Obtain a Custom SSL Certificate and Private Key Using OpenSSL Toolkit
This procedure is a simplified description of how to obtain a custom SSL certificate using the OpenSSL toolkit. Whether you need a temporary self-signed certificate or a certificate authority-signed certificate should be determined by your site administrator or security officer. If you do need to obtain a custom SSL certificate (temporary self-signed or certificate authority-signed), you can follow the example OpenSSL command-line instructions below.
Note - Oracle ILOM does not require you to use OpenSSL to generate SSL certificates. OpenSSL is used in this procedure for demonstration purposes only. Other tools are available for generating SSL certificates.
Note - If further OpenSSL instructions are required to generate the SSL certificate, you should consult the user documentation provided with the OpenSSL toolkit.
- Create a network share or local directory to store the certificate and private key.
- To generate a new RSA private key using the OpenSSL toolkit, type:
openssl genrsa -out <foo>.key 2048
Where <foo> equals the name of the private key.
Note - This private key is a 2048-bit RSA key, which is stored in PEM format so that it is readable as ASCII text.
- To generate a certificate signing request (CSR) using the OpenSSL toolkit, type:
openssl req -new -key <foo>.key -out <foo>.csr
Where <foo> equals the name of the certificate signing request.
Note - During the generation of the CSR, you will be prompted for several pieces of information.
A <foo>.csr file should now appear in your current working directory.
- To generate an SSL certificate, perform one of the following:
  - Generate a temporary self-signed certificate (good for 365 days).
  The self-signed SSL certificate is generated from the server.key private key and server.csr files.
  Using the OpenSSL toolkit, type:
  openssl x509 -req -days 365 -in <foo>.csr -signkey <foo>.key -out <foo>.cert
  Where <foo> equals the name assigned to the private key (.key) or certificate (.cert).
  Note - This temporary certificate will generate an error in the client browser to the effect that the signing certificate authority is unknown and not trusted. If this error is unacceptable, you should request that a certificate authority issue you a signed certificate.
  - Obtain an officially signed certificate from a certificate authority provider.
  Submit your certificate signing request (<foo>.csr) to an SSL certificate authority provider. Most certificate authority providers require you to cut and paste the CSR output in a web application screen. It can typically take up to seven business days to receive your signed certificate.
- Upload the new SSL certificate and private key to Oracle ILOM.
See the following instructions, Upload a Custom SSL Certificate and Private Key to Oracle ILOM.
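
The key, CSR and self-signed certificate steps above as one non-interactive script, with a check that the certificate and private key belong together before you upload them. This is an added example, not part of the Oracle documentation: the function names, the file name and the -subj values are constructed placeholders, and -subj is used here in place of the interactive CSR prompts.

```shell
#!/bin/sh
# Added example (not Oracle's script). Function names, file names and the
# subject fields below are constructed placeholders.

# make_self_signed NAME DIR
# Creates DIR/NAME.key, DIR/NAME.csr and DIR/NAME.cert with the same three
# openssl commands used in the procedure. The body runs in a subshell so the
# restrictive umask does not leak into the calling shell.
make_self_signed() (
    name=$1
    dir=$2
    umask 077    # private key and other outputs readable by the owner only

    # 2048-bit RSA private key in PEM format
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null || exit 1

    # CSR; -subj supplies the fields the interactive prompt would ask for
    openssl req -new -key "$dir/$name.key" -out "$dir/$name.csr" \
        -subj "/C=US/O=Example Org/CN=ilom.example.com" || exit 1

    # Temporary self-signed certificate, valid for 365 days
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
        -signkey "$dir/$name.key" -out "$dir/$name.cert" 2>/dev/null || exit 1
)

# key_matches_cert KEYFILE CERTFILE
# Succeeds only when the certificate carries the public half of the private
# key. A mismatched pair (for example a CA reply paired with the wrong .key)
# is caught here instead of after the upload.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256)
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null | openssl dgst -sha256)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# cert_not_expired CERTFILE
# Succeeds when the certificate is still inside its validity period.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Usage, from the directory created in the first step:
#   make_self_signed ilom-example . &&
#   key_matches_cert ilom-example.key ilom-example.cert &&
#   cert_not_expired ilom-example.cert && echo "pair is consistent"
```

The same key_matches_cert check applies unchanged to a certificate returned by a certificate authority.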