How to create custom self-signed certificates for ingress and apiserver for OpenShift using openssl

Solution Verified - Updated

Environment

  • Red Hat OpenShift Container Platform 4.x

Issue

  • Need a self-signed (private CA) certificate for the OpenShift ingress controller and the API server.
    NOTE: this is not an OpenShift-specific procedure. It is a generic way to create a private CA and a CA-signed server certificate with openssl; the OpenShift part is only which hostnames go into the Subject Alternative Name and where the resulting files are installed.

Resolution

  • Set the variables used in the rest of the procedure (the cluster base domain and the ingress/apps domain, read from the cluster configuration):
BASE_DOMAIN="$(oc get dns.config/cluster -o 'jsonpath={.spec.baseDomain}')"
INGRESS_DOMAIN="$(oc get ingress.config/cluster -o 'jsonpath={.spec.domain}')"
  • Create the custom CA private key and self-signed CA certificate (this is the only certificate that is actually self-signed; the server certificate created below is signed by this CA):
openssl genrsa -out example-ca.key 2048
openssl req -x509 -new -key example-ca.key -out example-ca.crt -days 1000 -subj "/C=US/ST=ST/L=Locality/O=ORG/CN=$BASE_DOMAIN"
  • Create a file named req.conf with the following content, replacing the placeholders with the actual values of $BASE_DOMAIN and $INGRESS_DOMAIN (on a default installation INGRESS_DOMAIN is apps.<value of $BASE_DOMAIN>). prompt = no makes the entries in [ req_distinguished_name ] real values rather than prompt labels; with -subj on the command line the subject given there takes precedence anyway:
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = req_distinguished_name
req_extensions     = req_ext
[ req_distinguished_name ]
countryName                 = US
stateOrProvinceName         = ST
localityName               = Locality
organizationName           = Org
commonName                 = <value of $BASE_DOMAIN>
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1   = api.<value of $BASE_DOMAIN>
DNS.2   = *.<value of $INGRESS_DOMAIN>
  • Create the server private key, the certificate signing request, and the server certificate signed by the custom CA, with a subjectAltName covering the API hostname and the ingress wildcard:
openssl genrsa -out example.key 2048
openssl req -new -key example.key -out example.csr -subj "/C=US/ST=ST/L=Locality/O=Org/CN=$BASE_DOMAIN" -config req.conf
openssl x509 -req -in example.csr -CA example-ca.crt -CAkey example-ca.key -CAcreateserial -out example.crt -days 1000 -extfile req.conf -extensions req_ext
  • After the previous step you will have the following files:
example-ca.key  ==> CA private key (keep it secret; it can issue further certificates for these domains)
example-ca.crt  ==> CA certificate (what clients must trust)

example.crt     ==> API and ingress server certificate
example.key     ==> server certificate private key
  • With these files you can replace the ingress and API server certificates with the custom ones by following the product documentation:

    Replace ingress certificate
    Replace apiserver certificate

    Because the server certificate chains to a private CA, any client that connects (oc and kubeconfig users, browsers, and cluster components that reach the routes) must trust example-ca.crt; the linked documentation covers adding the CA to the cluster trust bundle.

NOTE: In rare cases, depending on the OpenSSL build and its default configuration, the generated example.crt may lack the X509v3 Subject Key Identifier and X509v3 Authority Key Identifier extensions (check with openssl x509 -in example.crt -noout -text). If so, add the two identifier lines to req.conf as shown below and rerun only the openssl x509 -req command. Edit req.conf only after the openssl req -new command has been run: authorityKeyIdentifier cannot be resolved while building a CSR (there is no issuer certificate yet), so with those lines present openssl req -new fails.

[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = req_distinguished_name
req_extensions     = req_ext
[ req_distinguished_name ]
countryName                 = US
stateOrProvinceName         = ST
localityName               = Locality
organizationName           = Org
commonName                 = <value of $BASE_DOMAIN>
[ req_ext ]
subjectAltName = @alt_names
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[alt_names]
DNS.1   = api.<value of $BASE_DOMAIN>
DNS.2   = *.<value of $INGRESS_DOMAIN>
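
The complete procedure from the Resolution section, including the Subject Key Identifier / Authority Key Identifier case from the note above, as one runnable script with a verification step. This is an added example, not part of the Red Hat solution: it takes the base and ingress domains as arguments instead of reading them with oc (the domain names used at the bottom are constructed), writes its own openssl.cnf so the CA extensions do not depend on the system default configuration, and keeps authorityKeyIdentifier in a signing-only section so that openssl req -new never sees it. The section names ca_ext, req_ext and server_ext and the function names make_certs and check_certs are this example's own.

```shell
#!/bin/sh
# Added example (not part of the Red Hat solution): private CA plus an
# API/ingress server certificate, followed by a check of the result.
# Assumption: BASE_DOMAIN and INGRESS_DOMAIN are passed as arguments instead
# of being read with `oc get dns.config/cluster` / `oc get ingress.config/cluster`,
# so the script runs without a cluster.
set -eu

# make_certs DIR BASE_DOMAIN INGRESS_DOMAIN
# Writes example-ca.key, example-ca.crt, example.key, example.csr and
# example.crt into DIR. One config file serves the CA, the CSR and the
# signing step; -config replaces the system openssl.cnf entirely.
make_certs() {
  dir="$1"; base="$2"; ingress="$3"
  mkdir -p "$dir"
  cfg="$dir/openssl.cnf"
  cat > "$cfg" <<EOF
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = req_distinguished_name
x509_extensions    = ca_ext
req_extensions     = req_ext

[ req_distinguished_name ]
countryName         = US
stateOrProvinceName = ST
localityName        = Locality
organizationName    = Org
commonName          = $base

# CA certificate: explicitly a CA, limited to signing certificates/CRLs.
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# CSR: SAN only. No authorityKeyIdentifier here, because there is no
# issuer yet and "openssl req -new" would fail on it.
[ req_ext ]
subjectAltName = @alt_names

# Server certificate as issued by the CA: SAN plus SKI/AKI, applied only
# by "openssl x509 -req", where the issuer is known.
[ server_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName         = @alt_names

[ alt_names ]
DNS.1 = api.$base
DNS.2 = *.$ingress
EOF

  # 1. CA key and self-signed CA certificate (extensions from ca_ext)
  openssl genrsa -out "$dir/example-ca.key" 2048 2>/dev/null
  openssl req -x509 -new -config "$cfg" -key "$dir/example-ca.key" \
    -out "$dir/example-ca.crt" -days 1000 \
    -subj "/C=US/ST=ST/L=Locality/O=ORG/CN=$base"
  # 2. server key and CSR (subject from the config, SAN from req_ext)
  openssl genrsa -out "$dir/example.key" 2048 2>/dev/null
  openssl req -new -config "$cfg" -key "$dir/example.key" -out "$dir/example.csr"
  # 3. sign the CSR with the CA, applying server_ext
  openssl x509 -req -sha256 -in "$dir/example.csr" \
    -CA "$dir/example-ca.crt" -CAkey "$dir/example-ca.key" -CAcreateserial \
    -out "$dir/example.crt" -days 1000 -extfile "$cfg" -extensions server_ext 2>/dev/null
}

# check_certs DIR BASE_DOMAIN INGRESS_DOMAIN
# Returns 0 only if example.crt chains to example-ca.crt, matches the API
# hostname and a route hostname under the ingress wildcard, and carries the
# expected extensions. Prints the first failure to stderr.
check_certs() {
  dir="$1"; base="$2"; ingress="$3"
  ca="$dir/example-ca.crt"; crt="$dir/example.crt"
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "example.crt does not chain to example-ca.crt" >&2; return 1; }
  for host in "api.$base" "console-openshift-console.$ingress"; do
    openssl verify -CAfile "$ca" -verify_hostname "$host" "$crt" >/dev/null 2>&1 \
      || { echo "example.crt does not match $host" >&2; return 1; }
  done
  text="$(openssl x509 -in "$crt" -noout -text)"
  for needle in "DNS:api.$base" "DNS:*.$ingress" \
                "Subject Key Identifier" "Authority Key Identifier"; do
    printf '%s\n' "$text" | grep -qF "$needle" \
      || { echo "example.crt is missing: $needle" >&2; return 1; }
  done
  openssl x509 -in "$ca" -noout -text | grep -q "CA:TRUE" \
    || { echo "example-ca.crt is not marked CA:TRUE" >&2; return 1; }
  return 0
}

# Demonstration run with constructed domain names; on a real cluster use the
# values from oc (BASE_DOMAIN and INGRESS_DOMAIN as set in the article).
workdir="$(mktemp -d)"
make_certs "$workdir" "ocp.example.com" "apps.ocp.example.com"
if check_certs "$workdir" "ocp.example.com" "apps.ocp.example.com"; then
  echo "certificates generated and verified in $workdir"
else
  echo "verification failed" >&2
  exit 1
fi
```

The verification step is the part worth keeping around: openssl verify with -verify_hostname checks the chain and the SAN the same way a TLS client does, so a missing api. entry or a wildcard at the wrong depth shows up before the certificate is installed in the cluster. The 1000-day lifetimes are copied from the article; shorter lifetimes with a renewal routine are the usual recommendation for a private CA.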

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.