Signing the certificate signing request
For each node, sign the certificate signing request. If you created your own root CA, follow the instructions below. Alternatively, send the certificate signing request to a well-known CA for signing.
Procedure
-
Sign each node certificate:
openssl x509 -req -CA 'path/to/rootca.crt' \ -CAkey 'path/to/rootca.key' \ -in signing_request.csr \ -out signing_request.crt_signed \ -days 3650 \ -CAcreateserial \ -passin pass:rootca_password \ -extfile san_config_file.conf- signing_request.csr
-
Certificate signing request (CSR) that is passed to the Certificate Authority (CA) to sign the certificate. The CSR typically includes the public key plus associated metadata such as the Common Name (CN), Organization (O), Organization Unit (OU), and Country (C).
signing_request.crt_signed The signed certificate file to create, using the certificate signing request (CSR) (
signing_request.csr) as the input file. - san_config_file.conf
-
If using the domain name as the <node_name> and the node IP address as a Subject Alternative Name (SAN), create a temporary configuration file and pass it in using the
-extfileoption. In the configuration file, use thesubjectAltNameparameter to specify the DNS and IP. For example:subjectAltName=DNS:<node_name>,IP:<node_ip_address>You can specify multiple SANs in the same configuration file:
subjectAltName=DNS:domain1,IP:10.200.100.52 subjectAltName=DNS:domain1,IP:10.200.101.63 subjectAltName=DNS:domain1,IP:10.200.111.74 subjectAltName=DNS:domain1,IP:10.200.121.85Use the
<rootca_password>entered when Creating the root CA signing certificate.A signed certificate file
signing_request.crt_signedis created.
-
Verify that the root certificate file was properly signed:
openssl verify -CAfile '<path/to/rootca.crt>' <signing_request.crt_signed><signing_request>.crt_signed: OK -
Delete the temporary configuration
<file san_config_file>.confto protect theSANfor a node.rm -f <san_config_file.conf>
