How do we recreate TLS certificates and configure them in Prisma Cloud Compute Console?
Objective
We have often seen cases where custom TLS certificates for Compute cannot be configured because the certificates were generated or signed incorrectly. This article therefore walks through the steps for generating the certificates and for configuring them in the Compute Console UI. Note that the certificates produced here are signed by a self-signed CA, not by a publicly recognized authority; browsers do not trust that CA by default, so you may see a "certificate not trusted" warning until the CA certificate is imported into the browser or OS trust store.
Environment
- Prisma Cloud Self-Hosted
Procedure
- First, openssl must be installed on the host; every step below uses it.
Certificates to recreate:
- console-cert.pem
- console-key.pem
Target directory: /var/lib/twistlock/custom-certificates
For the purpose of these instructions, all files are first created in a separate working folder and only copied to the target directory at the end:
mkdir /var/lib/twistlock/certs-new
cd /var/lib/twistlock/certs-new
- Prerequisites:
To sign the certificates, the Certificate Authority needs three configuration files:
- req_ca
- san.cnf
- extFile.ext
Please find the file contents in the following sections:
- req_ca (CA Requirements)
cat > req_ca <<'EOF'
[ req ]
default_bits = 4096
default_md = sha256
distinguished_name = req_distinguished_name
x509_extensions = req_ext
prompt = no
[ req_distinguished_name ]
C=US
ST=CA
O=MyOrg, Inc.
CN=rootCA
[ req_ext ]
basicConstraints = critical, CA:true
EOF
- Subject Alternative Name (san.cnf)
cat > san.cnf <<'EOF'
[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
x509_extensions = x509_ext
prompt = no
[ x509_ext ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ req_distinguished_name ]
C = US
ST = CA
O = MyOrg, Inc.
CN = 10.180.29.195
[ req_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
IP.1 = 10.180.29.195
IP.2 = 127.0.0.1
EOF
- extFile.ext
cat > extFile.ext <<'EOF'
[req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
IP.1 = 10.180.29.195
IP.2 = 127.0.0.1
EOF
- Creation of Certificate Authority
- Creating a self-signed CA:
Generate the private key for the CA certificate:
openssl genrsa -out MyCA-key.pem
Create the self-signed CA certificate using the key above:
openssl req -x509 -new -nodes -key MyCA-key.pem -sha256 -days 1825 -out MyCA-cert.pem -config req_ca
We now have our own CA certificate, which we will use to sign other certificate requests.
Remember:
MyCA-key.pem is the CA private key.
MyCA-cert.pem is the self-signed CA certificate, signed with MyCA-key.pem.
- User certificate
Generate the private key for the user certificate:
openssl genrsa -out user-key.pem 2048
Create a certificate signing request from san.cnf:
openssl req -new -config san.cnf -key user-key.pem -out user-request.pem
We now have a certificate signing request for the user certificate, signed with the user private key.
- Signing the user certificate request with the CA
- Sign the user certificate request with the CA certificate created above (MyCA-cert.pem) and its private key (MyCA-key.pem)
- Signed user certificate (user-cert.pem):
openssl x509 -req -in user-request.pem -CA MyCA-cert.pem -CAkey MyCA-key.pem -CAcreateserial -days 1825 -sha256 -extfile extFile.ext -extensions req -outform PEM -out user-cert.pem
- Creation of all needed certificates for Custom Certificates
- HTTPS Console certificates:
- Create the HTTPS CA private key (MyCA-key-https.pem)
openssl genrsa -out MyCA-key-https.pem
- Create an HTTPS self-signed CA certificate (MyCA-cert-https.pem) using the key above
openssl req -x509 -new -nodes -key MyCA-key-https.pem -sha256 -days 1 -out MyCA-cert-https.pem -config req_ca
Note that -days sets the validity period of the certificate; with -days 1 the certificate expires after one day, so use the lifetime you actually need.
- Create a console private key (console-key.pem)
openssl genrsa -out console-key.pem 2048
- Create a console certificate (console-cert.pem): generate a request with the private key above, then sign it with the HTTPS CA
openssl req -new -config san.cnf -key console-key.pem -out user-request.pem
openssl x509 -req -in user-request.pem -CA MyCA-cert-https.pem -CAkey MyCA-key-https.pem -CAcreateserial -days 1 -sha256 -extfile extFile.ext -extensions req -outform PEM -out console-cert.pem
chmod 777 console-key.pem
Note that 777 makes the private key readable and writable by every user on the host; the Console only needs to read it, so restrict the permissions as far as your setup allows.
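The following script is an added example and is not part of the original article or of Prisma Cloud itself. It runs the same chain the article builds (a self-signed CA, a console CSR carrying IP SANs, and a CA-signed console certificate) in a scratch directory, and then performs the checks a practitioner would want before copying the files into /var/lib/twistlock/custom-certificates: the certificate chains to the CA, the key matches the certificate, the console IP is present in the SAN, and the certificate is not about to expire. The CONSOLE_IP and WORKDIR variables, the single san.cnf file reused for signing (the article keeps a separate extFile.ext with the same extensions), the 365-day validity and the 0600 key permission are assumptions of this example; 10.180.29.195 is the article's sample address.

```shell
#!/bin/sh
# Added example, not from the original article: build the CA -> console
# certificate chain in a scratch directory and verify it before installing.
# Assumed names: CONSOLE_IP, WORKDIR, write_configs, make_certs, chains_to,
# verify_certs. 365-day validity and 0600 on the key are choices of this
# example, not the article's values.
set -eu

CONSOLE_IP="${CONSOLE_IP:-10.180.29.195}"   # article's sample address

# Write the OpenSSL config files. The CA config mirrors the article's req_ca;
# san.cnf is trimmed to what the CSR and the signing step below actually use.
write_configs() {
  d="$1"
  cat > "$d/req_ca" <<'EOF'
[ req ]
default_bits = 4096
default_md = sha256
distinguished_name = req_distinguished_name
x509_extensions = req_ext
prompt = no
[ req_distinguished_name ]
C = US
ST = CA
O = MyOrg, Inc.
CN = rootCA
[ req_ext ]
basicConstraints = critical, CA:true
EOF
  # The req_ext section serves twice: as CSR extensions and, via
  # "-extfile san.cnf -extensions req_ext", as the extensions copied into
  # the signed certificate (the article uses extFile.ext for the latter).
  cat > "$d/san.cnf" <<EOF
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
C = US
ST = CA
O = MyOrg, Inc.
CN = $CONSOLE_IP
[ req_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
IP.1 = $CONSOLE_IP
IP.2 = 127.0.0.1
EOF
}

# Generate the CA key/cert and the console key/CSR/cert in directory $1.
make_certs() {
  d="$1"
  write_configs "$d"
  # CA: private key, then a self-signed certificate carrying CA:true.
  openssl genrsa -out "$d/MyCA-key.pem" 2048
  openssl req -x509 -new -nodes -key "$d/MyCA-key.pem" -sha256 -days 1825 \
    -out "$d/MyCA-cert.pem" -config "$d/req_ca"
  # Console: private key, CSR from san.cnf, then the CA-signed certificate.
  openssl genrsa -out "$d/console-key.pem" 2048
  openssl req -new -config "$d/san.cnf" -key "$d/console-key.pem" \
    -out "$d/console-request.pem"
  openssl x509 -req -in "$d/console-request.pem" -CA "$d/MyCA-cert.pem" \
    -CAkey "$d/MyCA-key.pem" -CAcreateserial -days 365 -sha256 \
    -extfile "$d/san.cnf" -extensions req_ext -out "$d/console-cert.pem"
  chmod 600 "$d/console-key.pem"   # owner-only; the owner must be the Console's user
}

# Exit status only: does certificate $2 verify against CA file $1?
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# The checks worth running before copying the files into place.
verify_certs() {
  d="$1"
  # 1. the console certificate must chain to our CA
  chains_to "$d/MyCA-cert.pem" "$d/console-cert.pem" || return 1
  # 2. key and certificate must belong together (compare their public keys)
  [ "$(openssl x509 -in "$d/console-cert.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$d/console-key.pem" -pubout)" ] || return 1
  # 3. the console IP must be in the SAN; browsers do not fall back to the CN
  openssl x509 -in "$d/console-cert.pem" -noout -text \
    | grep -q "IP Address:$CONSOLE_IP" || return 1
  # 4. it must still be valid a day from now (catches a -days 1 slip)
  openssl x509 -in "$d/console-cert.pem" -noout -checkend 86400 >/dev/null
}

WORKDIR="$(mktemp -d)"
make_certs "$WORKDIR"
if verify_certs "$WORKDIR"; then
  echo "console-cert.pem and console-key.pem in $WORKDIR are ready to copy"
else
  echo "verification failed; do not install these files" >&2
  exit 1
fi
```

Once the files are copied and the Console container restarted, the same CA file can be used to confirm what is actually being served, for example with openssl s_client -connect <console_ip>:<console_port> -CAfile MyCA-cert.pem, which should report a successful verification rather than an unknown-issuer error. The 0600 permission used here assumes the key file is owned by the account the Console process runs as; the article's chmod 777 sidesteps that question at the cost of exposing the private key to every local user.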
- Twistlock Console Configuration for Custom Certificates
- Create the custom-certificates folder:
mkdir /var/lib/twistlock/custom-certificates
- Copy or move the created certificates to the "custom-certificates" directory:
pwd
ls -la
cp * /var/lib/twistlock/custom-certificates/
ls -la /var/lib/twistlock/custom-certificates/
- Restart the Console container:
docker ps
docker restart twistlock_console
docker ps
- Check the certificates inside the Console container
- Open a shell in the Console container and confirm that the custom-certificates folder is present with the files in it:
docker ps
docker exec -ti <docker_console_container_id> bash
ls -la /var/lib/twistlock/
ls -la /var/lib/twistlock/custom-certificates
- Checking the custom certificate in the Console
Go to Manage > Logs > Console and search for "Custom certificates" to confirm that the Console picked up the new certificates.
Additional Information
Reference documentation: