Create a self signed SSL Certificate for GCP use on Windows using OpenSSL

george udosen
Sep 28, 2019

Note: open your command prompts and powershell as an “administrator”.

I am a Linux guy but keep my Windows for my iTunes and updating my BIOS, and today I find myself using Windows to do a lot of work on my GCP. I want to share with other still-ardent Windows users the steps needed to install, set up and use OpenSSL to generate a self-signed certificate for use on GCP.

Prerequisites:

  1. GCP SDK installed and activated
  2. Administrative access on Windows machine

Let us begin with the installation of OpenSSL on Windows. Download the file from this location (click on the “location” name here), scroll down and select the 64-bit version with “Win64” in the name. Run the Windows installer; it will install to “C:\OpenSSL-Win64” unless you change the location.

Now that it is installed, let us make it available from any location when using the Windows command prompt. Open up your “Control Panel” and select System, then “Advanced System Settings”. In the “System Properties” dialogue that appears, select “Environment Variables” at the bottom of the dialogue box.

The dialogue box that appears has a “User variables” area and a “System variables” area; we will add our entry to the latter. Go to the “System variables” section at the bottom of that dialogue box and select the “Path” environment variable line as seen in the image below:

Path environment line

Click on “New” to add a new entry, and add the variable name and value as seen below:

Now click OK, then close and reopen the command prompt or powershell, and you're good to go creating the SSL certificate.

Now the above process is for manual installation but we could have also used and should use a third party automation tool that makes our lives easier. The “chocolatey” tool is an excellent choice. Let us install it via these commands:

From the “command prompt”:

@"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))" && SET "PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin"

From the “powershell” (my favourite):

Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))

If you hit any errors using these commands, see here for help. Next, search for and then install OpenSSL using “chocolatey”. Search for “openssl” with the command choco search openssl, then install it with the command choco install openssl and follow the prompts.

Now let us create the ssl certificate and upload it to GCP. Now launch your command prompt or powershell and create the key to use for signing the certificate with the following command:

openssl genrsa -des3 -out "C:\Users\egusi\gcp\spikey-server.key" 2048

Please note that “C:\Users\egusi\gcp\” is a placeholder and should be changed to your preferred location. Enter a “pass phrase” when asked for one (keep it simple, as this is only for development). Now we create a certificate signing request with the command:

openssl req -new -key "C:\Users\egusi\gcp\spikey-server.key" -out "C:\Users\egusi\gcp\spikey-server.csr"

Enter the pass phrase when prompted, along with other information such as your name, email, address, and location. Next we remove the pass phrase so we are not prompted for it when the key is used on the server for validation:

  1. Make a copy of the old key from your powershell:

Copy-Item C:\Users\egusi\gcp\spikey-server.key C:\Users\egusi\gcp\spikey-server.key.org

  2. Remove the pass phrase using the openssl command and enter your pass phrase:

openssl rsa -in C:\Users\egusi\gcp\spikey-server.key.org -out C:\Users\egusi\gcp\spikey-server.key

Now we generate the certificate using the command:

openssl x509 -req -days 365 -in C:\Users\egusi\gcp\spikey-server.csr -signkey C:\Users\egusi\gcp\spikey-server.key -out C:\Users\egusi\gcp\spikey-server.crt

Now we create our GCP certificate using our local one and the key file with the command:

gcloud compute ssl-certificates create udoyen-server-cert --certificate="C:\Users\egusi\gcp\spikey-server.crt" --private-key="C:\Users\egusi\gcp\spikey-server.key"
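
A pre-upload check for the files produced by the steps above, as an added example that is not part of the original article: it confirms the pass phrase was removed, that the certificate matches the key and is self-signed and unexpired, then restricts the now-unencrypted key and its .org backup to the current user. It assumes openssl is on the PATH and uses the article's placeholder paths.

```powershell
# Added example (not from the original article). Paths are the article's placeholders.
$ErrorActionPreference = 'Stop'
$dir = 'C:\Users\egusi\gcp'
$key = Join-Path $dir 'spikey-server.key'
$crt = Join-Path $dir 'spikey-server.crt'

# 1. The pass phrase must be gone. An encrypted PEM key says so in its header:
#    "BEGIN ENCRYPTED PRIVATE KEY" (PKCS#8) or "Proc-Type: 4,ENCRYPTED" (traditional).
if (Get-Content $key -TotalCount 3 | Select-String -Pattern 'ENCRYPTED' -Quiet) {
    throw "$key is still pass-phrase protected; rerun the 'openssl rsa' step."
}

# 2. Certificate and key must be the same RSA key pair (the modulus is public data).
$keyMod = & openssl rsa  -noout -modulus -in $key
$crtMod = & openssl x509 -noout -modulus -in $crt
if (-not $keyMod -or $keyMod -ne $crtMod) {
    throw 'Certificate and private key do not match.'
}

# 3. Self-signed means subject and issuer are identical.
$subject = (& openssl x509 -noout -subject -in $crt) -replace '^subject\s*=\s*', ''
$issuer  = (& openssl x509 -noout -issuer  -in $crt) -replace '^issuer\s*=\s*', ''
if ($subject -ne $issuer) { throw "Not self-signed: issuer is '$issuer'." }

# 4. -checkend 0 exits non-zero when the certificate has already expired.
& openssl x509 -noout -checkend 0 -in $crt | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Certificate has expired.' }
& openssl x509 -noout -subject -enddate -in $crt

# 5. The key is now plaintext on disk: drop inherited ACEs and leave
#    only the current user with access, for the key and its backup copy.
foreach ($f in $key, "$key.org") {
    if (Test-Path $f) {
        & icacls $f /inheritance:r /grant:r "${env:USERNAME}:F" | Out-Null
    }
}
'All checks passed; files are ready for gcloud compute ssl-certificates create.'
```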

Now we can use this certificate in creating an SSL Load balancer in GCP. Please leave a clap or two if you found this useful and helpful.
