Skip to main content
Version: 0.35

Generate self-signed TLS certificates

This guide describes the steps to generate a self-signed certificate to use with Astronomer Software. You might want to complete this setup as part of installing Astronomer Software on AWS.

Self-signed certificates are ideal for privately hosted internal applications, as well as in development and testing environments. Avoid using self-signed certificates in installations where the trust and identity of the certificate issuer are important.



Run the following set of commands, and answer the questions when prompted.

  1. Run the following command to create a private key:

    openssl genrsa -aes256 -passout pass:gsahdg -out server.pass.key 4096
  2. Run the following command to make a password-less second key based on the first key you created:

    openssl rsa -passin pass:gsahdg -in server.pass.key -out server.key
  3. Run the following command to delete the first key:

    rm server.pass.key
  4. Run the following command to create a certificate signing request using the password-less private key. You will be asked to provide information to sign the certificate. Make sure the Common Name matches your DNS record, for example *

    openssl req -new -key server.key -out server.csr

    When openssl asks for a challenge password, press Enter to leave the password empty. Kubernetes does not natively support challenge passwords for certificates stored as Secrets.

  5. Run the following command to create the certificate from your private key and signing request:

    openssl x509 -req -sha256 -days 365 -in server.csr \
    -signkey server.key -out server.crt \
    -extfile <(printf "subjectAltName=DNS:*.astro.<your-basedomain>,DNS:astro.<your-basedomain>")

    Make sure the Subject Alternative Name matches the required domain and subdomains. To generate a wildcard certificate, both the base domain and the wildcard domain must be included. To generate a limited multi-domain certificate, add individual SAN entries for each subdomain.

The certificate file server.crt and private key file server.key can now be used in your Astronomer Software installation.

Inspect your self-signed certificate

Run the following command to inspect your self-signed certificate:

openssl x509 -in server.crt -text -noout

Confirm that the X509v3 Subject Alternative Name section of the certificate includes your Astronomer base domain (<your-basedomain>) as well as the wildcard domain (*.<your-basedomain>).

Was this page helpful?

Sign up for Developer Updates

Get a summary of new Astro features once a month.

You can unsubscribe at any time.
By proceeding you agree to our Privacy Policy, our Website Terms and to receive emails from Astronomer.