18 Import HTTPS/SSL Certificate into VNFM

Note:

Diameter must be configured for running the traffic.

18.1 Recombine Existing PEM Keys and Certificates into VNFM

If you have an existing private key and certificates for your server's domain in PEM format, combine them into a PKCS#12 keystore, then convert the PKCS#12 keystore into a Java keystore.

Execute the following command:

cat <midfile.1.cert.pem> <midfile.2.cert.pem> > intermediate.cert.pem

Where <midfile.1.cert.pem> and <midfile.2.cert.pem> are the names of intermediate certificate files.

Note:

If you have multiple intermediate certificates, combine them in any order.

  • openssl pkcs12 -export -in <dsrVnfm.pem> -inkey <dsrVnfm.key> -certfile <intermediate.cert.pem> -passin pass:<existingpassword> -passout pass:<yourpassword> -out vnfm_default.p12 -name "<yourDomainName>"

    For example:

    openssl pkcs12 -export -in dsrVnfm.pem -inkey dsrVnfm.key -certfile intermediate.cert.pem -passin pass:xxxx -passout pass:xxxx -out vnfm_default.p12 -name dsrvnfm

  • keytool -importkeystore -srckeystore vnfm_default.p12 -srcstorepass xxxx -srcstoretype PKCS12 -destkeystore vnfm_default.jks -deststorepass xxxx -alias dsrVnfm

    For example:

    keytool -importkeystore -srckeystore vnfm_default.p12 -srcstorepass xxxx -srcstoretype PKCS12 -destkeystore vnfm_default.jks -deststorepass xxxx -alias dsrVnfm

Note:

keytool is the Java key and certificate management utility shipped with Java. It is located in jre/bin/keytool.

Where:
  • <dsrVnfm.pem>: The existing signed certificate file that matches your existing private key.
  • <dsrVnfm.key>: The existing private key file.
  • <intermediate.cert.pem>: The existing intermediate certificates that complete the chain from your certificate to a root CA.
  • <yourDomainName>: The complete domain name of your server.
  • <existingpassword>: The password that allows access to the existing key file.
  • <yourpassword>: The password that allows access to your new keystore. Provide at least six characters.
  • The destkeystore file name must be the same as mentioned in the command (vnfm_default.jks).
  • srcstorepass is the password given in the first command (-passout pass:xxxx) and must be the same as mentioned in that command (xxxx).
  • deststorepass is the password used to open the keystore file (vnfm_default.jks) and must also be the same as mentioned in the command (xxxx), because Apache Tomcat uses the same file name and password to access the SSL certificate.

18.2 Copy Created Certificate (vnfm_default.jks) into VNFM

When the VNFM box is installed, VNFM creates a self-signed certificate and places it at /var/vnfm/certificate/vnfm_default.jks by default. This certificate is valid for 365 days.

The client must copy the created keystore, keeping the name vnfm_default.jks, into the /var/vnfm/certificate/ directory, overwriting the existing vnfm_default.jks.

Note:

After changing the certificate, the client must restart the Apache Tomcat server for VNFM to use the updated certificate. To restart Apache Tomcat, see Reboot Tomcat.

18.3 VNFM Self Signed Certificate Generation

  1. Create a vnfmCert.conf configuration file as shown in the example below (provide your own details in the respective fields):
    [ req ]
    default_bits = 2048
    default_md = sha256
    distinguished_name = req_distinguished_name
    req_extensions = req_ext
    [ req_distinguished_name ]
    countryName = Country Name (2-letter code)
    stateOrProvinceName = State or Province Name (full name)
    localityName = Locality (e.g. city name)
    organizationName = Organization (e.g. company name)
    commonName = Common Name (your.domain.com)
    [ req_ext ]
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = *.localhost
    DNS.2 = *.oracle.com
    DNS.3 = *.oraclecorp.com
    # IP addresses belong in IP.n entries, not DNS.n; clients match them as IP SANs
    IP.1 = 127.0.0.1

  2. Generate a key pair and a signing request by executing:

    openssl req -new -keyout dsrVnfm.key -out dsrVnfm.csr -newkey rsa:2048 -config vnfmCert.conf

    It prompts for a passphrase to protect the private key file.

    Note:

    To skip the passphrase on the private key, add the -nodes ("no DES encryption") parameter to the command.

    Check that the CSR contains the SAN by executing:

    openssl req -noout -text -in dsrVnfm.csr | grep DNS

  3. Generate a self-signed certificate:

    To generate a temporary certificate valid for 365 days, execute:

    openssl x509 -req -days 365 -in dsrVnfm.csr -signkey dsrVnfm.key -sha256 -out dsrVnfm.crt -extfile vnfmCert.conf -extensions req_ext

    Enter pass phrase for dsrVnfm.key: <type pass phrase of private key>

    Check that the signed certificate contains the SAN (x509 -req keeps it only because -extfile and -extensions are given) by executing:

    openssl x509 -noout -text -in dsrVnfm.crt | grep DNS

  4. Convert the CRT to PEM format:

    Use the openssl tool to convert the CRT to a PEM-format file for the next step:

    openssl x509 -in dsrVnfm.crt -out dsrVnfm.pem -outform PEM

  5. To convert the PEM-format keys to Java KeyStores:

    openssl pkcs12 -export -in dsrVnfm.pem -inkey dsrVnfm.key -passin pass:4srVN6M -passout pass:4srVN6M -out vnfm_default.p12 -name dsrvnfm

  6. Convert the vnfm_default.p12 to a Java keystore vnfm_default.jks, by executing:

    keytool -importkeystore -srckeystore vnfm_default.p12 -srcstorepass 4srVN6M -srcstoretype PKCS12 -destkeystore vnfm_default.jks -deststorepass 4srVN6M -alias dsrVnfm

    Note:

    After importing the certificate into the Java keystore, it is good practice to verify that the certificate information is correct. keytool is part of the Java JDK and is located in jdk/bin.

    keytool -list -v -keystore [enter keystore name] -storepass [enter keystore password]

    To delete existing alias from the keystore file, execute (optional):

    keytool -delete -alias <aliasname> -keystore vnfm_default.jks

    Note:

    The vnfm_default.jks file is the SSL keystore that the VNFM HTTPS service uses to establish the SSL connection.

    While importing the certificate into the Java keystore, provide -alias dsrVnfm. If prompted to overwrite, type YES.

    Use the password "xxxx".

    Note:

    Certificate file name (vnfm_default.jks) and alias name (dsrVnfm) must be the same as mentioned above.
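The following script is an added example, not part of this guide or of VNFM: it runs the key, CSR, self-signing and PKCS#12 steps of sections 18.1 and 18.3 in a scratch directory and counts the SAN entries that survive self-signing with and without -extfile/-extensions, which is the check step 3 relies on. It assumes openssl is on PATH; the host name vnfm.example.test, the IP address and the password changeit are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Oracle VNFM guide: runs the section 18.3 flow in a
# scratch directory and counts the SAN entries that survive self-signing with and
# without "-extfile vnfmCert.conf -extensions req_ext". Assumes openssl on PATH;
# host name, IP address and password are constructed for the example.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
PASS=changeit
cat > "$WORK/vnfmCert.conf" <<'EOF'
[ req ]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
CN = vnfm.example.test
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = vnfm.example.test
IP.1 = 127.0.0.1
EOF
# DNS/IP SAN entries in a certificate; 0 when the extension is missing.
san_count() {
  openssl x509 -noout -text -in "$1" | grep -o -E 'DNS:|IP Address:' | wc -l | tr -d ' '
}
# Step 2: key pair plus CSR; the CSR carries the SAN from req_ext.
openssl req -new -nodes -newkey rsa:2048 -keyout "$WORK/dsrVnfm.key" \
  -out "$WORK/dsrVnfm.csr" -config "$WORK/vnfmCert.conf" 2>/dev/null
# Signing without -extfile: x509 -req ignores CSR extensions by default.
sign_without_ext() {
  openssl x509 -req -days 365 -sha256 -in "$WORK/dsrVnfm.csr" \
    -signkey "$WORK/dsrVnfm.key" -out "$WORK/noext.crt" 2>/dev/null
  san_count "$WORK/noext.crt"
}
# Step 3 as the guide writes it: req_ext is re-applied from the config file.
sign_with_ext() {
  openssl x509 -req -days 365 -sha256 -in "$WORK/dsrVnfm.csr" \
    -signkey "$WORK/dsrVnfm.key" -out "$WORK/dsrVnfm.crt" \
    -extfile "$WORK/vnfmCert.conf" -extensions req_ext 2>/dev/null
  san_count "$WORK/dsrVnfm.crt"
}
# Step 5: PKCS#12 bundle; prints 1 when the friendly name dsrVnfm is in it.
build_p12() {
  openssl pkcs12 -export -in "$WORK/dsrVnfm.crt" -inkey "$WORK/dsrVnfm.key" \
    -passout "pass:$PASS" -out "$WORK/vnfm_default.p12" -name dsrVnfm
  openssl pkcs12 -in "$WORK/vnfm_default.p12" -passin "pass:$PASS" -nokeys \
    2>/dev/null | grep -c 'friendlyName: dsrVnfm'
}
echo "SAN without -extfile: $(sign_without_ext), with -extfile: $(sign_with_ext)"
echo "alias dsrVnfm present in p12: $(build_p12)"
```

The certificate signed without -extfile has no SAN at all, which is why a browser or Tomcat client rejects it even though the CSR looked correct; the keytool import from step 6 can then be run on the resulting vnfm_default.p12 unchanged.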