Creating Certificates and Keys for TLS Authentication

Create certificates and keys for establishing a secure communication between the client and the load balancer.

If you already have a server certificate that has been signed by a trusted third-party Certificate Authority (CA), then you do not need to create a self-signed server and client certificate.

Ensure that OpenSSL is installed on the Linux instance to create the required certificates.

To create the certificates and keys:

  1. On the Linux instance, run the following command to create a CA certificate and a private key for the certificate.

    openssl req -x509 -sha256 -newkey rsa:2048 -keyout iap-ca.key -out iap-ca.crt -days 356 -nodes -subj '/CN=IAP Certificate Authority'

    Note: If you already have a CA certificate and a private key, then you can skip this step.

  2. On the Linux instance, create a server certificate and a private key that have been signed using the private key of the CA created in step 1.

    openssl req -new -newkey rsa:2048 -keyout iap-wildcard.key -out iap-wildcard.csr -nodes -subj '/CN=*.example.com'

    openssl x509 -req -sha256 -days 365 -in iap-wildcard.csr -CA iap-ca.crt -CAkey iap-ca.key -set_serial 04 -out iap-wildcard.crt

    Ensure that you specify a wildcard character as the subdomain name in the Common Name (CN) of the server certificate. This ensures that the same server certificate is valid for all the subdomains of the given domain name.

    For example, consider that you have separate hostnames for the production and staging environments, prod.example.com and staging.example.com. By specifying a wildcard character in the Common Name of the server certificate, you can use the same server certificate to authenticate prod.example.com and staging.example.com.

  3. Copy all the certificates to a common directory.

    For example, create a directory named iap-certs and copy all the certificates that have been created to this directory.
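The following script is an added example, not part of the original procedure: it runs steps 1 and 2 in a temporary directory, supplies a subjectAltName through a small extension file (san.ext, constructed here) because current browsers and TLS libraries ignore the Common Name, and then uses openssl verify to show which hostnames the wildcard certificate actually validates. The working directory and the test hostnames are assumptions.

```sh
#!/bin/sh
# Added example (not from the original procedure): build the CA and the
# wildcard server certificate as in steps 1-2, add a subjectAltName, and
# check which hostnames the resulting chain validates. File names are
# constructed for this example.
set -eu

WORK="${TMPDIR:-/tmp}/iap-tls-example.$$"

make_ca() {
    # Step 1: self-signed CA certificate and private key.
    openssl req -x509 -sha256 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/iap-ca.key" -out "$WORK/iap-ca.crt" \
        -subj '/CN=IAP Certificate Authority' 2>/dev/null
}

make_server_cert() {
    # Step 2: CSR for the wildcard name, signed with the CA key. The SAN is
    # passed via -extfile so the signed certificate carries it; a CN-only
    # certificate is rejected by modern clients.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/iap-wildcard.key" -out "$WORK/iap-wildcard.csr" \
        -subj '/CN=*.example.com' 2>/dev/null
    printf 'subjectAltName=DNS:*.example.com\n' > "$WORK/san.ext"
    openssl x509 -req -sha256 -days 365 -in "$WORK/iap-wildcard.csr" \
        -CA "$WORK/iap-ca.crt" -CAkey "$WORK/iap-ca.key" -set_serial 04 \
        -extfile "$WORK/san.ext" -out "$WORK/iap-wildcard.crt" 2>/dev/null
}

# Returns 0 when the server certificate chains to the CA and matches $1.
host_matches() {
    openssl verify -CAfile "$WORK/iap-ca.crt" -verify_hostname "$1" \
        "$WORK/iap-wildcard.crt" >/dev/null 2>&1
}

# Print a verdict for one hostname.
check_host() {
    if host_matches "$1"; then echo "$1: valid"; else echo "$1: INVALID"; fi
}

setup() {
    mkdir -p "$WORK" && make_ca && make_server_cert
}

setup
check_host prod.example.com     # valid: one label under example.com
check_host staging.example.com  # valid
check_host example.com          # INVALID: the bare domain is not covered
check_host a.b.example.com      # INVALID: a wildcard matches one label only
```

The last two checks show the limit of the "valid for all subdomains" statement: a single wildcard covers exactly one label, so multi-level subdomains and the bare domain need their own SAN entries.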

Last modified: February 25, 2026