Generating Self-Signed SSL Certificates for Use with Bluemix Custom Domains

This is a companion piece to my Bluemix UI: SSL Certificates and Custom Domains post. It’s intended for Bluemix users who wish to use self-signed SSL certificates with their custom domains for testing and development. This can be useful before moving to production with a wildcard certificate issued by a trusted third-party certificate authority.

I’ll discuss three different approaches using:

  • an online self-signed certificate generator
  • the openssl command line
  • Keychain Access on a Mac, acting as your own certificate authority

Once you’ve generated a self-signed certificate using one of these approaches (or by one of the many approaches found by doing a Google search), please see my previously mentioned post to learn how to associate it with a Bluemix custom domain.

Online Self-Signed Certificate Generator

A really straightforward way to generate a self-signed certificate is the online Self-Signed Certificate Generator. All you have to do is enter a wildcard domain and hit the Generate button.

Entering Domain in Online Self-Signed Certificate Generator

The site then uses OpenSSL in the background to generate a certificate and private key. After the process completes, you will see two links: one allows you to download a cert file and the other a key file. Download the files, and then you can use the Bluemix UI to upload and associate them with your domain. Keep in mind that the private key was generated on, and downloaded from, somebody else’s server: treat it as already disclosed, use it only for throwaway testing, and never reuse it for anything you care about.

I did this myself for one of my domains. When I accessed the app in Chrome, it provided me with the certificate details shown below. As you can see, the generated certificate only has the Common Name field filled in. And, of course, Chrome doesn’t trust it.

Browser Info For Cert Generated by Online Self-Signed Certificate Generator

Using OpenSSL to Generate Self-Signed Certificate

If you want more control over the generated certificate, you can use the openssl command directly. It may already be installed on your system, but if not, you should be able to install it. The steps below are adapted from the first 4 steps of How to Create a Self-signed SSL Certificate by Akadia.com. That article gives additional background information and guidance that you may find useful.

  1. Generate a private key. The transcript below uses a 1024-bit key because that is what the original article did; 1024-bit RSA is no longer considered safe and public CAs will not sign it, so use at least 2048 bits (openssl genrsa -des3 -out server.key 2048) for anything beyond a quick throwaway test. The -des3 option encrypts the key under a passphrase, which step 3 removes again.
$ openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
........++++++
.................................................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
  2. Generate a CSR (Certificate Signing Request). For use with Bluemix, the most important thing to remember is to specify a wildcard domain for the Common Name field. I’ve marked the openssl prompt for that in the console output below.
$ openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:MN
Locality Name (eg, city) []:Rochester
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Tony's Bluemix Demos
Organizational Unit Name (eg, section) []:IT Dept.
Common Name (e.g. server FQDN or YOUR name) []:*.itdept.tonyerwin.com    <-- must be wildcarded
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
  3. Remove the passphrase from the key.
$ cp server.key server.key.org
$ openssl rsa -in server.key.org -out server.key
Enter pass phrase for server.key.org:
writing RSA key
  4. Generate a self-signed certificate.
$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=US/ST=MN/L=Rochester/O=Tony's Bluemix Demos/OU=IT Dept./CN=*.itdept.tonyerwin.com/emailAddress=[email protected]
Getting Private key

At the end of this process, you’ll have two files: server.crt and server.key. Like before, these files can be uploaded via the Bluemix UI. The screenshot below shows the details as provided by Chrome when I access my app. The certificate is still untrusted, but you can see many more fields are populated with data. One caveat if you follow these steps today: Chrome (since version 58) and other current browsers ignore the Common Name and match the hostname only against the subjectAltName extension, which the steps above never add, so the certificate will be reported as not matching the domain even after you trust it. The fix is to put a line such as subjectAltName = DNS:*.itdept.tonyerwin.com, DNS:itdept.tonyerwin.com in a small file and pass it to the openssl x509 -req step with -extfile (or, with OpenSSL 1.1.1 or later, pass -addext "subjectAltName=..." when you let openssl req -x509 produce the certificate directly).

Browser Info For Cert Generated by OpenSSL

If you want to go deeper with openssl, you can even generate your own intermediate certificates and use them to sign your main certificate. For example, see the article How to act as your own certificate authority (CA) by Jamie Nguyen.

Using Keychain Access on Mac to Be Your Own Certificate Authority

Depending on your platform, you may have graphical tools at your disposal to create and manage certificates. For example, on a Mac you can use Keychain Access. In the rest of this section, I’ll walk you through using Keychain Access on Mac OS X (Version 10.9.4) so you can act as your own certificate authority. You’ll first create a self-signed root certificate authority, which you’ll mark as trusted. You’ll then use this trusted CA to issue a new certificate specific to your domain. Finally, you’ll export the files from Keychain Access and upload them to Bluemix. After that, you should see no SSL security warnings when accessing your web app from a browser on your local system.

Create Your Own Certificate Authority

First, follow the steps below to create a new certificate authority:

  1. Launch Keychain Access.
  2. Choose the Keychain Access -> Certificate Assistant -> Create a Certificate Authority… menu option.
  3. On the resulting dialog:
    • Fill in the Name field.
    • Ensure the Identity Type select box is set to Self Signed Root CA.
    • Leave User Certificate set to S/MIME Email or change to SSL Server.
    • Leave Let me override defaults unchecked.
    • Optionally uncheck Make this CA the default.
    • Specify a value for Email from.

Keychain Access: Create Certificate Authority

  4. Click the Create button.
  5. Close the dialog which says Conclusion and tells you creation was successful.
  6. Within the main Keychain Access window, find your new certificate and open it (either double-click on it or invoke the Get Info context menu item).
  7. On the resulting dialog, change the select box for When using this certificate to Always Trust.

Keychain Access: Trust New Certificate Authority

  8. Close the dialog. You will then be prompted for an administrator user name and password. After entering your credentials, click the Update Settings button.

You now have a self-signed certificate authority that is trusted by your local system. Guard its private key (it lives in your login keychain): anyone who obtains it can issue certificates for any site, and this machine will accept them without a warning.

Create Your Main Certificate

Next, you will create the main certificate for your domain. We will issue it using the trusted certificate authority you created in the previous section.

  1. In Keychain Access, choose the Keychain Access -> Certificate Assistant -> Create a Certificate… menu option to show the Create Certificate Wizard.
  2. On the first panel of the wizard:
    • Fill in the Name field.
    • Ensure the Identity Type select box is set to Leaf.
    • Set the Certificate Type field to SSL Server.
    • Check the box next to the Let me override defaults option.

Keychain Access: Create New Certificate

  3. Click the Continue button.
  4. On the next panel, you can optionally adjust the Serial Number and Validity Period fields. Then, click the Continue button.
  5. You will then see a panel with a number of important attributes. Fill in all of the fields, but pay particular attention to the Name (Common Name) field. This field must be the wildcard version of the domain you wish to secure in Bluemix.

Keychain Access: Main Certificate Attributes

  6. Click the Continue button.
  7. You will then be given the option to choose the issuer for your new certificate. You will want to make sure to choose the certificate authority you created in the previous section.

Keychain Access: Choose Certificate Issuer

  8. Click the Continue button.
  9. On the next panel, you can leave the Key Size and Algorithm fields alone. Then, click Continue.
  10. On the Key Usage Extension panel, you have a variety of options. The only item I enabled is the Signature field.

Keychain Access: Key Usage Extension

  11. Click the Continue button.
  12. On the Extended Key Usage Extension panel, check the box next to the SSL Server Authentication option.

Keychain Access: Extended Key Usage Extension

  13. Click the Continue button.
  14. For the Basic Constraints Extension panel, you can leave the checkbox unchecked and then click the Continue button.
  15. For the Subject Alternate Name Extension panel, uncheck the box next to the Include Subject Alternate Name Extension field. Note that this worked with the browsers of the time; Chrome 58 and later, and other current browsers, ignore the Common Name and require the hostname in a Subject Alternative Name, so today you should leave this box checked instead and add the same wildcard domain as a dNSName entry.

Keychain Access: Subject Alternate Name Extension

  16. Click the Continue button to arrive at the Specify a Location for the Certificate panel. You can leave the Keychain field set to login.

Keychain Access: Specify a Location for the Certificate

  17. Click the Create button and the Conclusion panel will be made visible. You should see a summary of the information for your new certificate.

Keychain Access: Create Certificate Conclusion

  18. Click Done.

Export Certificates

Now, you have created a certificate authority and used it to issue a new certificate. The next thing you need to do is export the files from Keychain Access so you can upload them to Bluemix:

  1. In the main Keychain Access window, find your main certificate. In the context menu, choose the Export option.

Keychain Access: Export Main Certificate

  2. You then get to choose the location for your exported certificate. You can choose whatever you want for the filename (for example, server), but it’s very important you choose Certificate (.cer) for the File Format.

Keychain Access: Export Main Certificate File Choose

  3. Click the Save button.
  4. Now, find your private key in the Keychain Access window. You will need to expand your main certificate to see it. Right-click on it and choose the Export option.

Keychain Access: Export Private Key

  5. You will then see a dialog asking for a password to use to protect your file. Enter a password and confirm it (also be sure to remember it for later!), and click OK.
  6. Next you will be asked for an administrator password for your system. After entering your credentials, click Allow.
  7. You will then be asked for a location for the exported key. You can enter a file name (for example, server), and you’ll want to pick the same directory you chose for your exported certificate. For File Format, choose Personal Information Exchange (.p12). Click Save.
  8. Next, find your certificate authority in Keychain Access. Like you did for your main certificate, choose the Export option from the context menu.
  9. You will now see another file chooser. I entered ca for the filename, but you can choose whatever you like. However, be sure to pick Certificate (.cer) for File Format. Make sure you’ve chosen the same directory you used for exporting the first two files, and click Save.

Convert Your Private Key

You’ve exported the required files, and you’re almost done! But, there’s one more important step. Because Bluemix does not yet support p12 key files, you will need to use openssl to do a quick conversion. If you’ve gotten this far, it should be pretty straightforward because openssl is installed on your Mac. Go to the command line and change to the directory where you exported all of your files. Then, execute the command below (which came from a StackOverflow post). If you chose server.p12 for your key file name, then you can execute the command as is. Otherwise, substitute your own file name. When it asks for a password, use the same password you specified to protect the private key file when you exported it. Two things to watch for: the resulting server.key is an unencrypted private key, so restrict its permissions (chmod 600 server.key) and delete it once it has been uploaded; and if you run OpenSSL 3.x and the import fails with an unsupported-algorithm error, add the -legacy option to the openssl pkcs12 command, because Keychain Access has traditionally exported .p12 files with the old RC2 and 3DES ciphers that the 3.x default provider no longer enables.

$ openssl pkcs12 -in server.p12 -nocerts -nodes | openssl rsa > server.key
Enter Import Password:
MAC verified OK
writing RSA key

Final Result with Keychain Access

At this point, you should have a .cer file for your main certificate, a .key file for your private key, and a .cer file for your certificate authority. You can now use the Bluemix UI to upload those files and secure your own domain. I did this myself. And, when I access my app using Chrome on my personal Mac, I see the identity is verified and there are no security warnings. However, this is because we told Keychain Access to trust our self-signed certificate authority. So, of course, if someone tries to access the app from another system they will still get a security warning.

Chrome Details Using Trusted Self-Signed Certificate Authority

Conclusion

Self-signed certificates should never be used for production apps, but you’ve seen they have value for testing and development. I presented steps for three different approaches to creating self-signed certificates appropriate for use with your Bluemix apps. These included online generation, manually executing openssl commands, and using the Mac’s Keychain Access app. In the last case, you also saw how a self-signed certificate authority can be marked as “trusted” to eliminate browser security warnings when running locally. After using any of these approaches, you can upload the resulting certificate and key files using the Bluemix UI to associate them with a custom domain. See my other post for full details on how to do that.

Redirecting HTTP to HTTPS with Node.js on IBM Bluemix

Colleague Jeff Sloyer points out in his recent blog post, Inbound SSL in Bluemix, that an app using the default domain for IBM Bluemix (which is mybluemix.net) gets SSL support automatically. This means without taking any other action, the app is accessible via https and traffic is secured by a fully trusted certificate provided by IBM. However, if not careful, your app will continue to be accessible via http, which completely bypasses SSL. In this post, I’ll show code for a simple approach (which differs from Sloyer’s) to make a Node.js app redirect http requests to https by leveraging parts of the Express web app framework. In addition, I’ll touch on issues with custom domains that occur when using the built-in, default SSL certificate.

Taking a Closer Look at Default Behavior

To show what happens “out-of-the-box”, I’ve created an app in the Bluemix UI using the SDK for Node.js™ starter. You can access it for yourself via the links below (using either http or https):

In either case, you’ll see a web page like the following:

Screenshot of Node.js Starter App

However, when you use https, notice that the browser shows a lock icon in the address bar. And, if you dig into the certificate details, you should see something like the following (which happens to be from Chrome):

Certificate info for mybluemix.net

This indicates that the certificate for *.mybluemix.net was issued by DigiCert and is trusted. You can rest assured the web site is coming from a server running on mybluemix.net, and the data is encrypted. On the other hand, if you use http there is no certificate info, and web traffic is unencrypted.

Redirecting HTTP to HTTPS

Where Will It Run?

While the Node.js app has been tested only on Bluemix, it should also run anywhere the app is sitting behind a reverse proxy. In particular, since Bluemix is a Platform-as-a-Service (PaaS) built on top of the Cloud Foundry open source framework, I'd expect the code to run without change in any other Cloud Foundry-based environment.

If we want to guarantee all of our traffic uses SSL, we need to ensure http requests are redirected to https. I’ve written a small Node.js application demonstrating how to do this when running on Bluemix. The code makes use of the Express framework, and this really simplifies the work. The key components of the solution are:

  • Enabling trust proxy to turn on reverse proxy support
  • Using req.secure to determine if http or https was requested
    • NOTE: req.secure is simply a shortcut for req.protocol === 'https'. With trust proxy enabled, Express derives req.protocol from the X-Forwarded-Proto request header that the router adds; without it the header is ignored (correctly, since any client could send it) and req.protocol reflects only the connection to the app itself, which on Bluemix is always plain http.

The full code listing is shown below. And, a complete package that can be deployed to Bluemix (including instructions on how to do so) is available on GitHub.

You can access a live Bluemix deployment of the code with the URLs below (one using http and one using https):

In both cases, you should see a page like the one below (and using https):

Screenshot of HTTPS Redirect Demo

Alternative Approach: Inspect X-Forwarded-Proto

In my code, I enabled trust proxy and then left most of the work to the Express framework. A slightly lower-level, “long hand” approach is described by Sloyer in his previously mentioned post. His code example is illustrative as he manually inspects the X-Forwarded-Proto request header. This gives a sense of what’s going on behind the scenes, and is especially useful if not using Express.

What About Custom Domains?

To this point, I’ve only been talking about URL’s using the default mybluemix.net domain. The reason is that if you use a custom domain, things don’t come together quite as smoothly. You still technically get https for free, but the browser will complain about a domain mismatch after inspecting the certificate.

To allow you to easily see this for yourself, I’ve added a route to the https-redirect-demo app which uses the tonyerwin.com domain:

If you follow that link, the redirect from http to https still occurs. But, your browser is going to tell you that you can’t trust the identity of the site. For example, here’s what I see in Chrome:

Security Warning in Chrome With Custom Domain

Basically, the same certificate that was present for the *.mybluemix.net domain is still being served, but its domain info doesn’t match my tonyerwin.com custom domain. So, Chrome tells me I should probably stay clear and not continue.

Clearly, you wouldn’t want this kind of message appearing for your production apps. The only way to solve this problem is to upload an SSL certificate which matches *.tonyerwin.com. You can learn all about using your own SSL certificates in my post called Bluemix UI: SSL Certificates and Custom Domains.

Conclusion

In this post, you saw how both http and https are enabled for Bluemix apps using the default mybluemix.net domain. Then, you saw how a few lines of code in a Node.js app allow you to redirect all http requests to https (which ensures data shared between your app and the user’s browser is authenticated and encrypted). Finally, you learned that more work is needed to avoid SSL certificate errors when using https with a custom domain. The additional work to upload your own SSL certificates will be the subject of a follow-up post in the near future.

Updated, Sept. 15, 2014 to include link to my new post entitled “Bluemix UI: SSL Certificates and Custom Domains.”


The Bluemix UI updates for August are now live in 85 countries! The team kept busy this month and put together a lot of awesome new features since our July refresh. We think you’ll enjoy these enhancements, which include:

  • Better Allowances for Runtime Usage
  • Cost Estimator — estimate costs for your apps and services based on configurations you specify
  • Redesigned App Details — featuring a cleaner look, brand new function, and responsiveness for mobile devices
  • SSL Certificates for Custom Domains — upload SSL certificates to secure your custom domains
  • Apple iOS Solutions Page — learn about the power of the Bluemix and iOS combo
  • Multimedia for Catalog Offerings — enhanced media (in the form of images and videos) for numerous items in the catalog
  • Java Cloudant Web Starter — get started quickly with Java and Cloudant NoSQL DB
  • Documentation Updates — navigation improvements and updated styling
  • Many bug fixes and usability improvements

Bluemix UI Updates: August 2014


About this time a week ago, I was in the middle of the opening night meet-and-greet at That Conference 2014 held at the Kalahari Resort in Wisconsin Dells, WI. While the “Dells” (as we in the region refer to it) is the self-proclaimed “Water Park Capital of the World”, That Conference is a major tech event with 1000+ software developers, designers, and IT professionals getting together to share information about happenings in mobile, web, and cloud. I was there to represent IBM (the Principal Sponsor of the conference) with the goal of sharing IBM Bluemix with a new group of developers.

For those readers who may not know, Bluemix is IBM’s new Platform-as-a-Service (PaaS) offering intended to facilitate rapid development of applications in the cloud. It offers more than 50 services to use in your apps and flexible, pay-as-you-go pricing (after a 30-day free trial).

Working the Bluemix Booth

IBM Bluemix: T-shirts

I drove over from MN and met up with colleagues Mark VanderWiele and Carl Osipov. We spent most of our time from Sunday night through Wednesday at the IBM booth talking Bluemix with attendees. There was regular traffic and we ended up running out of the very popular t-shirts we were handing out as SWAG. :)

The vast majority of visitors to the booth (like 99%) had never heard of Bluemix. This wasn’t terribly surprising since we just GA’ed at the end of June, so it offered us a great opportunity to spread the word. Folks who stayed at the booth long enough to see demos of the Bluemix UI and/or sample apps seemed to leave with a favorable impression. For example, I tweeted the following after Farah Prasla got her introduction to Bluemix:

Bluemix Break-out Sessions

IBM Bluemix: Carl Osipov Presenting

The team also held two Bluemix breakout sessions on Tuesday afternoon. These sessions were intended to take people through a deeper dive to see how easy it was to construct the sample apps shown at the booth:

Positive Feedback on Twitter

By the end of the week, we had accumulated a lot of positive feedback on Bluemix (even though most people started the week unaware of the platform). Below are some of my favorite tweets from conference participants showing the inroads we made in this community:

Picture Albums

What’s a conference summary without some pictures? From keynotes to pig roasts to “bacon bars,” below are links to some of my picture highlights over the four days of the conference:

Final Thoughts

In short, we had a great time last week at That Conference 2014. The conference was well-organized, and everyone was friendly and eager to talk about technology. The staff was awesome to work with and regularly checked in to see if we needed anything. So, thanks That Conference! :)

Most importantly, we were able to connect with a lot of people who had never heard of Bluemix. For those people, please let us know if you have any post-conference questions or other feedback. And, if you haven’t already, be sure to go out to Bluemix.net and sign-up for a free 30-day trial. Also, check out the Bluemix Dev-to-Dev Community and follow @IBMBluemix on Twitter.

IBM Bluemix and That Conference 2014

It’s been just one month since IBM Bluemix reached general availability, but we already have another round of Bluemix UI updates! The new features include enhancements to collaboration, catalog, solutions pages, and responsiveness. You’ll also notice updates to Bluemix Documentation with improved search, filtering, and mobile rendering. And, finally, there was a healthy dose of general bug squashing and usability tweaks.

Check out my write-up on the Bluemix Developers Community for the details.

Bluemix UI Updates: July 2014