Carlos Spitzer bio photo

Carlos Spitzer

Senior Consultant at Red Hat

Email Twitter Facebook Google+ LinkedIn Github

One of the features that OpenShift Online has is the chance to use your own SSL certificates for new application aliases. The main purpose to use your own self-signed certificates in your application aliases is to identify and provide who is the owner of the website. If you want to know more, please visit the following link: https://www.openshift.com/blogs/domain-names-and-ssl-in-the-openshift-web-console.

Creating the SSL certificate

Executing this command you will create two certificates:

  • The SSL certificate: cert.pem.
  • The private key certificate: key.pem.
$ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 3650
Generating a 2048 bit RSA private key
............+++
..+++
writing new private key to 'key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:Your State
Locality Name (eg, city) []:Your Town
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Test Ltd.
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:your-site.example.com                                        
Email Address []:your@email.com

I used 3650 days (10 years) for certificate validity and random information for educational purposes. Use your own information and FQDN for your OpenShift Online application alias.


### Uploading the certificate Once you have generated your self-signed certificate, you must uploaded to your OpenShift Online application. You have two ways:

  • Using the OpenShift Online web UI
  • Using the command line tool rhc. If you use the web UI, go to your application, click on the alias which you want to upload the new certificates and the following dialog will appear:

Upload your certificates and press “Save“.

On the other hand, if you use the rhc command (the method I prefer to use), you must execute the following command:

$ rhc alias update-cert <app_name> -n <domain> <app_alias> --certificate cert.pem --private-key key.pem


### Check if the certificate works Execute the following command to check if the new SSL certificate has been uploaded and assigned successfuly:

$ rhc alias list <app_name> -n <domain>
Alias                   Has Certificate? Certificate Added
----------------------- ---------------- -----------------
aap_name                yes              2014-08-18

If you see the “Has Certificate?” colum with a ‘yes’ status, you have successfuly uploaded your SSL self-signed certificate.