08-02-maintain-secure-connection-with-compass.md

File metadata and controls

76 lines (58 loc) · 2.74 KB

Maintain a secure connection with Compass

After you have established a secure connection with Compass, you can fetch the configuration details and renew the client certificate before it expires. The renewal calls are authenticated with the current client certificate, so start the procedure while that certificate is still valid. To renew the client certificate, follow the steps in this tutorial.

Prerequisites

Steps

  1. Get the CSR information with the configuration details.

    To fetch the configuration, make a call to the Certificate-Secured Connector URL, authenticating with the current client certificate and its private key (mutual TLS). The Certificate-Secured Connector URL is the certificateSecuredConnectorURL obtained when establishing a secure connection with Compass; it is a GraphQL endpoint. Send this query with the call:

    query {
        result: configuration {
            certificateSigningRequestInfo { 
                subject 
                keyAlgorithm 
            }
            managementPlaneInfo { 
                directorURL 
            }
        }
    }

    A successful call returns the requested configuration details: the subject and key algorithm that the new CSR must use, and the Director URL.

  2. Generate a key and a Certificate Signing Request (CSR).

    Generate a fresh private key and a CSR with this command, using the certificate subject data obtained with the CSR information in step 1. Do not reuse the key of the expiring certificate; renewal is the moment to rotate it:

    export KEY_LENGTH=4096
    openssl genrsa -out compass-app.key $KEY_LENGTH
    openssl req -new -sha256 -out compass-app.csr -key compass-app.key -subj "{SUBJECT}"

    NOTE: The key length is configurable, however, 4096 is the recommended value. Generate the key with the type and length given by the keyAlgorithm returned in step 1. openssl expects the subject in its slash-separated form (for example /O=Org/OU=Unit/C=DE/CN=app); if the subject returned in step 1 uses a different separator, convert it before passing it to -subj. Keep compass-app.key readable only by the process that uses it, as it is the private half of your renewed identity.

  3. Sign the CSR and renew the client certificate.

    Encode the obtained CSR with base64 on a single line. The CSR is sent as a GraphQL string literal, which cannot contain the line breaks that openssl base64 inserts by default, so use the -A flag:

    openssl base64 -A -in compass-app.csr

    Send the following GraphQL mutation with the encoded CSR to the Certificate-Secured Connector URL, authenticating with the current client certificate as in step 1:

    mutation {
        result: signCertificateSigningRequest(csr: "{BASE64_ENCODED_CSR}") {
            certificateChain
            caCertificate
            clientCertificate
        }
    }

    The response contains the renewed client certificate signed by the Kyma Certificate Authority (CA), the certificate chain, and the CA certificate. All three values are base64-encoded.

  4. Decode the certificate chain.

    The returned certificates and the certificate chain are base64-encoded and need to be decoded before use. base64 -d reads a file or standard input, not a literal argument, so pipe the value in and write the result to a file. To decode the certificate chain, run:

    echo "{CERTIFICATE_CHAIN}" | base64 -d > compass-app-chain.crt

    Decode clientCertificate and caCertificate the same way. Before you switch your client to the renewed certificate, check that it was issued for the expected subject, that its validity period is what you expect, that it verifies against the decoded CA certificate, and that it belongs to the key generated in step 2. Switch to the renewed certificate and key before the current certificate expires.
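The four steps as one script, added here as an example; it is not part of the Compass documentation or the project's code. It assumes hypothetical names: SUBJECT and KEY_ALGORITHM hold the subject and keyAlgorithm returned in step 1, CONNECTOR_URL the certificateSecuredConnectorURL, and CURRENT_CERT and CURRENT_KEY the client certificate and key still in use. The call to Compass is isolated in sign_with_compass, so the rest of the flow can be exercised offline against a constructed throwaway CA (sign_with_local_ca). The script goes beyond the commands on this page in three ways: it converts the subject into the form openssl expects, refuses a keyAlgorithm it cannot honor instead of generating the wrong key, and verifies the returned certificate against the returned CA and against the new key before it reports success.

```shell
#!/bin/sh
# Added example, not Compass project code. Hypothetical names: SUBJECT,
# KEY_ALGORITHM (certificateSigningRequestInfo from step 1), CONNECTOR_URL
# (certificateSecuredConnectorURL), CURRENT_CERT / CURRENT_KEY (the client
# certificate and key still in use). sign_with_local_ca is a constructed
# stand-in for Compass so the flow can be run offline.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# openssl's -subj wants "/O=Org/OU=Unit/C=DE/CN=app". A comma-separated RDN
# list is converted (values containing escaped commas are not handled); a
# subject already in slash form is passed through unchanged.
subject_to_openssl() {
  case "$1" in
    /*) printf '%s' "$1" ;;
    *)  printf '/%s' "$(printf '%s' "$1" | sed 's/,[[:space:]]*/\//g')" ;;
  esac
}

# keyAlgorithm such as "rsa4096" -> 4096. Anything else is refused rather
# than silently generating a key of the wrong type.
key_length_for() {
  case "$1" in
    rsa[0-9]*) printf '%s' "${1#rsa}" ;;
    *) echo "unsupported keyAlgorithm: $1" >&2; return 1 ;;
  esac
}

# Step 2: a fresh key (never the expiring one), readable only by this user.
make_key_and_csr() {
  length="$(key_length_for "$2")"
  (umask 077; openssl genrsa -out "$WORKDIR/compass-app.key" "$length" 2>/dev/null)
  openssl req -new -sha256 -key "$WORKDIR/compass-app.key" \
    -subj "$(subject_to_openssl "$1")" -out "$WORKDIR/compass-app.csr"
}

# Step 3: single-line base64, since a GraphQL string literal cannot hold newlines.
encode_csr() { base64 "$WORKDIR/compass-app.csr" | tr -d '\n'; }

build_sign_mutation() {
  printf '{"query":"mutation { result: signCertificateSigningRequest(csr: \\"%s\\") { certificateChain caCertificate clientCertificate } }"}' "$1"
}

# Real transport: mutual TLS with the still-valid client certificate.
sign_with_compass() {
  curl -fsS --cert "${CURRENT_CERT:?}" --key "${CURRENT_KEY:?}" \
    -H 'Content-Type: application/json' \
    --data "$(build_sign_mutation "$1")" "${CONNECTOR_URL:?}"
}

# Offline stand-in: a constructed test CA signs the CSR and answers in the
# same JSON shape as the mutation result.
sign_with_local_ca() {
  ca="$WORKDIR/test-ca"
  [ -f "$ca.key" ] || openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/O=Constructed Test CA/CN=test-ca" -keyout "$ca.key" -out "$ca.crt" 2>/dev/null
  printf '%s' "$1" | base64 -d > "$WORKDIR/incoming.csr"
  openssl x509 -req -in "$WORKDIR/incoming.csr" -CA "$ca.crt" -CAkey "$ca.key" \
    -CAcreateserial -days 90 -sha256 -out "$WORKDIR/signed.crt" 2>/dev/null
  printf '{"data":{"result":{"certificateChain":"%s","caCertificate":"%s","clientCertificate":"%s"}}}' \
    "$(cat "$WORKDIR/signed.crt" "$ca.crt" | base64 | tr -d '\n')" \
    "$(base64 "$ca.crt" | tr -d '\n')" \
    "$(base64 "$WORKDIR/signed.crt" | tr -d '\n')"
}

# Pull one base64 field out of the JSON response. This sed only works because
# base64 never contains a quote character; jq is the cleaner tool.
json_field() {
  printf '%s' "$2" | tr -d '\n' | sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Step 4: decode all three fields and check the result before using it: the
# new leaf must chain to the returned CA and must belong to our new key.
install_renewed_certs() {
  for f in certificateChain caCertificate clientCertificate; do
    json_field "$f" "$1" | base64 -d > "$WORKDIR/$f.pem"
    [ -s "$WORKDIR/$f.pem" ] || { echo "response lacks $f" >&2; return 1; }
  done
  openssl verify -CAfile "$WORKDIR/caCertificate.pem" "$WORKDIR/clientCertificate.pem" >/dev/null
  [ "$(openssl x509 -noout -pubkey -in "$WORKDIR/clientCertificate.pem")" = \
    "$(openssl pkey -pubout -in "$WORKDIR/compass-app.key")" ] \
    || { echo "certificate does not match compass-app.key" >&2; return 1; }
}

# Whole flow; $3 is the signing function. Prints the path of the renewed PEM
# only after every check passed, so a caller never swaps in an unverified cert.
renew_client_certificate() {
  make_key_and_csr "$1" "$2"
  install_renewed_certs "$("$3" "$(encode_csr)")"
  printf '%s\n' "$WORKDIR/clientCertificate.pem"
}

# Against a real connector:
#   renew_client_certificate "$SUBJECT" "$KEY_ALGORITHM" sign_with_compass
```

The verification in install_renewed_certs is the part worth keeping even if the rest is replaced by curl one-liners: it catches a response that was silently truncated, a certificate issued for a different subject or key, and a chain that does not lead to the CA you were handed.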

NOTE: To learn how to revoke a client certificate, read this document.