt_key             = no
prompt                  = no

[ req_distinguished_name ]
commonName              = %Certificate address > your wildcard%
countryName             = %Company country code%
emailAddress            = %Administrator/IT email%
localityName            = %Company location%
organizationName        = %Company name%
organizationalUnitName  = %Company department%
stateOrProvinceName     = %Company location province%

The same file with example values filled in:

[ req ]
default_bits            = 4096
default_keyfile         = wildcard.domain.com.key
default_md              = sha512
distinguished_name      = req_distinguished_name
encrypt_key             = no
prompt                  = no

[ req_distinguished_name ]
commonName              = *.domain.com
countryName             = NL
emailAddress            = admin@domain.com
localityName            = Amsterdam
organizationName        = Domain B.V.
organizationalUnitName  = IT
stateOrProvinceName     = Noord-Holland

OpenSSL Creating Wildcard Certificate Request

Now it is time to generate the certificate request that will be delivered to your certificate provider. Run the following commands in an elevated PowerShell prompt.

# Set the path variable
$path = "c:\Users\$Env:UserName\Desktop\cert"

# Create directory
mkdir $path

# Copy the config.cfg into the $path location (manually)

# Create the certificate request
openssl req -new -nodes -out "$path\wildcard.domain.com.csr" -config "$path\config.cfg" -keyout "$path\wildcard.domain.com.key"

# After running the commands, you will end up with three files in the $path location:
#   - config.cfg
#   - wildcard.domain.com.csr
#   - wildcard.domain.com.key
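The configuration above puts the wildcard only in commonName. Current browsers and public CAs match the host name against the X509v3 subjectAltName extension, so a request for a wildcard should carry a DNS SAN entry as well; and because `*.domain.com` covers exactly one label, the bare apex `domain.com` must be listed separately if it needs to be covered. The following script is an added example, not code from the original post or from OpenSSL: it writes a config.cfg in the same style as above with a `req_extensions` / `subjectAltName` section added, checks the file for left-over placeholders, weak settings and a missing SAN before it is handed to `openssl req`, and shows which host names a wildcard actually covers. The function names (`build_req_config`, `parse_openssl_config`, `check_req_config`, `wildcard_matches`) and the `Domain B.V.` sample values are this example's own.

```python
"""Build and sanity-check an OpenSSL request configuration for a wildcard CSR.

Added example for this post (not the author's or OpenSSL's code). Function
names are this example's own; the sample subject values are constructed.
"""
import re

WEAK_DIGESTS = {"md5", "sha1"}  # digests a public CA will refuse for a CSR


def _kv(key, value):
    """Format one 'key = value' line in the same column layout as the post."""
    return f"{key:<24}= {value}"


def build_req_config(wildcard, dn, bits=4096, keyfile=None, extra_dns=()):
    """Return config.cfg text for a wildcard CSR.

    dn maps req_distinguished_name keys (countryName, organizationName, ...)
    to values. The apex domain is added as a SAN automatically because
    *.domain.com does not cover domain.com itself."""
    if not wildcard.startswith("*.") or "*" in wildcard[2:]:
        raise ValueError("wildcard must be a single leftmost '*.' label")
    apex = wildcard[2:]
    keyfile = keyfile or "wildcard." + apex + ".key"
    names = [wildcard, apex]
    names += [d for d in extra_dns if d not in names]
    lines = ["[ req ]",
             _kv("default_bits", bits), _kv("default_keyfile", keyfile),
             _kv("default_md", "sha512"),
             _kv("distinguished_name", "req_distinguished_name"),
             _kv("req_extensions", "req_ext"),
             _kv("encrypt_key", "no"),  # key lands unencrypted on disk: protect the file
             _kv("prompt", "no"), "",
             "[ req_distinguished_name ]", _kv("commonName", wildcard)]
    lines += [_kv(k, v) for k, v in dn.items()]
    lines += ["", "[ req_ext ]", _kv("subjectAltName", "@alt_names"), "", "[ alt_names ]"]
    lines += [_kv(f"DNS.{i}", n) for i, n in enumerate(names, 1)]
    return "\n".join(lines) + "\n"


def parse_openssl_config(text):
    """Minimal parser for the INI-like OpenSSL config syntax used by 'req':
    '[ section ]' headers (surrounding spaces ignored), 'key = value' pairs
    and '#' comments. Returns {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[\s*([^\]]+?)\s*\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections


def check_req_config(text):
    """Return a list of problems; an empty list means the file is ready for 'openssl req'."""
    cfg = parse_openssl_config(text)
    req = cfg.get("req", {})
    problems = []
    try:
        if int(req.get("default_bits", "0")) < 2048:
            problems.append("default_bits below 2048")
    except ValueError:
        problems.append("default_bits is not a number (placeholder left in?)")
    if req.get("default_md", "").lower() in WEAK_DIGESTS:
        problems.append("default_md uses a weak digest")
    dn = cfg.get(req.get("distinguished_name", ""), {})
    cn = dn.get("commonName", "")
    if not cn or "%" in cn:
        problems.append("commonName missing or still a placeholder")
    elif not cn.startswith("*.") or "*" in cn[2:]:
        problems.append("commonName is not a single leftmost-label wildcard")
    san = cfg.get(req.get("req_extensions", ""), {}).get("subjectAltName", "")
    if san.startswith("@"):  # '@alt_names' form
        dns_names = [v for k, v in cfg.get(san[1:], {}).items() if k.startswith("DNS")]
    else:                    # inline 'DNS:a,DNS:b' form
        dns_names = [p.strip()[4:] for p in san.split(",") if p.strip().startswith("DNS:")]
    if not dns_names:
        problems.append("no DNS subjectAltName; browsers match SAN, not commonName")
    elif cn and cn not in dns_names:
        problems.append("commonName is not repeated in subjectAltName")
    left = [v for v in list(req.values()) + list(dn.values()) if v.startswith("%") and v.endswith("%")]
    if left:
        problems.append("placeholder left unfilled: " + left[0])
    return problems


def wildcard_matches(pattern, host):
    """RFC 6125 style check: '*' may only be the whole leftmost label and matches
    exactly one label, so *.domain.com covers www.domain.com but neither
    domain.com nor a.b.domain.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and h_labels[0] != "" and p_labels[1:] == h_labels[1:]


if __name__ == "__main__":
    cfg = build_req_config("*.domain.com", {"countryName": "NL", "localityName": "Amsterdam",
                                            "organizationName": "Domain B.V."})
    print(cfg)
    print("problems:", check_req_config(cfg) or "none")
    for host in ("www.domain.com", "domain.com", "a.b.domain.com"):
        print(f"{host:<16} covered by *.domain.com: {wildcard_matches('*.domain.com', host)}")
```

Save the generated text as config.cfg and run the same `openssl req -new -nodes -config ... -keyout ... -out ...` command as above; afterwards `openssl req -noout -text -in wildcard.domain.com.csr` should show an "X509v3 Subject Alternative Name" block listing both the wildcard and the apex domain. The checker deliberately flags the post's template file, since its %placeholders% are not valid values and it has no SAN section.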

Signing the request

Go to your certificate provider website and upload the “wildcard.domain.com.csr” file (only the request is uploaded; the .key file stays on your machine). You should receive the wildcard certificate within minutes or hours, depending on the certificate provider.

Wrap up

So this is my blog post about creating a wildcard certificate with OpenSSL. Hopefully, it is useful for somebody, please respond below if you have any comments or additional information! See you next time! 🙂

Changing VMware Storage Controller to Paravirtual for CentOS 7

In this post, we are going to change the virtual storage controller from LSI Logic Parallel to VMware Paravirtual for a CentOS 7-based virtual machine that is running on VMware vSphere. This blog post contains step-by-step guidance for performing the operation.

In my case the virtual machine was built in VMware Workstation and after some time migrated to VMware ESXi. The VMware Paravirtual Storage Controller is not supported in VMware Workstation. That is why the virtual machine came over with the “wrong” storage controller.

My 24×7 Lab environment is running shared iSCSI based storage and all virtual machines are thin provisioned. The Virtual Machine that came over from VMware Workstation is installed with CentOS 7.

Why VMware Paravirtual?

Why should you want to migrate from an LSI Logic Parallel to a VMware Paravirtual SCSI Controller? Two simple reasons and they are two good ones:

  • Lower CPU utilization
  • Higher Throughput

Personally, I have a third reason to add… compliance. All my virtual machines should be compliant with VMware best practices and my personal home lab standard. In my lab environment, this means using the VMware Paravirtual controller wherever it is possible and supported.

VMware Official Statement 1:

PVSCSI adapters are high-performance storage adapters that can result in greater throughput and lower CPU utilization. PVSCSI adapters are best for environments, especially SAN environments, where hardware or applications drive a very high amount of I/O throughput. The VMware PVSCSI adapter driver is also compatible with the Windows Storport storage driver. PVSCSI adapters are not suitable for DAS environments.

VMware Official Statement 2:

The PVSCSI adapter offers a significant reduction in CPU utilization as well as potentially increased throughput compared to the default virtual storage adapters, and is thus the best choice for environments with very I/O-intensive guest applications.

Procedure

The most important step in the process is to make sure you have a valid backup! After that, it is just following the steps described below:

  • Create a virtual machine snapshot or backup before you begin.
  • Power-off the virtual machine.
  • Add the VMware Paravirtual Controller to the virtual machine. Do not change the disk controller assignment yet; only add the storage controller to the VM, so that the guest sees the new controller and includes its driver when the initial ramdisk is rebuilt in a later step (screenshot 01).
  • Power-on the virtual machine.
  • Log in with an account on the virtual machine (the account must be able to obtain root access).
  • Rebuild the initial ramdisk image (screenshot 02):
    mkinitrd -f -v /boot/initramfs-$(uname -r).img $(uname -r)
  • Power-off the virtual machine.
  • Assign disks to the new storage controller and remove the old storage controller (screenshot 03).
  • Power-on the virtual machine.
  • Validate that everything is working and disks are mounted (screenshot 04).
  • Remove the virtual machine snapshot or backup after you are done.

Screenshots

Here are some screenshots from the procedure:

Conclusion

At this point, I have swapped out three virtual machines from the LSI controller to the VMware Paravirtual SCSI Controller. The machines have been running now for about two weeks without any problems. So everything is compliant again ;).

If you encounter any problems or have any questions about this subject please feel free to contact me on Twitter or the Reply option below.

Source

Here are some interesting related articles that I used for creating this blog post: