SSL Renewal - bcgov/common-service-showcase GitHub Wiki

SSL Certificate Renewal

Steps to create or renew an SSL certificate for a route on OpenShift

  1. Create a service desk ticket with the Infrastructure/Middle-tier dept.: https://apps.nrs.gov.bc.ca/int/jira/servicedesk/customer/portal/1/create/941

  2. Generate a Certificate Signing Request (CSR) and private key with the openssl CLI on your workstation by running the following command:

    openssl req -new -newkey rsa:2048 -nodes -out bcbox.nrs.gov.bc.ca.csr -keyout bcbox.nrs.gov.bc.ca.key -subj "/C=CA/ST=British Columbia/L=Victoria/O=Government of the Province of British Columbia/OU=Ministry of Water Land and Resource Stewardship/CN=bcbox.nrs.gov.bc.ca"

    This will create the .csr and .key files in the current directory. Only the .csr is sent to the service desk; the .key is written unencrypted (that is what -nodes does), so keep it out of version control and shared drives until you paste it into the route in step 6.

  3. Attach the .csr file to the service desk ticket.

  4. Attach the iStore billing codes to the service desk ticket. There are six: Client / Responsibility / Service Line / Project / Expense Authority / TCA Account (also called Financial Reporting account). This step may not be required for a renewal, or if the infrastructure team already has your details.

  5. Infrastructure will place an iStore order for the certificate and attach the required files to the service desk ticket. Typically these are:

    • the original .csr file (only needed to confirm it matches the request you submitted)

    • 3 text files:

      • 'bcbox.nrs.gov.bc.ca.cert.txt'
      • 'L1K for certs.txt'
      • 'L1K root for certs.txt' (sometimes equivalently named 'G2Root.txt')

      There may be just 2 attached files:

      • 'bcbox.nrs.gov.bc.ca.cert.txt'
      • 'L1K Chain.txt' (see below for install instructions)

  6. Install the new certificate:

    Go to the route configuration in our openshift namespace. eg: https://console.apps.silver.devops.gov.bc.ca/k8s/ns/e7679d-prod/routes/bcbox-nrs-vanity

    Edit the route and paste the contents of the files into the associated fields:

    • Certificate: contents of 'bcbox.nrs.gov.bc.ca.cert.txt'
    • Key: contents of 'bcbox.nrs.gov.bc.ca.key' (the file you generated locally in step 2)
    • CA certificate: contents of 'L1K for certs.txt' followed by 'L1K root for certs.txt', pasted one after the other into the same field (intermediate first, then root). If only 2 files were provided, paste 'L1K Chain.txt' here instead.

    The site should serve the new certificate immediately after saving the route. Verify it, including the chain and the new expiry date, with: https://www.ssllabs.com/ssltest/analyze.html?d=bcbox.nrs.gov.bc.ca
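Before pasting anything into the route in step 6 it is worth confirming that the certificate Infrastructure returned actually belongs to the key you generated in step 2 and chains to the CA bundle they supplied; a mismatch only shows up as a TLS error after the route is saved. The script below is an added example and is not part of the bcgov wiki or project. It assumes the openssl CLI is on PATH and uses the filenames from this page; because it has to run offline, the "issuer" is a throwaway root CA constructed inside the script that signs the CSR in place of the real L1K/G2 chain.

```shell
#!/usr/bin/env bash
# Added example, not from the bcgov wiki: sanity-check the key, CSR, cert and
# CA bundle from steps 2 and 5 before pasting them into the OpenShift route.
# Assumes: openssl on PATH. The root CA created in fake_issuer() is a
# constructed stand-in for the real L1K/G2 chain so the script runs offline.
set -eu

SUBJ="/C=CA/ST=British Columbia/L=Victoria/O=Government of the Province of British Columbia/OU=Ministry of Water Land and Resource Stewardship/CN=bcbox.nrs.gov.bc.ca"

# Step 2 as on the page: private key + CSR. -nodes leaves the key unencrypted,
# so restrict its mode and keep it out of git.
make_csr_and_key() {   # $1 = output dir
  openssl req -new -newkey rsa:2048 -nodes -subj "$SUBJ" \
    -out "$1/bcbox.nrs.gov.bc.ca.csr" -keyout "$1/bcbox.nrs.gov.bc.ca.key" 2>/dev/null
  chmod 600 "$1/bcbox.nrs.gov.bc.ca.key"
}

# SHA-256 over the DER public key. Key, CSR and cert that belong together
# all yield the same value, so comparing fingerprints is the matching test.
pubkey_fp() {   # $1 = key|req|x509, $2 = file
  case "$1" in
    key)  openssl pkey -in "$2" -pubout -outform DER ;;
    req)  openssl req  -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER ;;
    x509) openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER ;;
  esac | openssl dgst -sha256 | awk '{print $NF}'
}

csr_matches_key()  { [ "$(pubkey_fp req  "$1")" = "$(pubkey_fp key "$2")" ]; }
cert_matches_key() { [ "$(pubkey_fp x509 "$1")" = "$(pubkey_fp key "$2")" ]; }

# Does the returned cert validate against the CA bundle (intermediate then
# root, concatenated in the order the page says to paste them)?
cert_chains_to() {   # $1 = cert, $2 = CA bundle
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Subject CN of a certificate; should be the hostname of the route.
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Constructed stand-in for step 5: a throwaway root signs our CSR and the
# root itself plays the part of 'L1K Chain.txt'. NOT the real issuer.
fake_issuer() {   # $1 = dir containing the CSR
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test Root" \
    -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
  openssl x509 -req -in "$1/bcbox.nrs.gov.bc.ca.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -days 1 -out "$1/bcbox.nrs.gov.bc.ca.cert.txt" 2>/dev/null
  cp "$1/root.pem" "$1/L1K Chain.txt"
}

# Full pre-paste check; returns 0 only if key, CSR, cert and chain all agree.
check_bundle() {   # $1 = dir holding the .key, .csr, cert.txt and chain file
  local d="$1"
  csr_matches_key  "$d/bcbox.nrs.gov.bc.ca.csr"      "$d/bcbox.nrs.gov.bc.ca.key" || { echo "CSR does not match key";  return 1; }
  cert_matches_key "$d/bcbox.nrs.gov.bc.ca.cert.txt" "$d/bcbox.nrs.gov.bc.ca.key" || { echo "cert does not match key"; return 1; }
  cert_chains_to   "$d/bcbox.nrs.gov.bc.ca.cert.txt" "$d/L1K Chain.txt"           || { echo "cert does not chain to CA bundle"; return 1; }
  echo "OK: $(cert_cn "$d/bcbox.nrs.gov.bc.ca.cert.txt") matches key and chains to bundle"
}

# End-to-end demo with the constructed issuer: `bash check_cert_bundle.sh run`
demo() {
  local d; d="$(mktemp -d)"
  make_csr_and_key "$d"
  fake_issuer "$d"
  check_bundle "$d"
  rm -rf "$d"
}

if [ "${1-}" = "run" ]; then demo; fi
```

For a real renewal, skip `fake_issuer`, drop the files from the ticket into a directory next to your .key and .csr, and run `check_bundle` on that directory; if the chain check fails, the usual cause is the intermediate and root pasted in the wrong order, or a 'G2Root.txt' that does not correspond to the issuer of 'L1K for certs.txt'.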