HTTPS with IP address or Azure KeyVault certificates as SSL for website
Hey folks!
I will continue with the same old story about deployment to the on-premise environment. This time I want to tell you how we managed the favorite part of all teams — SSL certificates.
We have 2 cases:
- Our development/testing environment (DNS available)
- Closed (production) environment without DNS, reached over VPN
HTTPS with a domain name
In the case where we have a domain name, we just configured the SSL certificate with certbot, which is documented in countless places — https://certbot.eff.org/docs/using.html
HTTPS on IP address
The second case was much more interesting. How do we enable a secure connection in a private network?
What do we have:
- closed network (no outbound access, so certbot can’t complete its validation)
- no DNS (only IP address)
- Let’s Encrypt doesn’t issue certificates for IP addresses
To generate an SSL certificate for an IP address we decided to use Azure KeyVault.
Azure KeyVault is secure storage for cryptographic keys and other secrets used by cloud apps and services.
So to have https://ip_address we will do the following:
- Create Azure KeyVault
- Generate certificate
- Download certificate
- Use it on our Nginx configurations
Let’s dive.
Create Azure KeyVault
To create an Azure KeyVault you can follow this instruction — create KeyVault.
Generate certificate
To generate your certificate, just follow these steps:
The next step is to fill in the configuration:
In these configurations, there are a few important points to understand:
Other settings are up to you, as they are not required to make HTTPS on an IP address work, so I won’t cover them here.
As soon as our certificate is created, we have to be sure that it’s enabled:
Download PEM and CERT
Next steps are easy:
- Download certificate
- Modify to use as SSL
- Integrate
- Tests
To download the certificate in Azure KeyVault, just open it and press Download in PFX/PEM format.
Now that we have our PEM file, we also need a CERT file to integrate it with NGINX. I find this step quite stupid, but it works.
We open PEM file and we copy this part:
-----BEGIN CERTIFICATE-----
MIIDpjCCAo6gAwIBAgIQ.........
.......................vy75E=
-----END CERTIFICATE-----
and we save it as a separate *.cert file.
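An added example (not code from the original post) that automates the copy-and-paste step above: it splits the PEM bundle downloaded from KeyVault into the certificate and key files nginx needs, confirms the private key belongs to the certificate, and confirms the certificate lists the IP address as a subjectAltName, which browsers require before they accept it for https://ip_address. File names and the address 10.0.0.5 are assumptions; the script needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not code from the original post. Splits the PEM bundle exported by
# Azure KeyVault (private key + certificate in one file) into the two files nginx
# expects, then sanity-checks them. Paths and the IP address are constructed examples.

# split_keyvault_pem BUNDLE.pem OUT.cert OUT.key
# Copies the first CERTIFICATE block into OUT.cert and the PRIVATE KEY block into OUT.key.
split_keyvault_pem() {
    bundle=$1; cert_out=$2; key_out=$3
    awk '/-----BEGIN CERTIFICATE-----/ {p=1} p {print} /-----END CERTIFICATE-----/ {if (p) exit}' \
        "$bundle" > "$cert_out"
    awk '/-----BEGIN .*PRIVATE KEY-----/ {p=1} p {print} /-----END .*PRIVATE KEY-----/ {if (p) exit}' \
        "$bundle" > "$key_out"
    chmod 600 "$key_out"   # the key is a secret: readable by root (the nginx master) only
    [ -s "$cert_out" ] && [ -s "$key_out" ]
}

# check_ip_cert SITE.cert SITE.key IP
# Succeeds only if the key belongs to the certificate and IP is a subjectAltName entry;
# a certificate that carries the address only in the CN is rejected by current browsers.
check_ip_cert() {
    cert=$1; key=$2; ip=$3
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate" >&2; return 1
    fi
    if ! openssl x509 -in "$cert" -noout -text | grep -qE "IP Address:$ip(,|[[:space:]]|$)"; then
        echo "certificate has no IP subjectAltName for $ip" >&2; return 1
    fi
}

# Typical use, with the nginx paths from the post and a constructed address:
# split_keyvault_pem keyvault.pem /etc/ssl/https/keyvault_priv.cert /etc/ssl/https/keyvault_priv_key.pem
# check_ip_cert /etc/ssl/https/keyvault_priv.cert /etc/ssl/https/keyvault_priv_key.pem 10.0.0.5
```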
Integrate certificate with NGINX
This is the easiest part, as we just have to include the proper paths to our certificate files, like you do when you use certbot:
ssl_certificate /etc/ssl/https/keyvault_priv.cert;
ssl_certificate_key /etc/ssl/https/keyvault_priv_key.pem;
And all the magic works!
That’s all folks!
We implemented https://ip_address. Now our connection to the IP address is secured by an SSL certificate and all clients can use our website without worries.
Trusted certificate
As soon as you have achieved HTTPS on an IP address, your web browser will show you this message:
In Chrome it’s shown like this:
This is normal, as the certificate we generated was not issued by a trusted certificate authority.
This can be fixed during the creation of the certificate by paying a trusted certificate authority:
Thanks for reading!
If you have other errors while securing your connection, or you are interested in another topic, please add comments and upvote 👍. We’re interested in the dialogue.