If you used a non-default file path for your GitLab SSH key pair, you must configure your SSH client to find your GitLab private SSH key for connections to GitLab. Open a terminal and use the following commands (replacing otheridrsa with your private SSH key). If you don't already have an SSH key, you must generate a new SSH key.If you're unsure whether you already have an SSH key, check for existing keys. If you don't want to reenter your passphrase every time you use your SSH key, you can add your key to the SSH agent, which manages your SSH keys and remembers your passphrase. Sep 16, 2018 DO NOT use password protected certificate key (in case the lack of the switch -nodes for no DES), to remove the password from the key: openssl rsa -in certificatebefore.key -out certificateafter.key. Generate self-signed SAN SSL certificate Online docs for SSL certificate with SAN. I tested many methods found on the Internet, most of them don.
Gitlab-CE default installation goes with HTTPS disable. We need to generate a SSL certificate, and bind it to the HTTPS of Gitlab-CE.
Online docs for SSL certificate without SAN
Generate SSL certificate private key
Generate SSL certificate request
Without the switch -config
, the generation of csr request will ask you some information about company, email, and passphrasem etc. If you dont want OpenSSL to ask you that, you need to prepare a config file and specify it by -config [YourConfigPath]
, and config example can be found in the paragraph Prepare the OpenSSL config file.
Generate SSL certificate
OpenSSL has the option to generate the certificate in one line, this post splits it into 3 steps (the private key, the request file, and the certificate) in order to get a clear understanding of the certificate generation procedure.
Review the SSL certificate content
DO NOT use password protected certificate key (in case the lack of the switch -nodes for no DES), to remove the password from the key:openssl rsa -in certificate_before.key -out certificate_after.key
Online docs for SSL certificate with SAN
I tested many methods found on the Internet, most of them don’t work. Finally, I followed the doc maintained by Citrix. This should be a trusted one as Netscaler is a key product in Citrix, the doc is always updated with the latest version of OpenSSL.With time going by, the procedure might change, if below procedure doesn’t work, please go to check the Citrix online doc directly.
Prepare the OpenSSL config file
Prepare an OpenSSL config file. On Ubuntu 1804, an OpenSSL config example can be found at: /usr/lib/ssl/openssl.cnf
.Or You can find the path from the command: openssl version -a | grep OPENSSLDIR
. You might need to change the config according to your actual environment.
Be careful with the usage of the wildcard
in [alt_names], the above OpenSSL config is just an example to show what are the DNS names can be added to SAN.
Generate the SAN SSL certificate content
Create Rsa Key Gitlab
Pay attention to -extensions v3_req
in the end of the command, it’s the extension tag name in the gitlab.copdips.local.cnf
file. If you dont specify it, the output certificate won’t have the extension part, so no SAN neither.
DO NOT use password protected certificate key (in case the lack of the switch -nodes for no DES), to remove the password from the key:openssl rsa -in certificate_before.key -out certificate_after.key
Review the SAN SSL certificate
The default Signature Algorithm
has been already SHA256
. Some online docs tell to add the switch -sha256 when using openssl req, but it’s deprecated with the new version of OpenSSL. BTW, the RSA private key default bits
is 2048
. My OpenSSL version on Ubuntu 1804 is OpenSSL 1.1.0g 2 Nov 2017
Create the folder /etc/gitlab/ssl
with following two commands, and copy the SSL certificate and key here with the name of [fqdn].crt
and [fqnd].key
.
/srv/gitlab1083/ssl/
is the physical gitlab location on my Ubuntu server which is pointed to /etc/gitlab/ssl
its docker container.
Hereunder the content of uncommented lines in the Gitlab configuration file:
When you changed the configuration file, to take effect:
By openssl for both Linux and Windows
For Linux :
For Windows with OpenSSL installed:
Generate Ssh Keys For Gitlab
My OpenSSL is installed with GIT on Windows. GitForWindows installs also many other powerful Linux commands (grep, ssh, tail, and also vim, etc.) ported to Windows.
By certuil for Windows only
You should explicitly download the certificate at first, and then view the content locally, so this method is not cool.Hope Powershell team can get this done by one single cmdlet in the future Powershell releases.
Or a nice cmdlet Test-WebServerSSL
written by the MVP Vadims Podāns.
Here is the official doc.
When you changed the SSL certificate, gitlab-ctl reconfigure
won’t take it into effect as there’s nothing changed in the gitlab.rb configuration file. Use following command to update the certificate:
Generate Rsa Key For Gitlab Windows 10
This version of GitHub Enterprise will be discontinued on This version of GitHub Enterprise was discontinued on 2020-01-22. No patch releases will be made, even for critical security issues. For better performance, improved security, and new features, upgrade to the latest version of GitHub Enterprise.For help with the upgrade, contact GitHub Enterprise support.
After you've checked for existing SSH keys, you can generate a new SSH key to use for authentication, then add it to the ssh-agent.
In this article
If you don't already have an SSH key, you must generate a new SSH key. If you're unsure whether you already have an SSH key, check for existing keys.
If you don't want to reenter your passphrase every time you use your SSH key, you can add your key to the SSH agent, which manages your SSH keys and remembers your passphrase.
Generating a new SSH key
Open TerminalTerminalGit Bash.
Paste the text below, substituting in your GitHub Enterprise email address.
This creates a new ssh key, using the provided email as a label.
When you're prompted to 'Enter a file in which to save the key,' press Enter. This accepts the default file location.
At the prompt, type a secure passphrase. For more information, see 'Working with SSH key passphrases'.
Adding your SSH key to the ssh-agent
Before adding a new SSH key to the ssh-agent to manage your keys, you should have checked for existing SSH keys and generated a new SSH key. When adding your SSH key to the agent, use the default macOS ssh-add
command, and not an application installed by macports, homebrew, or some other external source.
Start the ssh-agent in the background.
If you're using macOS Sierra 10.12.2 or later, you will need to modify your
~/.ssh/config
file to automatically load keys into the ssh-agent and store passphrases in your keychain.Add your SSH private key to the ssh-agent and store your passphrase in the keychain. If you created your key with a different name, or if you are adding an existing key that has a different name, replace id_rsa in the command with the name of your private key file.
Note: The
-K
option is Apple's standard version ofssh-add
, which stores the passphrase in your keychain for you when you add an ssh key to the ssh-agent.If you don't have Apple's standard version installed, you may receive an error. For more information on resolving this error, see 'Error: ssh-add: illegal option -- K.'
Add the SSH key to your GitHub account.
If you have GitHub Desktop installed, you can use it to clone repositories and not deal with SSH keys. It also comes with the Git Bash tool, which is the preferred way of running git
commands on Windows.
Ensure the ssh-agent is running:
- If you are using the Git Shell that's installed with GitHub Desktop, the ssh-agent should be running.
If you are using another terminal prompt, such as Git for Windows, you can use the 'Auto-launching the ssh-agent' instructions in 'Working with SSH key passphrases', or start it manually:
Add your SSH private key to the ssh-agent. If you created your key with a different name, or if you are adding an existing key that has a different name, replace id_rsa in the command with the name of your private key file.
Add the SSH key to your GitHub account.
Start the ssh-agent in the background.
Add your SSH private key to the ssh-agent. If you created your key with a different name, or if you are adding an existing key that has a different name, replace id_rsa in the command with the name of your private key file.
Add the SSH key to your GitHub account.
Further reading
- 'About SSH'
- 'Working with SSH key passphrases'