Using Custom Certificate

To secure communication between TIBCO Control Plane and the data plane, you can configure a custom certificate when registering a data plane. Custom certificates are certificates not issued by a well-known Certificate Authority (CA); they are either self-signed or issued by a custom CA. You have full control over which certificates to trust: in this case, the data plane no longer trusts any well-known CA certificates but only the ones it is configured to trust. The following steps provide an example of how to generate and use a custom certificate.

Before you begin
  • This example uses the OpenSSL tool, so you must have OpenSSL installed on your machine. Other tools can be used as long as they produce a private key and its corresponding certificate chain for the TIBCO Control Plane, and the corresponding certificates to trust in the data plane.

Step 1: Edit the Host names in a Configuration File

Example cert.config:

[req]
prompt = no
distinguished_name = dn
req_extensions = ext
input_password = PASSPHRASE
 
[dn]
CN = *.example.com
O = MyOrg
L = AB
ST = CD
C = US
 
# This certificate is for wildcard hosts.
[ext]
subjectAltName = \
    DNS:*.local.example.com,\
    DNS:*.cp1-my.local.example.com,\
    DNS:*.cp1-tunnel.local.example.com

To secure multiple domains, subdomains, or IP addresses with a single certificate, list them under subjectAltName in the configuration file. The subjectAltName extension of the resulting certificate contains those additional entries.

Step 2: Generate the Private Key

The following command generates a 2048-bit RSA private key and writes it to the file self_sign_private_key.pem.

openssl genrsa -out self_sign_private_key.pem 2048

Step 3: Create the Certificate Signing Request (CSR)

Generate a CSR using the configuration file. This creates a file certificate.csr containing the CSR.

openssl req -new -config cert.config -key self_sign_private_key.pem -out certificate.csr

Step 4: Generate the Self-Signed Certificate

Create a self-signed certificate from the CSR, applying the extensions from the [ext] section of cert.config. This creates a file self_signed_public.crt.pem containing the public certificate.

openssl x509 -req -in certificate.csr -signkey self_sign_private_key.pem -out self_signed_public.crt.pem -days 1095 -extensions ext -extfile cert.config

Step 5: Configure the Ingress Controller with the Private Key and Certificate

You must configure the custom certificate wherever TLS termination happens. This can be a load balancer (for example, AWS ALB) or an Ingress controller (Nginx, Traefik) in front of TIBCO Control Plane. After the self-signed certificate and its private key are generated, convert them to base64-encoded strings, for example with the cat, base64, and tr commands:

cat self_sign_private_key.pem | base64 | tr -d '\n'
cat self_signed_public.crt.pem | base64 | tr -d '\n'

Use the output encoded strings in the TIBCO Platform Provisioner UI when installing TIBCO Control Plane.

When configuring TLS for your Ingress Controller, specify not only the leaf (end-entity) certificate but also any intermediate certificates.

  • The order of certificates in the file must be: the leaf certificate first, followed by the intermediate certificates up to the root.

  • When testing the TLS functionality of the endpoints, use both a web browser and a command-line tool such as curl, because they rely on different trust stores and a certificate accepted by one may be rejected by the other. Example curl command:

    curl -v https://hybrid-proxy.region.tibco.example.com

Step 6: Create a Kubernetes Secret

Run the following command to create a Kubernetes secret from the certificate that you have created. To add more than one certificate, repeat the --from-file parameter.

kubectl create secret generic <secret_name> -n <namespace> --from-file=/path/to/your/certificate.pem

You must specify the secret name when registering a data plane.
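As an added example that is not part of the TIBCO documentation, the following shell script runs Steps 1 to 4 non-interactively in a scratch directory (WORKDIR, an assumption) and then performs the checks worth doing before the files are base64-encoded in Step 5: the public key in the certificate matches the private key, the expected subjectAltName entries are present, and the certificate is not about to expire. It requires the openssl command-line tool.

```shell
# Added example, not from the TIBCO documentation. Runs Steps 1-4 of the page in a
# scratch directory and then checks the result before it is base64-encoded for the
# ingress controller (Step 5). Requires the openssl CLI.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"   # assumption: scratch directory for the files
KEY="$WORKDIR/self_sign_private_key.pem"
CRT="$WORKDIR/self_signed_public.crt.pem"

# Step 1: cert.config equivalent to the page's example (constructed here; the
# input_password line is omitted because the key below is not passphrase-protected).
write_config() {
  cat > "$WORKDIR/cert.config" <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = *.example.com
O = MyOrg
C = US
[ext]
subjectAltName = DNS:*.local.example.com,DNS:*.cp1-my.local.example.com,DNS:*.cp1-tunnel.local.example.com
EOF
}

# Steps 2-4: private key, CSR, self-signed certificate carrying the [ext] SANs.
generate_cert() {
  write_config
  openssl genrsa -out "$KEY" 2048 2>/dev/null
  openssl req -new -config "$WORKDIR/cert.config" -key "$KEY" -out "$WORKDIR/certificate.csr"
  openssl x509 -req -in "$WORKDIR/certificate.csr" -signkey "$KEY" -out "$CRT" \
    -days 1095 -extensions ext -extfile "$WORKDIR/cert.config" 2>/dev/null
}

# Succeeds only if the public key inside the certificate matches the private key;
# a mismatch here means the ingress controller cannot complete a TLS handshake.
key_matches_cert() {
  [ "$(openssl pkey -in "$KEY" -pubout 2>/dev/null)" = "$(openssl x509 -in "$CRT" -pubkey -noout)" ]
}

# Succeeds only if the SAN extension lists the given DNS name (fixed-string match).
san_contains() {
  openssl x509 -in "$CRT" -noout -text | grep -qF "DNS:$1"
}

# Succeeds only if the certificate is still valid $1 seconds from now.
valid_for() {
  openssl x509 -in "$CRT" -noout -checkend "$1"
}
```

Run generate_cert, then the three checks; only a certificate that passes all of them should be base64-encoded and pasted into the Provisioner UI.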

Updating Custom Certificate

For more information about updating an existing certificate, see Updating a Custom Certificate.