Generating a self-signed certificate using OpenSSL

OpenSSL is an open source implementation of the SSL and TLS protocols. It provides an encryption transport layer on top of the normal communications layer, allowing it to be intertwined with many network applications and services.

Before you begin

To complete the tasks described in this topic, you must have access to the TLS Profiles page of the Cloud Manager. For more information on which user roles have access, see Adding users and assigning roles.

About this task

The default TLS Profile in the Cloud Manager has a generic Common Name. When associating an SSL profile to a Gateway Cluster, if using the default TLS Profile, your application making API calls might fail to verify the host name it is connecting to against the certificate presented.

In this case, you can generate a new self-signed certificate that represents a Common Name your application can validate. This topic tells you how to generate self-signed SSL certificate requests using the OpenSSL toolkit to enable HTTPS connections.

Procedure

To generate a self-signed SSL certificate using the OpenSSL, complete the following steps:

  1. Write down the Common Name (CN) for your SSL Certificate. The CN is the fully qualified name for the system that uses the certificate. If you are using Dynamic DNS, your CN should have a wild-card, for example: *.api.com. Otherwise, use the hostname or IP address set in your Gateway Cluster (for example. 192.16.183.131 or dp1.acme.com).
  2. Run the following OpenSSL command to generate your private key and public certificate. Answer the questions and enter the Common Name when prompted. 
    openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
  3. Review the created certificate: 
    openssl x509 -text -noout -in certificate.pem
  4. Combine your key and certificate in a PKCS#12 (P12) bundle: 
     openssl pkcs12 -inkey key.pem -in certificate.pem -export -out certificate.p12
  5. Validate your P2 file. 
    openssl pkcs12 -in certificate.p12 -noout -info
  6. In the Cloud Manager, click TLS Profiles.
  7. Click Add, and enter values in the Display Name, Name, and optionally, Description fields.
  8. In the Present Certificate section, click the Upload Certificate icon Upload Certificate icon.
  9. Click Select File, browse for the certificate file that you want to present for authentication, and click Open.
    Note:
    • API Connect supports only the P12 (PKCS12) format file for the present certificate.
    • Your P12 file must contain the private key, the public certificate from the Certificate Authority, and all intermediate certificates used for signing.
    • Your P12 file can contain a maximum of 10 intermediate certificates.
  10. In the Password text field, enter the password for the certificate file.
    Note: The present certificate must be password protected.
  11. Click Upload.
    The certificate is populated.
  12. To validate the certificate, move the Request and validate the certificate against the supplied CAs in the truststore slider to the On position.
  13. In the Trust Store section, click the Upload Certificate icon Upload Certificate icon.
  14. Click Select File, browse for the certificate file that you want to present for authentication, and click Open.
  15. In the Password text field, enter the password for the certificate file.
  16. Click Upload.
    The certificate is populated.
  17. Expand the Protocols section to display the SSL and TLS versions.
  18. Use the check boxes to indicate the SSL or TLS version.
  19. Click Save.
  20. In the Cloud Manager, click Services.
  21. In the Gateway Services pane, click the Service Settings icon The Service Settings icon.
  22. In the TLS Profile field, select the required profile, then click Save Service.