How to create TLS certificates
    • 13 Apr 2023

    For security reasons, all integrations are strongly advised to secure their communication with TLS. This ensures that all important data transmissions are encrypted and prevents potential data leaks and other vulnerabilities. Below are instructions on how to create a valid TLS certificate that is compatible with the Reconeyez system.

    Subject name verification

    RFC 2818, published in May 2000, deprecates the use of the Common Name (CN) field in TLS certificates for subject name verification. Reconeyez integration module version 1.13 uses a TLS client that has finalized this deprecation: TLS certificates without a Subject Alternative Name (SAN) section can no longer be used for verification.

    Clients that already use TLS but are not using SANs need to update their certificates to conform with the new requirements. Most importantly, clients must add the server's external DNS names and/or IP addresses to the certificate's Subject Alternative Name (SAN) field.

    Self-signed certificates

    To create a self-signed TLS certificate with IP SANs you can for instance follow this guide: https://medium.com/@antelle/how-to-generate-a-self-signed-ssl-certificate-for-an-ip-address-f0dd8dddf754

    The client needs to notify Reconeyez support when the certificate has been created and applied to the server. Because the certificate is self-signed, Reconeyez support must also add it to the root CA pool on the corresponding Reconeyez server in order to verify the issuer. Note that when this certificate expires and a new certificate is created, Reconeyez support needs to update it in the server's root CA pool as well.

    Certificate chain

    To avoid this, the client can create their own root CA certificate and certificate chain (https://www.golinuxcloud.com/openssl-create-certificate-chain-linux/) and provide the root CA certificate to Reconeyez support to add to our root CA pool. This reduces the future maintenance burden, since only the root CA needs to be registered and renewed server certificates signed by it require no further action.
