mTLS Certificates Generation Guide
This guide walks you through generating self-signed TLS certificates for establishing secure mutual TLS (mTLS) authentication between the USP Server and USP Manager components.
For a deeper explanation of why and where TLS certificates are required, refer to Certificates.
Prerequisites
Before proceeding, ensure the following:
- OpenSSL is installed on a trusted system (e.g., your local workstation or a secure certificate host).
- You have shell access to the USP Server host to deploy its certificates.
- You have access to the USP Admin UI or REST API to upload certificates for the USP Manager.
- You know the hostnames and IP addresses for both the USP Server and the USP Manager.
- You understand the certificate flow.
This guide assumes a local Certificate Authority (CA) is used to sign the certificates.
How to Generate Self-Signed TLS Certificates
Summary
This certificate generation guide produces the following files, each used later by either the USP Server, the USP Manager, or both:
| Step | File | Description & Usage |
|---|---|---|
| 2 | usp-ca.crt | The Certificate Authority (CA) certificate. Shared by both USP Server and USP Manager to validate each other's certificates. |
| 3 | usp-server.key, usp-server.crt | The USP Server's private key and TLS certificate. Referenced in the USP Server's .hcl configuration file. |
| 4 | usp-manager.key, usp-manager.crt | The USP Manager's private key and TLS certificate. Uploaded into the USP Manager via the USP Admin UI or USP REST API. |
Step 1: Create a Certificate Directory
On the system where you will generate the certificates (or the USP Server host), create a working directory:
mkdir -p ./certificates
Step 2: Generate a Certificate Authority (CA)
Create a new CA certificate and private key (the CN can be any descriptive value):
openssl req -new -x509 -nodes -days 36500 \
-subj "/CN=UDMG USP CA" \
-keyout ./certificates/usp-ca.key \
-out ./certificates/usp-ca.crt
This CA will be used to sign both the USP Server and USP Manager certificates.
Step 3: Generate the USP Server Certificate and Key
3.1: Generate the private key
openssl genrsa -out ./certificates/usp-server.key 2048
3.2: Generate the Certificate Signing Request (CSR)
Replace the CN value with the hostname of the USP Server:
openssl req -new -key ./certificates/usp-server.key \
-subj "/CN=usp-server.example.com" \
-out ./certificates/usp-server.csr
3.3: Create Subject Alternative Names (SAN) definition file for the certificate
Create a file named usp-server-cert.cnf with the following content (replacing both values with the hostname and IP address of the USP Server):
subjectAltName=DNS:usp-server.example.com,IP:172.1.1.1
3.4: Sign the certificate
openssl x509 -req \
-in ./certificates/usp-server.csr \
-CA ./certificates/usp-ca.crt \
-CAkey ./certificates/usp-ca.key \
-extfile usp-server-cert.cnf \
-CAcreateserial \
-days 365 \
-out ./certificates/usp-server.crt
3.5: Copy the files to the USP Server host
If necessary, copy the following files to the USP Server host:
./certificates/usp-server.crt
./certificates/usp-server.key
./certificates/usp-ca.crt
These will be referenced in the USP Server's .hcl configuration file.
Step 4: Generate the USP Manager Certificate and Key
These certificates are also generated via OpenSSL, but are not placed directly on the USP Manager host. Instead, they are added via the USP Admin UI or USP REST API.
4.1: Generate the private key
openssl genrsa -out ./certificates/usp-manager.key 2048
4.2: Generate the Certificate Signing Request (CSR)
Replace the CN value with the hostname of the USP Manager:
openssl req -new -key ./certificates/usp-manager.key \
-subj "/CN=usp-manager.example.com" \
-out ./certificates/usp-manager.csr
4.3: Sign the certificate
Sign the USP Manager CSR with the CA certificate:
openssl x509 -req \
-in ./certificates/usp-manager.csr \
-CA ./certificates/usp-ca.crt \
-CAkey ./certificates/usp-ca.key \
-CAcreateserial \
-days 365 \
-out ./certificates/usp-manager.crt
4.4: Add the certificates to the USP Manager
In the USP Admin UI (or via the USP REST API), upload the generated certificate files as follows:
- Add a TLS Certificate using:
./certificates/usp-manager.crt
./certificates/usp-manager.key
- Add a CA Certificate using:
./certificates/usp-ca.crt
These certificates are later referenced when configuring a Proxy Server in USP Manager.
Step 5: Verify Certificates
You can verify that both certificates are signed by your CA with the following commands:
openssl verify -verbose -CAfile ./certificates/usp-ca.crt ./certificates/usp-server.crt
openssl verify -verbose -CAfile ./certificates/usp-ca.crt ./certificates/usp-manager.crt
Expected output:
./certificates/usp-server.crt: OK
./certificates/usp-manager.crt: OK
Step 6 (Optional): Clean Up Intermediate Files
During the certificate generation process, some temporary files were created (*.csr, usp-server-cert.cnf, and *.srl). These files are only needed while generating and signing certificates and can be safely deleted afterwards to keep your working directory clean:
rm ./certificates/usp-server.csr ./certificates/usp-manager.csr ./usp-server-cert.cnf ./certificates/usp-ca.srl
Only remove these intermediate files. Do not delete the private keys (*.key) or certificates (*.crt), as they are required for USP Server and USP Manager operation.
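The whole procedure as a script, followed by the pre-deployment checks a practitioner would want beyond Step 5 (an added example, not part of the guide; it assumes openssl 1.1.1 or newer on PATH, and the hostnames, IP address and the chmod of the key files are constructed assumptions rather than values from the guide):

```shell
# Added example (not from the guide): reproduce Steps 2-4 non-interactively, then run
# the checks a practitioner wants before deploying. Assumes openssl 1.1.1+ on PATH;
# the hostnames and IP address below are constructed placeholders.
set -eu
SERVER_HOST="usp-server.example.com"   # constructed placeholder
SERVER_IP="172.1.1.1"                  # constructed placeholder
MANAGER_HOST="usp-manager.example.com" # constructed placeholder

# gen_all DIR: CA (Step 2), server key/CSR/SAN/cert (Step 3), manager key/CSR/cert (Step 4).
gen_all() {
  d="$1"; mkdir -p "$d"
  openssl req -new -x509 -nodes -days 36500 -subj "/CN=UDMG USP CA" \
    -keyout "$d/usp-ca.key" -out "$d/usp-ca.crt" 2>/dev/null
  openssl genrsa -out "$d/usp-server.key" 2048 2>/dev/null
  openssl req -new -key "$d/usp-server.key" -subj "/CN=$SERVER_HOST" -out "$d/usp-server.csr"
  printf 'subjectAltName=DNS:%s,IP:%s\n' "$SERVER_HOST" "$SERVER_IP" > "$d/usp-server-cert.cnf"
  openssl x509 -req -in "$d/usp-server.csr" -CA "$d/usp-ca.crt" -CAkey "$d/usp-ca.key" \
    -extfile "$d/usp-server-cert.cnf" -CAcreateserial -days 365 -out "$d/usp-server.crt" 2>/dev/null
  openssl genrsa -out "$d/usp-manager.key" 2048 2>/dev/null
  openssl req -new -key "$d/usp-manager.key" -subj "/CN=$MANAGER_HOST" -out "$d/usp-manager.csr"
  openssl x509 -req -in "$d/usp-manager.csr" -CA "$d/usp-ca.crt" -CAkey "$d/usp-ca.key" \
    -CAcreateserial -days 365 -out "$d/usp-manager.crt" 2>/dev/null
  chmod 600 "$d"/*.key   # assumption: private keys must not be group/world readable
}

# chain_ok DIR NAME: the Step 5 check; succeeds when usp-NAME.crt chains to usp-ca.crt.
chain_ok() { openssl verify -CAfile "$1/usp-ca.crt" "$1/usp-$2.crt" >/dev/null 2>&1; }

# key_matches DIR NAME: .key and .crt carry the same public key, so a swapped or
# stale key file is caught before it is deployed (server) or uploaded (manager).
key_matches() {
  a=$(openssl x509 -in "$1/usp-$2.crt" -noout -pubkey | openssl sha256)
  b=$(openssl pkey -in "$1/usp-$2.key" -pubout 2>/dev/null | openssl sha256)
  [ "$a" = "$b" ]
}

# san_has DIR NAME VALUE: succeeds when the SAN extension contains VALUE (e.g. "DNS:host"
# or "IP Address:1.2.3.4"); fails when the certificate carries no SAN at all.
san_has() {
  openssl x509 -in "$1/usp-$2.crt" -noout -ext subjectAltName 2>/dev/null | grep -q -- "$3"
}

# check_all DIR: run every check for both components; returns non-zero if any fails.
check_all() {
  rc=0
  for n in server manager; do for c in chain_ok key_matches; do
    if "$c" "$1" "$n"; then echo "$n $c: ok"; else echo "$n $c: FAIL"; rc=1; fi
  done; done
  san_has "$1" server "DNS:$SERVER_HOST" && echo "server SAN: ok" || { echo "server SAN: FAIL"; rc=1; }
  return $rc
}
```

check_all expects a SAN only on the server certificate, matching Steps 3.3 and 4 of the guide; point it at the guide's ./certificates directory, or call gen_all on a scratch directory to exercise the whole procedure first.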