Erlang cluster on Kubernetes: Creating Certificate signing requests with OpenSSL

22 Dec 2022 09:58 openssl

Erlang TLS distribution is picky about how its certificates are created. OpenSSL is a pain to use. Here’s how to awkwardly wedge the two together. This took me several hours and a lot of my sanity. You’re welcome.

Private key

First, we need a private key. I’m going to use an EC key. cert-manager is picky about which curves it accepts, so stick with prime256v1.

openssl ecparam -name prime256v1 -genkey -noout -out "$CERTS_DIR/$CERT_FILENAME.key"

CERTS_DIR and CERT_FILENAME are passed in from the K8s deployment and point to the /certs volume that’s shared between the two containers.

Configuration file

You can create a certificate signing request without an OpenSSL config file, but if you want to specify any extensions, you’re going to need one. We do, so we do.

req_extensions = req_extensions
distinguished_name = req_distinguished_name


subjectAltName = @alt_names
extendedKeyUsage = serverAuth,clientAuth


We use a heredoc because we need to substitute ${MY_POD_IP} into one of the alternate names.

I guess we could have used a template file and sed (or envsubst).

Creating the signing request

openssl req -new \
            -key "$CERTS_DIR/$CERT_FILENAME.key" \
            -subj "/CN=${MY_POD_IP}" \
            -out "$CERTS_DIR/$CERT_FILENAME.csr" \
            -config "$CERTS_DIR/$CERT_FILENAME.cnf"

This generates a CSR file, e.g. /certs/tls-dist.csr. You can submit that to your certificate authority and you should get a signed certificate back.

As discussed in the introduction to this series, I’m going to use cert-manager. See the next post.