## Generate a wildcard SSL certificate request for a subdomain, e.g., `*.foobar.stanford.edu`:

```
$ git clone git@code.stanford.edu:devops-tools/star-cert-request.git
$ cd star-cert-request
$ ./create-star-cert-req.sh -s foobar -o "Your Organization Name" -e "your-contact-email@lists.stanford.edu"
```

The default top domain is *stanford.edu*, which you can change at the top of the script.

**Note:** the subdomain key and the CSR will be saved in your current working directory. Make sure the files are protected.

The generated CSR has `CN=foobar.stanford.edu, X509v3 Subject Alternative Name: DNS:foobar.stanford.edu, DNS:*.foobar.stanford.edu`

To make sure everything looks good before you submit the request:

```
$ openssl req -noout -text -in foobar.stanford.edu.csr
```
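
The same check can be scripted so that a wrong CN or an unexpected SAN entry is caught before the request is submitted. This is an added example, not part of star-cert-request; the function names and the sample text dump (including the subject fields other than CN) are constructed for illustration.

```shell
# Added example, not part of star-cert-request.
# Reads `openssl req -noout -text` output on stdin and verifies that the
# subject CN and the SAN list are exactly what is expected for <domain>.
check_csr_text() {
    domain=$1
    text=$(cat)

    # OpenSSL prints "CN=name" or "CN = name" depending on version.
    cn=$(printf '%s\n' "$text" |
        sed -n 's/^ *Subject:.*CN *= *\([^,/]*\).*$/\1/p' | head -n 1)

    # The SAN values are on the line after the extension name.
    san=$(printf '%s\n' "$text" |
        sed -n '/X509v3 Subject Alternative Name/{n;p;}' | tr -d ' ')

    # Compare as sorted sets so entry order does not matter and any
    # extra or missing name is reported.
    want=$(printf 'DNS:%s\nDNS:*.%s\n' "$domain" "$domain" | sort)
    got=$(printf '%s\n' "$san" | tr ',' '\n' | sort)

    rc=0
    if [ "$cn" != "$domain" ]; then
        echo "FAIL: subject CN is '$cn', expected '$domain'" >&2
        rc=1
    fi
    if [ "$got" != "$want" ]; then
        echo "FAIL: SAN is '$san', expected DNS:$domain,DNS:*.$domain" >&2
        rc=1
    fi
    return "$rc"
}

# Constructed sample of the text dump (subject fields other than CN are made up).
sample_csr_text() {
    cat <<'EOF'
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = US, ST = California, O = Your Organization Name, CN = foobar.stanford.edu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
        Requested Extensions:
            X509v3 Subject Alternative Name: 
                DNS:foobar.stanford.edu, DNS:*.foobar.stanford.edu
EOF
}

sample_csr_text | check_csr_text foobar.stanford.edu && echo "CSR names OK"
```

With a real request, pipe the command above into the function: `openssl req -noout -text -in foobar.stanford.edu.csr | check_csr_text foobar.stanford.edu`.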

Normally you can use the [cert request form](https://tools.stanford.edu/cgi-bin/cert-request) to submit
your request. However, if the subdomain is delegated to a cloud vendor, you will need to send the CSR to
**its-ssl-service@lists.stanford.edu**, because the form cannot verify the ownership of a domain from NetDB.

## Upload cert to AWS IAM service

```
./upload_cert_to_aws.sh -s foo.stanford.edu -p foo.stanford.edu
```

If the SSL certificate already exists, the script will rename it and upload the new server certificate with the same server name.
If you use the cert in an ELB, the ELB keeps using the old certificate until you update the ELB cert to point to the new SSL cert.