In the following section:
This section uses openssl commands to create a sample certificate and add it to an allowlist.
Use the following commands to generate a certificate and add it to an allowlist.
openssl req -x509 \
    -new -sha256 -newkey rsa:2048 -nodes \
    -days 3650 -subj '/CN=localhost' \
    -keyout allowlisted.key -out allowlisted.cert
So my question:
1. A self-signed certificate is created, but where is it added to the allowlist? The information in the section does not speak to adding the self-signed certificate to the allowlist.
2. What is this allowlist in the context of this document?
What am I missing here?
Thank you!
Update
1. So the self-signed certificate is allowlisted when creating a trust config resource.
2. But I still don't understand the significance of this allowlisted certificate. What does it mean?
https://cloud.google.com/certificate-manager/docs/how-it-works
Optionally, if you need to use a certificate that has been self-signed, is expired, or is otherwise invalid, or if you don't have access to the root and intermediate certificates, you can add that certificate to the trust config in the allowlistedCertificates field. You don't need a trust store to add a certificate to an allowlist.
Adding a certificate to the allowlist means that the certificate is always considered valid as long as the certificate is parseable, proof of private key possession is established, and constraints on the SAN field of the certificate are met.
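Where the certificate actually lands, as an added example that is not part of this thread or of Google's documentation: a shell function that turns allowlisted.cert into a trust config file with the allowlistedCertificates field. The pemCertificate key and the gcloud command in the closing comment are not on this page and are assumed from the Certificate Manager API; the trust config name, TRUST_CONFIG_ID and location are placeholders.

```bash
# Added example: build a Certificate Manager trust config that allowlists one
# certificate. File names and the trust config name are assumptions.

# Print a trust config YAML document to stdout.
#   $1 = trust config name (hypothetical, e.g. "my-trust-config")
#   $2 = path to a PEM certificate, e.g. allowlisted.cert from the openssl command
make_allowlist_trust_config() {
  local name="$1" cert_file="$2" pem

  [ -r "$cert_file" ] || { echo "cannot read $cert_file" >&2; return 1; }

  # Only the certificate goes into the trust config. Refuse a file that
  # carries private key material (for example allowlisted.key).
  if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$cert_file"; then
    echo "$cert_file contains a private key; pass the certificate only" >&2
    return 1
  fi

  # Require exactly one PEM certificate block.
  if [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$cert_file")" -ne 1 ] ||
     [ "$(grep -c -- '-----END CERTIFICATE-----' "$cert_file")" -ne 1 ]; then
    echo "$cert_file must hold exactly one PEM certificate" >&2
    return 1
  fi

  # Fold the PEM into one line with literal \n separators so it fits in a
  # double-quoted YAML string.
  pem="$(awk '{ sub(/\r$/, ""); printf "%s\\n", $0 }' "$cert_file")"

  printf 'name: "%s"\n' "$name"
  printf 'allowlistedCertificates:\n'
  printf -- '- pemCertificate: "%s"\n' "$pem"
}

# Usage (not run here; TRUST_CONFIG_ID and the location are placeholders):
#   make_allowlist_trust_config my-trust-config allowlisted.cert > trust_config.yaml
#   gcloud certificate-manager trust-configs import TRUST_CONFIG_ID \
#       --source=trust_config.yaml --location=global
```

Because an allowlisted certificate is accepted without a chain to any trust store, the matching allowlisted.key is the only thing standing between a client and acceptance, so keep it out of the trust config and out of version control.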
Ah okay, thanks for directing me to the link: