This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Generating SSL Certificates and DNS Records

This tutorial describes how you can generate DNS records and SSL certificates to configure custom URLs for WSO2 API Cloud.

  1. Install an SSL key generation tool. In this tutorial we use OpenSSL as the tool.

  2. On the command-line, navigate to a preferred location in the server and execute the following command to generate a private SSL key with the name private.key.

    openssl genrsa -out private.key 2048

    Note that the key file is generated in the directory location that you are in.

  3. In the command-line, execute the following command to generate a certificate signing request file for your custom URL. Be sure to change the business address in this command to your own.

    openssl req -new -key private.key -sha256 -nodes -out request.csr -subj "/C=US/ST=California/L=Mountain View/O=WSO2/OU=IT/CN=developers.mytesturl.info"

    Note that the certificate signing request file is generated in the directory location that you are in.

    Go to a certificate vendor of your choice and use the certificate signing request file to obtain a certificate for your domain. Any certificate that is accepted by browsers works. We used https://www.comodo.com/ as the certificate authority in this tutorial.

    When you are done, you typically receive an email with the certificate for your domain along with the certificate authority's root and intermediate certificates. Some certificate authorities provide the root and intermediate files as a single chain file, some others provide multiple files, and some others provide none.  

    Tip: When receiving certificate files (private key and public key) from vendors, they may provide certificates of different file types (e.g., .crt, .cer, .p7b, .pem, .pfx). However, when uploading the public certificate in WSO2 API Cloud, the preferred formats are .crt, .cer and .pem. Therefore, if you have a public certificate file of any other type (.p7b, .pfx), you need to convert it to one of the preferred file types.

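    You can use the OpenSSL command to convert the certificate files as shown in the examples below. Note that the -nodes option in the PFX command writes any private key contained in the .pfx file to the output file unencrypted, so restrict access to that file.

    Convert P7B to PEM:

    openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.pem

    Convert PFX to PEM:

    openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes
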
  4. If you receive multiple root and intermediate files from your certificate authority, use the cat utility (available in Unix and Unix-based operating systems) to concatenate them into a single chain file (chain.crt). An example is given below.

    cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > chain.crt

    Tip: If you are using Microsoft Windows, follow the instructions below to concatenate the files.

    • Open all certificate files except your domain certificate in a text editor.

    • Create a new blank text file.

    • Copy the contents from all the files in the reverse order and paste them into the new text file. For example, copy intermediate 3, intermediate 2, intermediate 1, and then the root certificate.

    • Save the newly created file (say chain.crt).

    Note that the chain.crt file should have content in the following order: 

    -----BEGIN CERTIFICATE-----
    (Your Intermediate certificate: COMODORSADomainValidationSecureServerCA.crt)
    -----END CERTIFICATE----- 
    
    -----BEGIN CERTIFICATE-----
    (Your Intermediate certificate: COMODORSAAddTrustCA.crt)
    -----END CERTIFICATE-----
    
    -----BEGIN CERTIFICATE-----
    (Your Root certificate: AddTrustExternalCARoot.crt)
    -----END CERTIFICATE-----
  5. Reserve a domain name with any domain registrar and create DNS CNAME records that map the domain to your API Store and Gateway URLs.

    Note: Most domain registrars provide step-by-step instructions on their websites. For your convenience, we have listed the general steps below.

    • Sign in to the domain registrar’s site.
    • Navigate to your Domain Name Server (DNS) management page. The location and name of this page can vary by the host, but can generally be found under the Domain Management or Advanced Settings section.
    • Find the CNAME settings. Under the 'CNAME value or alias', enter the subdomain that you want to map each URL to. The subdomain of developers.mytesturl.info is developers.
    • Set the CNAME destination to the API Cloud's custom DNS endpoint, which is customdns.api.cloud.wso2.com. When configuring a custom URL for API gateway, if you select a region different from the default region (US East), be sure to set the CNAME destination according to the following table.

      Region            Pointing URL
      US East           customdns.api.cloud.wso2.com
      US West           customdns-usw.api.cloud.wso2.com
      Sydney            customdns-syd.api.cloud.wso2.com
      Brazil            customdns-brz.api.cloud.wso2.com
      EU (Ireland)      customdns-ire.api.cloud.wso2.com
      EU (Frankfurt)    customdns-frk.api.cloud.wso2.com

      If you want to access your APIs from any other AWS region, contact the Cloud team via cloud@wso2.com.


    WSO2 API Cloud allows the use of self-signed certificates for educational purposes and internal usage, but we do not recommend the use of self-signed certificates in production environments.

    Now you have the SSL certificates and DNS records to configure required custom URLs for API Cloud.
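
The checks below are an added example, not part of the original WSO2 tutorial: before uploading, they confirm that private.key matches the issued certificate (steps 2 and 3) and that chain.crt is in the order shown in step 4. The function names, the file names domain.crt, inter.* and root.*, and the throwaway test PKI are assumptions constructed for this example.

```shell
# Added example: pre-upload checks. private.key, request.csr and chain.crt follow
# the tutorial; function names and domain.crt, inter.*, root.* are assumptions.

# True when the private key ($1) and the certificate ($2) hold the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# True when every certificate is issued by the next one: the domain certificate
# ($1) first, then the chain file ($2) in intermediate-to-root order.
chain_in_order() {
    openssl crl2pkcs7 -nocrl -certfile "$1" -certfile "$2" 2>/dev/null |
        openssl pkcs7 -print_certs -noout 2>/dev/null |
        awk '/^subject=/ { sub(/^subject=/, ""); if (n++ && $0 != want) bad = 1; next }
             /^issuer=/  { sub(/^issuer=/, ""); want = $0 }
             END { exit (bad || n < 2) }'
}

# True when signatures link the certificate ($1) to the root inside the chain
# file ($2). The file is its own trust anchor here: a consistency check only.
chain_verifies() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Constructed throwaway PKI (root -> intermediate -> domain) in directory $1.
make_demo_pki() (
    cd "$1" || exit 1
    echo 'basicConstraints=critical,CA:TRUE' > ca.ext
    for n in root inter private; do openssl genrsa -out "$n.key" 2048 2>/dev/null; done
    openssl req -new -key root.key -subj "/CN=Constructed Root CA" -out root.csr
    openssl req -new -key inter.key -subj "/CN=Constructed Intermediate CA" -out inter.csr
    openssl req -new -key private.key -sha256 -subj "/CN=developers.mytesturl.info" -out request.csr
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 2 -out root.crt 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -extfile ca.ext -days 2 -out inter.crt 2>/dev/null
    openssl x509 -req -in request.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
        -days 2 -out domain.crt 2>/dev/null
    cat inter.crt root.crt > chain.crt       # tutorial order: intermediate, then root
    cat root.crt inter.crt > reversed.crt    # wrong order, for comparison
)

d=$(mktemp -d) && make_demo_pki "$d" || exit 1
key_matches_cert "$d/private.key" "$d/domain.crt" && echo "key matches certificate"
chain_in_order "$d/domain.crt" "$d/chain.crt" && echo "chain.crt: order ok"
chain_in_order "$d/domain.crt" "$d/reversed.crt" || echo "reversed.crt: wrong order"
chain_verifies "$d/domain.crt" "$d/reversed.crt" && echo "openssl verify ignores file order"
rm -rf "$d"
```

Against real files, call the three check functions with your own private.key, domain certificate and chain.crt. Because openssl verify accepts the certificates in any order, the separate order check is what catches a chain file assembled the wrong way round.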