You may want to create a self-signed SSL certificate for a Cloud Platform application in one of the following cases:
To create a self-signed SSL certificate, you will need both a root certificate and a site certificate.
To create a root certificate:
Ensure that you are in a writable directory (such as /mnt/tmp/), and then use a command similar to the following to create the root key:
openssl genpkey -algorithm RSA -out ca.key.pem -pkeyopt rsa_keygen_bits:2048
Next, enter a command similar to the following example to self-sign the certificate:
openssl req -new -x509 -key ca.key.pem -out ca.cert.pem -days 365 -sha256
The following result (or something similar to it) will be displayed. Enter the values that are appropriate to your site, system, and location.
You are about to be asked to enter information that will be
incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Oregon
Locality Name (eg, city) []:Portland
Organization Name (eg, company) [Internet Widgits Pty Ltd]: My Name (Root CA)
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:www.mysite.com
Email Address []:[email protected]
The root certificate is created in the same directory, with the name ca.cert.pem; its key is created with the name ca.key.pem.
Next, use the following procedure to create the site certificate.
Create the private key with the following command:
openssl genpkey -algorithm RSA -out site-key.pem -pkeyopt rsa_keygen_bits:2048
Use the following command to generate the certificate signing request (CSR):
openssl req -new -key site-key.pem -out site-csr.csr -sha256
You will be presented with text similar to what you saw when you created the root certificate. Use the same values as you did for the root certificate except for the Organization Name. For the Organization Name, use a different value, such as
My Name (Site CA)
The following questions will also be displayed:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Enter a command similar to this example to sign the CSR with the root key and output the certificate in PEM format with the .pem extension:
openssl x509 -req -in site-csr.csr -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -out site-crt.pem -days 365 -sha256
The site certificate CSR is created in the same directory, with the name site-csr.csr; the site certificate is created with the name site-crt.pem, and its key is created with the name site-key.pem.
Next, install the root certificate and site certificate, as described in Installing an SSL certificate not based on an Acquia-generated CSR, and then complete the appropriate steps for your application:
A code change is required to route traffic to https to leverage your new SSL certificate. For more information, see Redirecting all HTTP traffic to HTTPS.
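The root and site certificate procedure above, run non-interactively and followed by the checks worth making before the files are installed. This is an added example, not part of the original page: -subj stands in for the interactive prompts using the page's sample answers, and the function names and scratch directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page). -subj supplies the page's sample
# prompt answers; function names and the scratch directory are assumptions.
BASE='/C=US/ST=Oregon/L=Portland'
CN='www.mysite.com'

# Run the page's five commands in directory $1. The subshell keeps the caller's
# working directory; umask 077 keeps the new key files private to this user.
make_chain() (
    cd "$1" || exit 1
    umask 077
    openssl genpkey -algorithm RSA -out ca.key.pem -pkeyopt rsa_keygen_bits:2048 &&
    openssl req -new -x509 -key ca.key.pem -out ca.cert.pem -days 365 -sha256 \
        -subj "$BASE/O=My Name (Root CA)/CN=$CN" &&
    openssl genpkey -algorithm RSA -out site-key.pem -pkeyopt rsa_keygen_bits:2048 &&
    openssl req -new -key site-key.pem -out site-csr.csr -sha256 \
        -subj "$BASE/O=My Name (Site CA)/CN=$CN" &&
    openssl x509 -req -in site-csr.csr -CA ca.cert.pem -CAkey ca.key.pem \
        -CAcreateserial -out site-crt.pem -days 365 -sha256
)

# Succeeds if site-crt.pem verifies against ca.cert.pem as its trust anchor.
chain_ok() (
    cd "$1" && openssl verify -CAfile ca.cert.pem site-crt.pem >/dev/null
)

# Succeeds if site-key.pem holds the private half of the certificate's public key.
key_matches() (
    cd "$1" || exit 1
    k=$(openssl pkey -in site-key.pem -pubout) || exit 1
    c=$(openssl x509 -in site-crt.pem -noout -pubkey) || exit 1
    [ "$k" = "$c" ]
)

# Succeeds if the site certificate's subject differs from its issuer, which is
# what the different Organization Name in the CSR step produces.
subject_differs() (
    cd "$1" || exit 1
    s=$(openssl x509 -in site-crt.pem -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in site-crt.pem -noout -issuer | sed 's/^issuer= *//')
    [ -n "$s" ] && [ "$s" != "$i" ]
)

dir=$(mktemp -d) && make_chain "$dir" && chain_ok "$dir" &&
    key_matches "$dir" && subject_differs "$dir" &&
    echo "certificate chain verified in $dir"
```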