Go to main content

Creating Package Repositories in Oracle® Solaris 11.4

Exit Print View

Updated: May 2020

Creating Client Certificates Used for Accessing the Repository

After you have generated the CA, you can generate client certificates.

Generating a Certificate Signing Request

To generate a client certificate, generate a Certificate Signing Request (CSR). The CSR contains all of the information that you need to pass securely to the server.

If you only want to check whether the client possesses a valid certificate issued by you, you do not need to encode any information. When the client presents its certificate to the server, the server validates the certificate against the CA, verifying whether that client certificate was generated by you. However, SSL requires a subject for the CSR. If you do not need to pass any other information to the server, you can just set the subject to the country where the certificate has been issued. For example, you could set the subject to C=US.

A good practice is to encode the user name of the client into the certificate to enable the server to identify the client. The user name is the name of the user to whom you are giving access to the repository. You can use the CN for this purpose. Specify a label for this CSR so that you can find and extract the key for the final certificate as described in Extracting the Certificate Key.

Use the following command to generate the CSR:

$ pktool gencsr subject="C=US,CN=username" label=label format=pem \

Use the following OpenSSL command to inspect the CSR in the file cert.csr:

$ openssl req -text -in cert.csr

Signing the CSR

The CSR must be signed by the CA to create a certificate. To sign the CSR, provide the following information:

  • Set the issuer of the certificate to the same string that you used for the subject when you created the CA using the gencert command, as shown in Creating a Certificate Authority for Client Certificates.

  • Set a hexadecimal serial number. In this example, the CA serial number was specified as 0x01, so the first client certificate should be given the serial number 0x02. Increment the serial number for each new client certificate that you generate.

    Each CA and its descendant client certificates has its own set of serial numbers. If you have multiple CAs configured in your keystore, be careful to set client certificate serial numbers correctly.

  • Set the signkey to the label of the CA in the keystore.

  • Set outcert to the name of the certificate file. A good practice is to name the certificate and key after the repository to be accessed.

Use the following command to sign the CSR:

$ pktool signcsr signkey=CAlabel csr=cert.csr  \
serial=0x02 outcert=reponame.crt.pem issuer="CN=name"

The certificate is created in the file reponame.crt.pem. Use the following OpenSSL command to inspect the certificate:

$ openssl x509 -text -in reponame.crt.pem

Extracting the Certificate Key

Extract the key for this certificate from the keystore. Set the label to the same label value you specified when you ran gencsr to generate the CSR in Generating a Certificate Signing Request. Use the following command to export the key from the keystore:

$ pktool export objtype=key label=label outformat=pem \

Transfer the certificate and key to the clients that need to access the SSL-protected repository.

Enabling Systems to Access the Protected Repository

To access the SSL-protected repository, clients must have a copy of the certificate and key and must specify the certificate and key in the publisher configuration.

Copy the certificate (reponame.crt.pem) and key (reponame.key.pem) to each client. For example, you could copy them to the /var/pkg/ssl directory on each client.

Use the following command to specify the generated certificate and key in your publisher configuration:

$ pkg set-publisher -k reponame.key.pem -c reponame.crt.pem \
-p https://repo-location

Note that SSL authentication is only supported for HTTPS repository URIs. SSL authentication is not supported for file repository URIs.