SSL Renewal - bcgov/common-service-showcase GitHub Wiki
SSL Certificate Renewal
Steps to create or renew an SSL certificate on OpenShift:

1. Create a service desk ticket with the Infrastructure/Middle-tier dept.: https://apps.nrs.gov.bc.ca/int/jira/servicedesk/customer/portal/1/create/941
2. Generate a Certificate Signing Request (CSR) and private key with the openssl CLI. On your workstation run:

   ```shell
   openssl req -new -newkey rsa:2048 -nodes -out bcbox.nrs.gov.bc.ca.csr -keyout bcbox.nrs.gov.bc.ca.key -subj "/C=CA/ST=British Columbia/L=Victoria/O=Government of the Province of British Columbia/OU=Ministry of Water Land and Resource Stewardship/CN=bcbox.nrs.gov.bc.ca"
   ```

   This creates the `.csr` and `.key` files in the current directory.
3. Attach the `.csr` file to the service desk ticket. Attach only the CSR: the `.key` file is the private key and stays on your workstation until you paste it into the route in step 6.
4. Attach the iStore billing codes to the service desk ticket. There are six: Client / Responsibility / Service Line / Project / Expense Authority / TCA Account (also called Financial Reporting account). This step may not be required if you are doing a renewal or if the infrastructure team already has your details.
5. Infrastructure will place an iStore order for the certificate and attach the required files to the service desk ticket. Typically these are:
   - the original `.csr` file (which we don't need other than to check it matches our request)
   - 3 text files:
     - 'bcbox.nrs.gov.bc.ca.cert.txt'
     - 'L1K for certs.txt'
     - 'L1K root for certs.txt' (sometimes equivalently named 'G2Root.txt')

   There may be just 2 attached files:
   - 'bcbox.nrs.gov.bc.ca.cert.txt'
   - 'L1K Chain.txt' (see below for install instructions)
6. Install the new certificate. Go to the route configuration in our OpenShift namespace, e.g. https://console.apps.silver.devops.gov.bc.ca/k8s/ns/e7679d-prod/routes/bcbox-nrs-vanity. Edit the route and paste the contents of the files into the associated fields:
   - Certificate: contents of file 'bcbox.nrs.gov.bc.ca.cert.txt'
   - Key: contents of file 'bcbox.nrs.gov.bc.ca.key' (that you generated locally in step 2)
   - CA certificate: contents of both files 'L1K for certs.txt' and 'L1K root for certs.txt' pasted one after the other in the same CA field. (If only 2 files were provided for the certificate, 'L1K Chain.txt' is pasted here.)

   The site should work immediately after saving these OpenShift settings. A tool to verify is: https://www.ssllabs.com/ssltest/analyze.html?d=bcbox.nrs.gov.bc.ca
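As an added pre-flight check (not part of the wiki's procedure), the POSIX shell script below confirms that the key you generated in step 2, the CSR you attached to the ticket and the certificate that came back all carry the same public key, and that the certificate validates against the chain file you will paste into the CA field. It assumes the openssl CLI is installed; `make_demo` is a constructed helper that builds throwaway self-signed material under the file names used on this page so the checks can be tried offline.

```shell
#!/bin/sh
# Added example, not from the wiki: pre-flight checks before pasting renewed
# material into the OpenShift route. Needs the openssl CLI on the workstation.

# SHA-256 of the public key carried by a key, CSR or certificate file.
pubkey_fingerprint() {          # $1 = file, $2 = key|csr|cert
  case "$2" in
    key)  openssl pkey -in "$1" -pubout -outform DER ;;
    csr)  openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER ;;
    cert) openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER ;;
  esac 2>/dev/null | openssl dgst -sha256 -r | cut -d' ' -f1
}

# 0 when the key from step 2, the CSR attached to the ticket and the certificate
# that came back all carry the same public key; anything else means the wrong
# file was attached or returned, and the route would fail to serve TLS.
same_keypair() {                # $1 = key, $2 = csr, $3 = cert
  k=$(pubkey_fingerprint "$1" key)
  c=$(pubkey_fingerprint "$2" csr)
  x=$(pubkey_fingerprint "$3" cert)
  [ -n "$k" ] && [ "$k" = "$c" ] && [ "$k" = "$x" ]
}

# 0 when the certificate validates (chain and validity dates) against the file
# that will go into the route's CA field: intermediate and root concatenated,
# or the single 'L1K Chain.txt'.
chain_ok() {                    # $1 = cert, $2 = CA chain file
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Constructed demo material under the file names used on this page: a throwaway
# root CA signs a leaf for bcbox.nrs.gov.bc.ca. Real runs use the key you
# generated and the files attached to the ticket instead.
make_demo() {                   # $1 = empty output directory
  d="$1"; cn=bcbox.nrs.gov.bc.ca
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/L1K Chain.txt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$d/$cn.key" -out "$d/$cn.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$d/$cn.csr" -CA "$d/L1K Chain.txt" \
    -CAkey "$d/root.key" -CAcreateserial -out "$d/$cn.cert.txt" 2>/dev/null
  openssl genrsa -out "$d/other.key" 2048 2>/dev/null   # unrelated key, for contrast
}
```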