Generating a Self-Signed SAN Certificate to use Red Hat OpenShift in Nutanix Marketplace

Introduction

If you have tried deploying the Red Hat OpenShift® software using the new Nutanix® Marketplace released with the Nutanix Prism Central™ (PC) 2023.1.0.1 release while PC is using the default self-signed SSL certificate, you likely got an error message saying your PC SSL certificate didn’t seem valid. The marketplace uses the OpenShift Installer Provisioned Infrastructure (IPI) installation method. This method communicates with the PC API to create, update, and delete OpenShift clusters. It requires PC to have a valid SSL certificate installed: either one signed by a public certificate authority (CA) or a well-formed self-signed certificate.

If you have a public domain, you can quickly overcome this issue using the Let’s Encrypt™ certificate authority. If you don’t, you’ll have to generate a self-signed certificate with a subject alternative name (SAN) that includes the PC IP address or the fully qualified domain name (FQDN). The recommended method is to include both the PC IP address and the FQDN.

The following code snippets, based on the Nutanix AOS™ Security Guide, are the easiest way to generate a self-signed certificate for PC that is valid for 10 years and successfully deploy your OpenShift Kubernetes® clusters.

In this blog, we will be using the Nutanix Dev Station™ toolkit for this purpose. If this is your first time hearing about it, check out the article “Nutanix Dev Station: A containerized toolkit for managing Nutanix and Kubernetes”. Using the Nutanix Dev Station is optional; you just need a machine with OpenSSL version 1.1.1 or later.

Option 1: PC IP + FQDN (Recommended)

  1. Open a terminal in the Nutanix Dev Station.
  2. Set an environment variable called PC_IP with the PC IP address, and an environment variable called PC_FQDN with the PC FQDN.

     export PC_IP=10.42.239.39
     export PC_FQDN=pc.ntnxlab.local

  3. Generate the self-signed certificate.

     openssl req -x509 -nodes -days 3650 \
     -newkey rsa:2048 -keyout ${PC_IP}.key -out ${PC_IP}.crt \
     -subj "/C=US/ST=CA/L=San Jose/O=Nutanix Inc./OU=Manageability/CN=*.nutanix.local" \
     -addext "subjectAltName=IP:${PC_IP},DNS:${PC_FQDN}"

  4. Replace your PC certificate with the generated files (Importing an SSL Certificate).
    • Use the *.crt file for the Public Certificate and CA Certificate/Chain.
    • Use the *.key file for the Private Key.

Option 2: PC IP

  1. Open a terminal in the Nutanix Dev Station.
  2. Set an environment variable PC_IP with the PC IP address.

     export PC_IP=10.42.239.39

  3. Generate the self-signed certificate.

     openssl req -x509 -nodes -days 3650 \
     -newkey rsa:2048 -keyout ${PC_IP}.key -out ${PC_IP}.crt \
     -subj "/C=US/ST=CA/L=San Jose/O=Nutanix Inc./OU=Manageability/CN=*.nutanix.local" \
     -addext "subjectAltName=IP:${PC_IP}"

  4. Replace your PC certificate with the generated files (Importing an SSL Certificate).
    • Use the *.crt file for the Public Certificate and CA Certificate/Chain.
    • Use the *.key file for the Private Key.

Option 3: PC FQDN

  1. Open a terminal in the Nutanix Dev Station.
  2. Set an environment variable PC_FQDN with the PC FQDN.

     export PC_FQDN=pc.ntnxlab.local

  3. Generate the self-signed certificate.

     openssl req -x509 -nodes -days 3650 \
     -newkey rsa:2048 -keyout ${PC_FQDN}.key -out ${PC_FQDN}.crt \
     -subj "/C=US/ST=CA/L=San Jose/O=Nutanix Inc./OU=Manageability/CN=*.nutanix.local" \
     -addext "subjectAltName=DNS:${PC_FQDN}"

  4. Replace your PC certificate with the generated files (Importing an SSL Certificate).
    • Use the *.crt file for the Public Certificate and CA Certificate/Chain.
    • Use the *.key file for the Private Key.

Once the PC page reloads, you can proceed to the Nutanix Marketplace and test the deployment of an OpenShift cluster. Whichever identifier you put in the certificate, the IP address or the FQDN, use that same identifier when setting the value for the Prism Central FQDN variable.
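Before importing the files, you can confirm which identifiers the certificate covers and that the key belongs to it. The script below is an added example, not part of the original post or of Nutanix tooling: it rebuilds the Option 2 certificate with the article's sample values and checks it with `openssl x509 -checkip` and `-checkhost`. The helper names `gen_cert`, `san_matches` and `key_matches_cert` are hypothetical.

```shell
#!/bin/sh
# Added example; gen_cert, san_matches and key_matches_cert are hypothetical helpers.

# gen_cert OUTBASE SAN: the article's openssl command with the SAN as a parameter.
gen_cert() {
  ( umask 077  # -nodes writes the private key unencrypted: keep it owner-only
    openssl req -x509 -nodes -days 3650 \
      -newkey rsa:2048 -keyout "$1.key" -out "$1.crt" \
      -subj "/C=US/ST=CA/L=San Jose/O=Nutanix Inc./OU=Manageability/CN=*.nutanix.local" \
      -addext "subjectAltName=$2" )
}

# san_matches CERT ip|host VALUE: exit 0 only if the certificate covers VALUE.
san_matches() {
  case $2 in
    ip)   sm_flag=-checkip ;;
    host) sm_flag=-checkhost ;;
    *)    echo "kind must be ip or host" >&2; return 2 ;;
  esac
  # openssl prints "... does match certificate" or "... does NOT match certificate"
  openssl x509 -in "$1" -noout "$sm_flag" "$3" | grep -q 'does match certificate'
}

# key_matches_cert CERT KEY: exit 0 only if KEY is the private key for CERT.
key_matches_cert() {
  kc_cert=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  kc_key=$(openssl pkey -in "$2" -pubout) || return 1
  [ -n "$kc_cert" ] && [ "$kc_cert" = "$kc_key" ]
}

# Demo: Option 2 certificate (IP-only SAN) with the article's sample values.
demo_dir=$(mktemp -d)
gen_cert "$demo_dir/pc" "IP:10.42.239.39"
for probe in "ip 10.42.239.39" "host pc.ntnxlab.local"; do
  # $probe is left unquoted on purpose so it splits into kind and value
  if san_matches "$demo_dir/pc.crt" $probe; then
    echo "covered:     $probe"
  else
    echo "NOT covered: $probe"
  fi
done
key_matches_cert "$demo_dir/pc.crt" "$demo_dir/pc.key" && echo "key matches certificate"
rm -rf "$demo_dir"
```

An IP-only certificate reports the FQDN as not covered, which is why the Prism Central FQDN variable has to carry the same identifier that is in the SAN.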

If this is the first time you deploy a Red Hat OpenShift cluster using the Nutanix Marketplace, we recommend you watch the following video: Red Hat OpenShift Nutanix Marketplace Installation | AHV Mission Control | Nutanix University


© 2023 Nutanix, Inc. All rights reserved. Nutanix, the Nutanix logo and all Nutanix product, feature and service names mentioned herein are registered trademarks or trademarks of Nutanix, Inc. in the United States and other countries. Other brand names mentioned herein are for identification purposes only and may be the trademarks of their respective holder(s). This post may contain links to external websites that are not part of Nutanix.com. Nutanix does not control these sites and disclaims all responsibility for the content or accuracy of any external site. Our decision to link to an external site should not be considered an endorsement of any content on such a site. Certain information contained in this post may relate to or be based on studies, publications, surveys and other data obtained from third-party sources and our own internal estimates and research. While we believe these third-party studies, publications, surveys and other data are reliable as of the date of this post, they have not independently verified, and we make no representation as to the adequacy, fairness, accuracy, or completeness of any information obtained from third-party sources.

This post may contain express and implied forward-looking statements, which are not historical facts and are instead based on our current expectations, estimates and beliefs. The accuracy of such statements involves risks and uncertainties and depends upon future events, including those that may be beyond our control, and actual results may differ materially and adversely from those anticipated or implied by such statements. Any forward-looking statements included herein speak only as of the date hereof and, except as required by law, we assume no obligation to update or otherwise revise any of such forward-looking statements to reflect subsequent events or circumstances.
