How to setup a self-signed SSL certificate for a Cloud Foundry application on IBM Cloud

This blog post is about how to set up a self-signed SSL certificate for encrypted (https) communication with a Cloud Foundry application on IBM Cloud, for example at a Hackathon. Keep in mind that you don’t need to implement additional code inside your Cloud Foundry application in this scenario. Everything is managed by IBM Cloud and you don’t need to modify your source code. You need to have OpenSSL installed on your local machine; this example shows the setup on macOS with Safari. You also need a Pay-As-You-Go or Trial account for IBM Cloud to set up a custom domain and SSL.

Motivation

In my example situation I want to access my Node-RED instance with a custom domain and a self-signed SSL certificate.

Normally you would create a certificate signing request to get a public key certificate, issued by a certificate authority such as “Let’s Encrypt”, to encrypt the communication with https, as you see simplified in the image below.

A certificate from a certificate authority can be costly if you aren’t able to use a free certificate authority like “Let’s Encrypt” supported by your domain provider. In my case the domain provider GoDaddy doesn’t support requesting certificates directly from “Let’s Encrypt”.

One easy solution to avoid additional costs is to create a self-signed certificate. This solution works well if you only want to test and develop during a Hackathon, you have a very small number of users, and you can guide them through trusting the self-signed SSL certificate in their browser.
As you can see in this simplified picture, you need to upload the self-signed SSL certificate yourself.

Overview of the needed steps

Here is an overview of the major needed steps:

  1. Create a custom domain and map it with the CNAME (this will result in the fully qualified domain name)
  2. Register the created custom domain in your Cloud Foundry org and region
  3. Create a route with your custom domain for your Cloud Foundry app
  4. Create a self-signed SSL certificate for custom domain
  5. Upload the self-signed certificate to IBM Cloud
  6. Invoke URL in a browser on a machine
  7. Copy the self-signed certificate from your browser to your computer
  8. Import the self-signed SSL certificate to the keychain of your operating-system on your local machine
  9. Restart the browser and see now your communication is encrypted

1. Create a custom domain and map it with the CNAME

Step 1: Get your own domain from a domain provider

Ensure you are able to customize the CNAME record for your domain. In my case I used GoDaddy where it’s possible to configure the CNAME record. My fully qualified domain name in this case is: node-red.suedbroecker.com.

2. Register the domain in your Cloud Foundry org and region at IBM Cloud

Open the IBM Cloud web console and follow these three steps to register your custom fully qualified domain name:

In the image below you see the dialog to add the fully qualified domain name, in my case node-red.suedbroecker.com.

In the following picture you see the added custom fully qualified domain name and the missing SSL certificate.

You find additional details about the custom domain configuration in one of my last blog posts, How to setup a custom domain for a Node-RED instance on IBM Cloud.

3. Create a self-signed certificate for the custom domain

Step 1: The Common Name (CN) for your SSL Certificate.

You should be aware that the Common Name (CN) of your self-signed SSL certificate is the fully qualified domain name. In this example it’s node-red.suedbroecker.com.

Step 2: Run the following OpenSSL command on your local computer to generate your private key and public certificate, and follow the prompts.

openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem

Example input you will be asked for:

Country Name (2 letter code) []:XXX
State or Province Name (full name) []:XXX
Locality Name (eg, city) []:XXX
Organization Name (eg, company) []:XXX
Organizational Unit Name (eg, section) []:XXX
Common Name (eg, fully qualified host name) []:node-red.suedbroecker.com
Email Address []:XXX

Step 3: Review the created certificate

openssl x509 -text -noout -in certificate.pem
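As an added example that is not part of the original post, the following script runs steps 2 and 3 non-interactively and checks the resulting files before they are uploaded: it verifies that the CN is the fully qualified domain name, that key.pem really belongs to certificate.pem, and that the certificate is valid. It also adds a subjectAltName entry for the same name, because current browsers match the host name against the SAN and not only the CN; this assumes OpenSSL 1.1.1 or newer on the local machine (for the -addext option).

```shell
#!/bin/sh
# Added example, not from the original post: generate the self-signed
# certificate with CN and subjectAltName set to the FQDN, then check it.
# Assumes OpenSSL 1.1.1 or newer (needed for -addext).
set -e

FQDN="node-red.suedbroecker.com"   # the fully qualified domain name used as CN

# Generate key.pem and certificate.pem in one step, without prompts.
# -addext adds the SAN entry that browsers check in addition to the CN.
gen_selfsigned() {
  openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
    -out certificate.pem 2>/dev/null
}

# Succeeds when the certificate's CN equals the expected FQDN.
check_cn() {
  openssl x509 -noout -subject -in certificate.pem | grep -q "CN *= *$1\$"
}

# Succeeds when the SAN list contains the expected FQDN.
check_san() {
  openssl x509 -noout -text -in certificate.pem | grep -q "DNS:$1"
}

# Succeeds when key.pem is the private key matching certificate.pem;
# uploading a mismatched pair leaves you without a working https endpoint.
check_keypair() {
  c=$(openssl x509 -noout -pubkey -in certificate.pem | openssl md5)
  k=$(openssl pkey -pubout -in key.pem 2>/dev/null | openssl md5)
  [ "$c" = "$k" ]
}

# Succeeds when the certificate has not expired and verifies against itself
# (a self-signed certificate is its own trust anchor).
check_validity() {
  openssl x509 -noout -checkend 0 -in certificate.pem >/dev/null &&
  openssl verify -CAfile certificate.pem certificate.pem >/dev/null 2>&1
}

gen_selfsigned "$FQDN"
check_cn "$FQDN" && check_san "$FQDN" && check_keypair && check_validity \
  && echo "certificate.pem and key.pem are ready for upload"
```

If any check fails, regenerate the pair rather than uploading; the browser will later show the same name mismatch that check_cn or check_san reports here.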

4. Define a route for your Cloud Foundry app in IBM Cloud

Select Actions/Edit routes for your Cloud Foundry app in the IBM Cloud web console and add the fully qualified domain name which you registered before for your Cloud Foundry org. Keep in mind that in this situation we don’t configure a host name; we just use the fully qualified domain name, in my case node-red.suedbroecker.com.

5. Upload the self-signed SSL certificate

Step 1: Select upload.

Step 2: Ensure you use the newly created files.

Upload the needed self-signed certificate and key files to IBM Cloud. These are the names we used in the OpenSSL command before.

  • Certificate: certificate.pem
  • Key: key.pem

6. Invoke the URL in browsers on your machine and verify the certificate

You will notice, as you see in the following images, that the Chrome and Safari browsers can’t verify our self-signed SSL certificate, because it doesn’t come from a certificate authority they trust. If you ask yourself which certificate authorities are trusted by the browsers, maybe this link to the StackExchange list of certificate authorities in browsers and mobile platforms will help.

  • Chrome
  • Safari
  • View certificate

7. Add the self-signed certificate to your local machine

The image below shows the following three steps:

  1. Copy the self-signed certificate from your browser to your computer
  2. Import the self-signed certificate to the key chain on your computer
  3. Configure to Always Trust

Restart the browser and see your communication is now encrypted, as shown in the two following images.

Note: Here is a quote from a useful blog post: “You need to drag the certificate image onto your desktop and then open Keychain on the Mac. Once imported, double click on it, go to the trust section and under “When using this certificate” select “Always Trust”. You will then be asked for your credentials.”

Summary

As you can see, it’s easy to set up a self-signed SSL certificate for a Cloud Foundry app on IBM Cloud at a Hackathon. You only need to ensure that the CNAME value “node-red” in combination with your domain “suedbroecker.com” reflects the fully qualified domain name used as the Common Name (CN) of the self-signed SSL certificate, in my case node-red.suedbroecker.com. You need a Pay-As-You-Go or Trial account for IBM Cloud for that setup.


I hope this was useful for you, and let’s see what’s next.

Greetings,

Thomas

#ibmcloud, #cname, #ssl, #self-signed, #certificate, #cloudfoundry, #hackathon, #security, godaddy
