
Re: Origin 1.8: Encrypt termination using destinationCACertificate



It would be the CA public key certificate, that proves that the serving cert that your pods use is valid.  So whatever cert you use in the pods, use the ca.crt associated with that.

On Nov 25, 2015, at 2:57 AM, Den Cowboy <dencowboy hotmail com> wrote:

I have created an application with a route to it using OpenShift Origin. Now I want to make that route secure using TLS: I've already created routes with edge and passthrough. But now I want to create a route which is using Reencrypt.
Therefore I need to specify some certificates in my route:
apiVersion: v1
kind: Route
metadata:
  name: route-pt-secured
spec:
  host: www.example.com
  to:
    kind: Service
    name: service-name
  tls:
    termination: reencrypt
    key: [as in edge termination]
    certificate: [as in edge termination]
    caCertificate: [as in edge termination]
    destinationCACertificate: |-
      -----BEGIN CERTIFICATE-----
      [...]
      -----END CERTIFICATE-----


I create my key and certificate in the following way:

# keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass supersecret -validity 360 -keysize 2048 -keystore /etc/origin/keys/s2i-key/privatekey.store

# keytool -importkeystore -srckeystore privatekey.store  -destkeystore keystore.p12 -srcstoretype jks -deststoretype pkcs12

# Take a look at the certificate and private key in this file

# openssl pkcs12 -in keystore.p12 -nodes -password pass:supersecret



It's very similar to edge termination. But there I don't have to describe a destinationCACertificate. I create my own certificate and key using keytool and conversion to pk12 (see above). After that I can see my certificate and key (openssl pkcs12) and copy them into my route.
Now my problem is that I don't really know what a destinationCACertificate is. Do I have to create it in the same way as I'm creating my normal key/certificate, or do I have to read/create it somewhere else?
_______________________________________________
users mailing list
users lists openshift redhat com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
