Manual TLS Certificates

  • Canonical Telco
Channel Revision Published Runs on
latest/stable 108 04 Jul 2024
Ubuntu 22.04
latest/candidate 108 04 Jul 2024
Ubuntu 22.04
latest/beta 108 04 Jul 2024
Ubuntu 22.04
latest/edge 129 22 Oct 2024
Ubuntu 22.04
latest/edge 128 22 Oct 2024
Ubuntu 22.04
juju deploy manual-tls-certificates
Show information

Platform:

Ubuntu
22.04

Getting Started

In this tutorial, we will use the Manual TLS Certificates charm to provide certificates to a requiring charm using the TLS Certificates Requirer Operator as our TLS certificates requirer.

1. Install pre-requisites

Install MicroK8s:

sudo snap install microk8s

Enable the hostpath-storage MicroK8s add-on:

microk8s enable hostpath-storage

Install Juju:

sudo snap install juju

2. Bootstrap a Juju controller

Bootstrap a Juju controller:

juju bootstrap microk8s

Create a Juju model:

juju add-model demo

3. Deploy Manual TLS Certificates

juju deploy manual-tls-certificates

4. Deploy tls-certificates-requirer

juju deploy tls-certificates-requirer

5. Integrate the two charms

Integrate the charms with their tls-certificates interface:

juju integrate manual-tls-certificates tls-certificates-requirer

Wait for both charms to be in the active/idle status.

ubuntu@server:~$ juju status
Model  Controller          Cloud/Region        Version  SLA          Timestamp
dev    microk8s-localhost  microk8s/localhost  3.4.0    unsupported  15:31:05-05:00

App                        Version  Status  Scale  Charm                      Channel  Rev  Address         Exposed  Message
manual-tls-certificates             active      1  manual-tls-certificates               0  10.152.183.58   no       1 outstanding requests, use juju actions to provide certificates
tls-certificates-requirer           active      1  tls-certificates-requirer  edge      45  10.152.183.241  no       Certificate request is sent

Unit                          Workload  Agent  Address      Ports  Message
manual-tls-certificates/0*    active    idle   10.1.182.25         1 outstanding requests, use juju actions to provide certificates
tls-certificates-requirer/0*  active    idle   10.1.182.40         Certificate request is sent

6. Generate a CA key and certificate with OpenSSL

Create a certs directory

mkdir certs

Generate a Private Key

openssl genrsa -out certs/ca.key 2048

Generate a CA certificate

openssl req -new -x509 -days 3650 -key certs/ca.key -out certs/ca.crt -subj "/C=US/CN=pizza.com"

7. Retrieve the CSR

Retrieve the Certificate Signing Request (CSR) made by the TLS Certificates requirer and passed to the Manual TLS Certificates:

juju run manual-tls-certificates/leader get-outstanding-certificate-requests --format=json | yq '.manual-tls-certificates/0.results.result' | yq '.[0].csr' > certs/client.csr

8. Sign the certificate

Sign the certificate and provide it to Manual TLS Certificates:

openssl x509 -req -in certs/client.csr -CA certs/ca.crt -CAkey certs/ca.key -CAcreateserial -out certs/client.crt -days 365 -sha256

Provide the certificate to Manual TLS Certificates:

juju run manual-tls-certificates/leader provide-certificate \
  certificate="$(base64 -w0 certs/client.crt)" \
  ca-certificate="$(base64 -w0 certs/ca.crt)" \
  certificate-signing-request="$(base64 -w0 certs/client.csr)"

9. Validate that the certificate was provided correctly

ubuntu@server:~$ juju run tls-certificates-requirer/leader get-certificate
Running operation 81 with 1 task
  - task 82 on unit-tls-certificates-requirer-0

Waiting for task 82...
ca-certificate: |-
  -----BEGIN CERTIFICATE-----
  MIIDIzCCAgugAwIBAgIUMdmiAJ3GwQSNFlyv6WV/+dfHLucwDQYJKoZIhvcNAQEL
  BQAwITELMAkGA1UEBhMCVVMxEjAQBgNVBAMMCXBpenphLmNvbTAeFw0yNDAyMjYy
  MDM3MDlaFw0zNDAyMjMyMDM3MDlaMCExCzAJBgNVBAYTAlVTMRIwEAYDVQQDDAlw
  aXp6YS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDQYdSsh37c
  t7Dtgbh1jd0Y6VZIlmt5/3lOGJ4vA123tTpf+ll99Dz8KS3E/H/T5WvC4N/n41+l
  ZET+SfNr+VcJ6GopjhD/nYjgQL3CuTsFfo40ZZGJXGG2HTZpK9rZ1r6mSK3lmwTj
  KtnAE0uwYIErNwJuIXj2d7AyhmqaBGfxU7VrPow3ZT12VxBDxjmIKxNnO1nFOdEX
  KoJ6ZyhH4yxZyT9zazqV9e06M1hfOThdXXTXEz5gxnR9IjpgCV8FUsNwBdULqrvi
  V2J6sr/WonuFdtHXHiMY3sb8PX2t9ZFDHHCpwX0/TWkqD35uZzPCUbMfm4Hgi8Rj
  STa+pggodl4tAgMBAAGjUzBRMB0GA1UdDgQWBBT0hOA9rop0hXmcp3YN7B3WJ/kF
  nDAfBgNVHSMEGDAWgBT0hOA9rop0hXmcp3YN7B3WJ/kFnDAPBgNVHRMBAf8EBTAD
  AQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAugqNHcRftTth+KjLFjpuPRJu/6LR0A/ix
  Xh6ZZ1lmeddt7rESb0xxQJFd1VA7ySYDJBNFgoWbCBwqgGyBOL0DqtyZdj22EdBh
  XPGMQxDFnBnU1ZvjmWkmdKYhBOu9vUmcchrWn7xudya7/q3K76ScDnIwucdzCgwh
  CRZtAzh3wQRfsOMnbPbAQU7KNCH3bWANERGWoMgA/a3y1Yw4m+YTNxfpQNP1sRP5
  yQtT3Vgh/oj9JyO88fFpzLoVpq8rJxyzdwSCgoVg/w6zz4ckDXD/hE9rdaL9eAaK
  sbEgEBQMx3JYDJzgqdQRYAjxT3Us4bPjr9GC+63RFO/+IAD5it4G
  -----END CERTIFICATE-----
certificate: |-
  -----BEGIN CERTIFICATE-----
  MIIDATCCAekCFD49IljmLaHZuZyoP1UgRd62IU2NMA0GCSqGSIb3DQEBCwUAMCEx
  CzAJBgNVBAYTAlVTMRIwEAYDVQQDDAlwaXp6YS5jb20wHhcNMjQwMjI2MjEwMjQz
  WhcNMjUwMjI1MjEwMjQzWjBZMSgwJgYDVQQDDB90bHMtY2VydGlmaWNhdGVzLXJl
  cXVpcmVyLTAuZGV2MS0wKwYDVQQtDCRhNDk2ZWQxZS1mMTk3LTRmYTctYmMzNC1m
  MTlhNDYzNjM4ZmIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCr7e+m
  tgBCApKlMzumZ3you2nrtby45VWZpaDbdzxWl5HT9++xUBvS5CMXv5LrRa0hF/kK
  /Z3e7HSKD9VbCrLTGzannwAVhDjNEQzSXxKIBgk10zEylKvCkgmUvea15qSALYZm
  rISixRkSWeUTS2e348110XxfX2gGXa5n9vhBNhUcElT0Sf5/RpzJblEhD6qVMFVi
  6wx1tq7scwI2CY0DPGHMW8+XOrmuCArB/7AtosZRKFkq7psUriUMpyS56rslN+hU
  HKm2Ho/VJARPCtLq97QacS7u2i/zoUn3uzB9Xvk7CLVKETjf6pMlIGN+NabIGWMY
  Jf5Dx+2kDwgxduzVAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAFu56JcROdmKFCqF
  xO1u9A6fTraKs3yovvSLIoqppmLMehEYgRw7yEe9IF+OgzUnIcd6CWJ12DDSW7WY
  AyJmxIEXPuxumjOvB9PrwSWInc6td3mrfitAVKpJOK4angOuaoQcR76jghAUP+mT
  Lcq9fXp4YGvCqH9hrTEnLoVeuN/ikl6yTjDt5CNnYegECpVG7vGG0/KITRkxJEHw
  vmWgGBcY7ny0tWNwyLUtyEUNdIKIiWQFecQJEEMY/WdB75CLS7xay4JOcpEvIxCe
  KDGc6aPHy9NWTS9/ofWcV0ysjA7HoaR62KK9v604x96YrFStPierbcxeIIsgWWXb
  rhjq+FU=
  -----END CERTIFICATE-----
csr: |-
  -----BEGIN CERTIFICATE REQUEST-----
  MIICnjCCAYYCAQAwWTEoMCYGA1UEAwwfdGxzLWNlcnRpZmljYXRlcy1yZXF1aXJl
  ci0wLmRldjEtMCsGA1UELQwkYTQ5NmVkMWUtZjE5Ny00ZmE3LWJjMzQtZjE5YTQ2
  MzYzOGZiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq+3vprYAQgKS
  pTM7pmd8qLtp67W8uOVVmaWg23c8VpeR0/fvsVAb0uQjF7+S60WtIRf5Cv2d3ux0
  ig/VWwqy0xs2p58AFYQ4zREM0l8SiAYJNdMxMpSrwpIJlL3mteakgC2GZqyEosUZ
  ElnlE0tnt+PNddF8X19oBl2uZ/b4QTYVHBJU9En+f0acyW5RIQ+qlTBVYusMdbau
  7HMCNgmNAzxhzFvPlzq5rggKwf+wLaLGUShZKu6bFK4lDKckueq7JTfoVBypth6P
  1SQETwrS6ve0GnEu7tov86FJ97swfV75Owi1ShE43+qTJSBjfjWmyBljGCX+Q8ft
  pA8IMXbs1QIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAJQaBeqpMRQgJWXhH4FI
  t5ByNPKyzQ1ttlRLKmRBgbwfCqfBxX6oAZkQXibGskbZpR/KVZC+jfJLwhkQxY+f
  eQmc2X40nzQk/2QrAywLcpk//yOp8NizrYV4Vc+gO2KI2H5+IYTbPlH1mbZWQFHH
  nvYfK553FDL7Mx3WL4iqQGisyYYN4aEBqMFJaCc/h/Ar6ZHH+Tgx4EoZ5luNG/hL
  DJkXeuKeopt6oNp2n8ROvcy+vTcMWBXemV+yJ0YUnLoreyiUUnX1BT/1Aa6jQ4za
  Dyyr9EZXDO99JPsT5fPETOSP50STQLritqrdO9TtSSSDhRLve7n5J5HNQQBW7VKw
  tXI=
  -----END CERTIFICATE REQUEST-----

Help improve this document in the forum (guidelines). Last updated 8 months ago.