My Learning Path:

My journey to becoming Terraform Certified started with enrolling in the Udemy course "Terraform - Beginner to Advanced" by Zeal Vora. This comprehensive course provided me with a solid foundation in Terraform, covering everything from the basics to advanced topics like modules, workspaces, and state management. Zeal's clear explanations and hands-on examples were instrumental in my learning journey.

Key Topics Covered:

1. Introduction to Terraform and Infrastructure as Code (IaC)

2. Setting up Terraform Environment

3. Terraform Configuration Language (HCL)

4. Managing Resources with Terraform

5. Modules and Reusability

6. Workspaces and State Management

7. Best Practices and Advanced Topics

Hands-on Practice:

To reinforce my understanding and gain practical experience, I extensively worked on projects using Terraform. One invaluable resource that I leveraged was the Ministry of Justice's Modernisation Platform repository on GitHub. This repository contains real-world Terraform configurations used by the Ministry of Justice, providing hands-on experience with complex infrastructure setups and best practices.

Preparation for the Exam:

After completing the Udemy course and gaining hands-on experience, I felt confident to tackle the Terraform Certified Associate exam. However, I also invested time in reviewing the official Terraform documentation, especially the tutorials and Configuration Language documentation. Additionally, I practiced with sample exam questions and scenarios to familiarize myself with the exam format and content.

Exam Day:

On the eve of the exam, ensuring I had a good night's sleep was a priority. Waking up refreshed and with a clear mind, I approached the exam day with confidence. The exam itself was structured around multiple-choice questions, thoroughly probing a range of Terraform concepts, commands, and best practices

Conclusion:

Becoming Terraform Certified Associate has been a rewarding journey, and I'm grateful for the resources and support that helped me along the way. If you're aspiring to become Terraform Certified, I highly recommend Zeal Vora's Udemy course and hands-on practice with real-world projects like the Ministry of Justice's Modernisation Platform repository.

WHY?

Let’s begin with acronyms-

TLS — Transport Layer Security

SSL — Secure Socket Layer

When sending and receiving traffic through Internet (which basically is group of computers connected together) , any computer on the path could read what you are sending to the destination or receiving from it.

So, security experts developed an encryption protocol to send and receive sensitive data on the internet. That how SSL is born. It was developed at Netscape in 1990's.

Later on, SSL 3.1 version was later developed into TLS(Transport Layer Security) 1.0 with the name changed to indicate that it no longer associated to netscape. Because of this SSL and TLS terms are interchangeably used.

WHAT?

Q. What is a TLS certificate?

A TLS certificate is certificate is issued by the Certificate Authority(CA) to the person or business who owns a domain.

Q. What is a Certificate Authority?

Certificate Authority is a trusted entity responsible for issuing digital Certificates. Digital Certificates are used to verify the identity of individuals, servers, and other entities on internet.

There are several CAs like DigiCert, Lets Encrypt, GoDaddy, Amazon Trust Services, GlobalSign.

Q. How can anyone create a Certificate Authority?

The approval process to become a Certificate Authority involves various steps and entities, and depends on the industry and the CA itself. The general view is that it need to comply with guidelines of :

• Browser and Operating System Vendors

• Certification Authorities/Browser Forum (CA/B Forum)

• WebTrust Audits

• Cross-Signing by Existing CAs

• Compliance with Industry Standards

To view a SSL certificate for a domain , Simply type the domain in the chrome browser, and click on the tune icon (replaces the lock icon) in the address bar.

You can see all the certificate details by the following these steps:
Connection is secure → Certificate is Valid.

The Certificate usually contains the following Sections:

Q. What are types of SSL certificates and how are they classified?

There are two types:
1. Self-Signed Certificates
2. Trusted CA signed certificates

and are in turn classified based on the validation performed by CA while issuing certificate and the number of domains they secure.

Certificate based on validation level:

Certificates based on number of domains they secure:

• To learn more: type-of-ssl

HOW?

Q. How to generate a Self Signed TLS/SSL Certificate?

Below are the steps required to create self signed certificate

• Private Key Generation

• Certificate Signing Request Generation

• Self Signed Certificate Generation

• Certificate Verfification

For this purpose, we use an OpenSSL an open source tool tool for TLS/SSL protocols. If you don't have OpenSSL in your system, install using your system package manager.

# To  check if pre installed
openssl -v
# To install on mac
brew install openssl
# To install on Debian/Ubuntu
sudo apt-get update
sudo apt-get install openssl

1. Once you have OpenSSL installed, create a private key using the following command

openssl genpkey -algorithm RSA -out my_private_key.pem
# genpkey -> generate private key
# -algorithm -> algorithm to use for key generation. you can use stronger algorithms like Elliptic Curve Cryptography or others
# -out -> specifies the output file

1. Use the following command to generate a Certificate Signing Request(CSR)

openssl req -new -key my_private_key.pem -out my_new_csr.pem
# req -> specifies operation is related certificate requests(CSR)
# new -> indicates new csr being created
# key -> specifies your private key
# out -> specifies ouput file that contains the CSR

Once you run the command, you will be asked to fill the some details. I am attaching a sample screen shot of the values i entered when i ran the above command

1. Use the following command to generate Self Signed Certificate

openssl x509 -req -in my_new_csr.pem -signkey my_private_key.pem -out my_cert.pem

# x509 -> specifies that you are working with X.509 certificates, which are the standard format for public key certificates.
# -req -> indicates that you are working with a certificate signing request (CSR). The CSR is a request sent to a Certificate Authority (CA) to obtain a digital certificate.
# -in -> specifies input file for the command, which is your CSR containing all the entity values
# -signkey -> specifies the private key to sign the certificate
# -out -> specifies the output file which contains the certificate

1. Use the following command to verify the certificate

openssl x509 -text -noout -in my_cert.pem
# -text -> outputs the certificate in human readable format
# -noout -> tells openssl not to output encoded data
# -in -> input file for open ssl

Q. How to generate trusted CA signed certificates?

There are several sites that provide SSL Certificates such as DigiCert, GoDaddy, Sectigo, SSL.com. I am going to use Lets Encrypt which provides free SSL certificates. The steps are:

• Ensure You Have a Domain:

  • You need a registered domain for which you want to obtain an SSL certificate. Ensure that your domain is correctly configured and pointing to the server where your website is hosted.

• Access Your Server:

  • You need SSH access to your server. Log in using your preferred SSH client.

• Install Certbot:

  • Certbot is the recommended client for obtaining Let's Encrypt certificates.

    • For Ubuntu/Debian:

        sudo apt-get update
        sudo apt-get install certbot
      

• Obtain a Wildcard Certificate:

  • To obtain a wildcard certificate, you'll need to use the DNS-01 challenge method, which involves proving that you control the DNS records for your domain. Here is an example command:

      sudo certbot certonly --manual --preferred-challenges=dns -d *.yourdomain.com
    

    Replace yourdomain.com with your actual domain.

  • Certbot will provide instructions on how to create a DNS TXT record for your domain. Follow these instructions carefully. You will need to add the TXT record to your DNS configuration.

  • Verify DNS Configuration:

    • After adding the TXT record, wait for DNS propagation, and then press Enter to allow Certbot to verify the DNS configuration. Certbot will check if the TXT record is present before issuing the wildcard certificate.

  • Certificates and Key Locations:

    • Once the verification is successful, Certbot will generate the wildcard certificate and private key. The certificate files will be located in a directory like /etc/letsencrypt/live/yourdomain.com/. Note the paths to the cert.pem, privkey.pem, and fullchain.pem files.

  • Configure Your Web Server:

    • Update your web server configuration to use the newly obtained wildcard certificate. You may need to adjust the SSL configuration in your server settings.

  • Automate Renewal (Optional but Recommended):

    • Similar to a regular certificate, it's essential to set up automatic renewal for your wildcard certificate. Certbot typically configures this during installation, but you can verify it with the sudo certbot renew --dry-run command.

Credits: I am grateful for the knowledge gained from both aboutssl.org and ChatGPT. This blog is a testament to the collaborative learning environment fostered by these resources.