Manual TLS Certificates

By Canonical Telco

Channel           Revision  Published    Runs on
latest/stable     78        07 Mar 2024  Ubuntu 22.04
latest/candidate  78        07 Mar 2024  Ubuntu 22.04
latest/beta       78        07 Mar 2024  Ubuntu 22.04
latest/edge       98        06 May 2024  Ubuntu 22.04

juju deploy manual-tls-certificates --channel candidate

Getting Started

In this tutorial, we will use the Manual TLS Certificates charm to provide a certificate to a requiring charm. The TLS Certificates Requirer Operator acts as our TLS certificates requirer.

1. Install pre-requisites

Install MicroK8s:

sudo snap install microk8s

Enable the hostpath-storage MicroK8s add-on:

microk8s enable hostpath-storage

Install Juju:

sudo snap install juju

2. Bootstrap a Juju controller

Bootstrap a Juju controller:

juju bootstrap microk8s

Create a Juju model:

juju add-model demo

3. Deploy Manual TLS Certificates

juju deploy manual-tls-certificates

4. Deploy tls-certificates-requirer

juju deploy tls-certificates-requirer

5. Integrate the two charms

Integrate the charms with their tls-certificates interface:

juju integrate manual-tls-certificates tls-certificates-requirer

Wait for both charms to be in the active/idle status.

ubuntu@server:~$ juju status
Model  Controller          Cloud/Region        Version  SLA          Timestamp
dev    microk8s-localhost  microk8s/localhost  3.4.0    unsupported  15:31:05-05:00

App                        Version  Status  Scale  Charm                      Channel  Rev  Address         Exposed  Message
manual-tls-certificates             active      1  manual-tls-certificates               0  10.152.183.58   no       1 outstanding requests, use juju actions to provide certificates
tls-certificates-requirer           active      1  tls-certificates-requirer  edge      45  10.152.183.241  no       Certificate request is sent

Unit                          Workload  Agent  Address      Ports  Message
manual-tls-certificates/0*    active    idle   10.1.182.25         1 outstanding requests, use juju actions to provide certificates
tls-certificates-requirer/0*  active    idle   10.1.182.40         Certificate request is sent

6. Generate a CA key and certificate with OpenSSL

Create a certs directory:

mkdir certs

Generate a private key:

openssl genrsa -out certs/ca.key 2048

Generate a CA certificate:

openssl req -new -x509 -days 3650 -key certs/ca.key -out certs/ca.crt -subj "/C=US/CN=pizza.com"

7. Retrieve the CSR

Retrieve the Certificate Signing Request (CSR) that the TLS Certificates requirer created and passed to Manual TLS Certificates:

juju run manual-tls-certificates/leader get-outstanding-certificate-requests --format=json | yq '.manual-tls-certificates/0.results.result' | yq '.[0].csr' > certs/client.csr

8. Sign the certificate

Sign the CSR with the CA key and certificate to produce the client certificate:

openssl x509 -req -in certs/client.csr -CA certs/ca.crt -CAkey certs/ca.key -CAcreateserial -out certs/client.crt -days 365 -sha256

Provide the certificate to Manual TLS Certificates:

juju run manual-tls-certificates/leader provide-certificate \
  certificate="$(base64 -w0 certs/client.crt)" \
  ca-certificate="$(base64 -w0 certs/ca.crt)" \
  certificate-signing-request="$(base64 -w0 certs/client.csr)"
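
A checked version of steps 6 to 8, as an added example that is not part of the original tutorial or the charm's code: it verifies the CSR's self-signature before signing, then confirms that the issued certificate carries the CSR's public key and verifies against the CA. The function names and the locally generated stand-in CSR are assumptions; in the real flow certs/client.csr comes from step 7.

```shell
#!/bin/sh
# Added example: checks to wrap around the signing command from step 8.
# All keys and CSRs are constructed locally; Juju is not contacted.

# True if the CSR's self-signature verifies (requester holds the key).
# Match on the output text: older OpenSSL exits 0 even on failure.
csr_is_valid() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

# True if the certificate carries the same public key as the CSR.
cert_matches_csr() {  # $1 = certificate, $2 = CSR
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    r=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$r" ]
}

# True if the certificate verifies against the given CA certificate.
cert_chains_to_ca() {  # $1 = certificate, $2 = CA certificate
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Step 6 in directory $1 (same commands as the tutorial).
make_ca() {
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null &&
    openssl req -new -x509 -days 3650 -key "$1/ca.key" \
        -out "$1/ca.crt" -subj "/C=US/CN=pizza.com" 2>/dev/null
}

# Constructed stand-in for the CSR that step 7 pulls from the charm.
make_csr() {  # $1 = directory, $2 = file stem
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$2.key" \
        -out "$1/$2.csr" -subj "/CN=$2.example" 2>/dev/null
}

# Step 8, refusing bad input and checking the result before hand-off.
sign_checked() {  # $1 = directory, $2 = file stem
    csr_is_valid "$1/$2.csr" || return 2
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/$2.crt" -days 365 -sha256 2>/dev/null || return 3
    cert_matches_csr "$1/$2.crt" "$1/$2.csr" && cert_chains_to_ca "$1/$2.crt" "$1/ca.crt"
}

work=$(mktemp -d)
make_ca "$work" && make_csr "$work" client && sign_checked "$work" client &&
    echo "client.crt is safe to pass to provide-certificate"
rm -rf "$work"
```

The public-key comparison catches the case where the wrong CSR file was signed, which the provide-certificate action cannot detect from the base64 arguments alone.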

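9. Validate that the certificate was provided correctly

Run the get-certificate action on the requirer. The output should contain the ca-certificate, certificate and csr fields, each holding a PEM block: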

ubuntu@server:~$ juju run tls-certificates-requirer/leader get-certificate
Running operation 81 with 1 task
  - task 82 on unit-tls-certificates-requirer-0

Waiting for task 82...
