
I want to create a self-signed certificate to be used in a Google load balancer. I have composed the following script to prepare it:

#!/bin/bash

# quote the wildcard so the shell cannot expand it as a glob
FQDN='*.domain.net'
SUBJ="/C=CZ/ST=Country/L=City/O=Authority/CN=$FQDN"
VALIDITY=3650

# make directories to work from
mkdir -p certs

# generate self signed root CA cert
openssl req -nodes -x509 -newkey rsa:2048 -keyout certs/ca.key -out certs/ca.crt -subj "$SUBJ"

# generate server cert to be signed
openssl req -nodes -newkey rsa:2048 -keyout certs/server.key -out certs/server.csr -subj "$SUBJ"

# sign the server cert
openssl x509 -req -in certs/server.csr -CA certs/ca.crt -CAkey certs/ca.key -CAcreateserial -out certs/server.crt

# create server PEM file
cat certs/server.key certs/server.crt > certs/server.pem

# generate client cert to be signed
openssl req -nodes -newkey rsa:2048 -days $VALIDITY -keyout certs/client.key -out certs/client.csr -subj "$SUBJ"

# sign the client cert
openssl x509 -req -in certs/client.csr -CA certs/ca.crt -CAkey certs/ca.key -CAserial certs/ca.srl -out certs/client.crt

# create client PEM file
cat certs/client.key certs/client.crt > certs/client.pem

This works correctly and produces all certificates with no errors.

However, when I try to put these into the Google load balancer, it refuses to accept the generated certificates. I am putting:

  1. certs/client.crt to the "public key certificate" field
  2. certs/client.pem to the "Certificate chain" field
  3. certs/server.key to the "private key" field

[screenshot of the load balancer error message not included]

Vojtěch
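As an added example (not the poster's script, and not anything from Google's documentation), here is the same CA -> CSR -> signed server certificate procedure written the way I would hand it to someone who has to upload the result somewhere: the validity goes on the signing step (`openssl x509 -req` otherwise issues a 30-day certificate, and `-days` on a CSR is ignored), the CA gets its own subject instead of sharing the leaf's, the wildcard goes into a subjectAltName, and three local checks run before anything is uploaded: does the private key belong to the certificate, does the leaf chain to the CA, and is the validity what was asked for. The key check is the one that would have flagged pairing `server.key` with `client.crt`. `*.example.net`, the DN fields, `CERT_DIR` and the 398-day figure are placeholders I chose; the script needs only `openssl` and a POSIX shell.

```shell
#!/bin/bash
# Added example, not the original poster's script: build a private CA and a
# server certificate, then verify the files before uploading them anywhere.
# *.example.net, the DN fields, CERT_DIR and VALIDITY are placeholders.
set -eu

FQDN='*.example.net'          # quoted so the shell cannot glob-expand the star
SUBJ="/C=CZ/ST=State/L=City/O=Example/CN=${FQDN}"
VALIDITY=398                  # days, applied at signing time below

gen_certs() {
  dir="$1"
  mkdir -p "$dir"

  # Private root CA with its own subject. "req -x509" takes -days directly.
  openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 3650 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/C=CZ/O=Example/CN=Example private root CA" 2>/dev/null

  # Server key and CSR. -days is silently ignored on a CSR, so it is not given.
  openssl req -nodes -newkey rsa:2048 -sha256 \
    -keyout "$dir/server.key" -out "$dir/server.csr" -subj "$SUBJ" 2>/dev/null

  # Leaf extensions: clients match names against SAN, not CN, and a wildcard
  # does not cover the bare apex, so both names are listed.
  printf 'subjectAltName=DNS:%s,DNS:%s\nextendedKeyUsage=serverAuth\n' \
    "$FQDN" "${FQDN#\*.}" > "$dir/server.ext"

  # Sign. -days belongs here: without it "x509 -req" issues a 30-day cert.
  openssl x509 -req -sha256 -days "$VALIDITY" \
    -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null

  # A chain file is the leaf followed by its issuer; the private key is a
  # separate upload and is never concatenated into it.
  cat "$dir/server.crt" "$dir/ca.crt" > "$dir/chain.pem"
}

# Exit 0 when the public half of the key equals the public key in the cert.
# Compares DER-encoded SubjectPublicKeyInfo digests, so it works for any key type.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null \
      | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Exit 0 when the leaf certificate chains to the given CA certificate.
chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Exit 0 when the certificate is still valid at least N days from now.
valid_at_least_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Preflight run when CERT_DIR is set, e.g.  CERT_DIR=./certs ./mkcerts.sh
if [ -n "${CERT_DIR:-}" ]; then
  gen_certs "$CERT_DIR"
  key_matches_cert "$CERT_DIR/server.key" "$CERT_DIR/server.crt" \
    || { echo "server.key does not match server.crt" >&2; exit 1; }
  chain_verifies "$CERT_DIR/server.crt" "$CERT_DIR/ca.crt" \
    || { echo "server.crt does not chain to ca.crt" >&2; exit 1; }
  valid_at_least_days "$CERT_DIR/server.crt" 397 \
    || { echo "server.crt is valid for less than 397 days" >&2; exit 1; }
  echo "ok: upload server.crt, chain.pem and server.key"
fi
```

Run `key_matches_cert` against whichever key and certificate you are about to paste into the two upload fields; a mismatch there is a local mistake, not a load balancer policy, and is cheaper to find on your own machine than in an upload error.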

1 Answer


You can use self-signed certificates for backend services. You cannot use self-signed certificates for frontend services.

Google Cloud HTTP Load Balancers only accept SSL certificates that are Domain Validated or higher.

Do not confuse self-managed and self-signed certificates.

Self-managed and Google-managed SSL certificates

The error message in your question means you are importing the wrong private key. You also have another error: VALIDITY=3650. Public-facing SSL certificates cannot be longer than 825 days (I think the practice is 398 days now), and almost all vendors will not issue one longer than 365 days. Certificates valid longer than 365 days require even more details attached to the certificate.

John Hanley
  • Hi, thanks for your answer. I am a bit confused. Is the process I am doing above "self-managed" or "self-signed" in this context? Or: is the process above correct for Google frontend services? "The error message in your question means you are importing the wrong private key." - I understand that, but I am not sure what is wrong with the process above - I updated the question with what I put where. – Vojtěch Jun 06 '21 at 18:44
  • @Vojtěch Your process is using "self signed" which is not supported. Even if you specify the correct private key, the certificate will be rejected. – John Hanley Jun 06 '21 at 18:45
  • A validity of 10 years _would_ be wrong but these certs don't have that: the shell var VALIDITY is not used for the CA cert or server cert at all, and for the client cert (which is completely unneeded and useless) it is used only on `req -newkey` where it is ignored, not on `x509 -req -CA*` where it would actually affect the cert. `openssl` defaults all these certs to 30 day validity, and the actual problems are other. – dave_thompson_085 Jun 06 '21 at 20:22
  • @dave_thompson_085 - How do your comments affect my answer regarding Google Cloud HTTP Load Balancer frontends accepting certificates? Openssl self-signed certificates cannot be used with Google Cloud frontends. I am happy to improve my answer for the benefit of future readers, let me know what should be improved. – John Hanley Jun 06 '21 at 20:30