18 Import HTTPS/SSL Certificate into VNFM
Note:
Diameter must be configured for running the traffic.
18.1 Recombine Existing PEM Keys and Certificates into VNFM
If you have an existing private key and certificates for your server's domain in PEM format, combine them into a PKCS keystore, then convert the PKCS keystore into a Java keystore.
Execute the following command:
cat <midfile.1.cert.pem> <midfile.2.cert.pem> > intermediates.cert.pem
Where <midfile.1.cert.pem> and <midfile.2.cert.pem> are the names of the intermediate certificate files.
Note:
If you have multiple intermediate certificates, combine them in any order.
openssl pkcs12 -export -in <dsrVnfm.pem> -inkey <dsrVnfm.key> -certfile <intermediate.cert.pem> -passin pass:<existingpassword> -passout pass:xxxx -out vnfm_default.p12 -name "<yourDomainName>"
For example:
openssl pkcs12 -export -in dsrVnfm.pem -inkey dsrVnfm.key -passin pass:xxxx -passout pass:xxxx -out vnfm_default.p12 -name dsrvnfm
keytool -importkeystore -srckeystore vnfm_default.p12 -srcstorepass xxxx -srcstoretype PKCS12 -destkeystore vnfm_default.jks -deststorepass xxxx -alias dsrVnfm
Note:
keytool is the Java key and certificate management utility provided by Java. It exists in jre/bin/keytool.
<dsrVnfm.pem>: The existing signed certificate file that matches your existing private key.
<dsrVnfm.key>: The existing private key file.
<intermediate.cert.pem>: The existing intermediate certificates that complete the chain from your certificate to a root CA.
<yourDomainName>: The complete domain name of your server.
<existingpassword>: The password that allows access to the existing key file.
<yourpassword>: The password that allows access to your new keystore. Provide at least six characters.
destkeystore: The file name must be the same as mentioned in the command (vnfm_default.jks).
srcstorepass: The password given in the first command (-passout pass:xxxx); it must also be the same as mentioned in the command (xxxx).
deststorepass: The password used to open the certificate file (vnfm_default.jks); it must also be the same as mentioned in the command (xxxx), because the same file name and password are used by Apache Tomcat to access the SSL certificate.
18.2 Copy Created Certificate (vnfm_default.jks) into VNFM
When the VNFM box is installed, a self-signed certificate is created by VNFM and placed at /var/vnfm/certificate/vnfm_default.jks by default. This certificate is valid for 365 days.
The client must copy the created certificate, with the same name vnfm_default.jks, into the /var/vnfm/certificate/ directory, overriding the existing vnfm_default.jks certificate.
Note:
After making the certificate changes, the client must restart the Apache Tomcat server for the updated certificate to take effect in VNFM. To restart the Apache Tomcat server, see Reboot Tomcat.
18.3 VNFM Self Signed Certificate Generation
- Create a vnfmCert.conf configuration file as shown in the example below (provide your own details in the respective fields):
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = Country Name (2-letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality (e.g. city name)
organizationName = Organization (e.g. company name)
commonName = Common Name (your.domain.com)
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.localhost
# An IP address listed as a DNS entry is encoded as a host name; clients that match on IP expect an IP.n entry (IP.1 = 127.0.0.1).
DNS.2 = 127.0.0.1
DNS.3 = *.oracle.com
DNS.4 = *.oraclecorp.com
- Generate a key pair and a signing request by executing:
openssl req -new -keyout dsrVnfm.key -out dsrVnfm.csr -newkey rsa:2048 -config vnfmCert.conf
It prompts for a password to protect the private key file.
Note:
To skip the passphrase on the private key, add the -nodes (read: "No DES encryption") parameter to the command.
Check that the CSR contains the SAN by executing:
openssl req -noout -text -in dsrVnfm.csr | grep DNS
- Generating a self-signed certificate:
To generate a temporary certificate, which is valid for 365 days, execute:
openssl x509 -req -days 365 -in dsrVnfm.csr -signkey dsrVnfm.key -sha256 -out dsrVnfm.crt -extfile vnfmCert.conf -extensions req_ext
Enter pass phrase for dsrVnfm.key: <type pass phrase of private key>
Check that the issued certificate contains the SAN by executing:
openssl x509 -noout -text -in dsrVnfm.crt | grep DNS
- Convert the CRT to PEM format:
Use the openssl tool to convert the CRT to a PEM format that is readable by the reporter:
openssl x509 -in dsrVnfm.crt -out dsrVnfm.pem -outform PEM
- To convert the PEM-format keys to Java KeyStores:
openssl pkcs12 -export -in dsrVnfm.pem -inkey dsrVnfm.key -passin pass:4srVN6M -passout pass:4srVN6M -out vnfm_default.p12 -name dsrvnfm
- Convert the vnfm_default.p12 to a Java keystore vnfm_default.jks, by executing:
keytool -importkeystore -srckeystore vnfm_default.p12 -srcstorepass 4srVN6M -srcstoretype PKCS12 -destkeystore vnfm_default.jks -deststorepass 4srVN6M -alias dsrVnfm
Note:
After importing the certificate into the Java keystore, it is good practice to check that the certificate information is correct. keytool is the Java JDK tool, which exists in jdk/bin.
keytool -list -v -keystore [enter keystore name] -storepass [enter keystore password]
To delete an existing alias from the keystore file, execute (optional):
keytool -delete -alias <aliasname> -keystore vnfm_default.jks
Note:
The vnfm_default.jks is the SSL certificate file used by VNFM HTTPS to establish the SSL connection. While importing the certificate into the Java keystore, provide -alias dsrVnfm. If it prompts to override, type YES. Use the password "xxxx".
Note:
The certificate file name (vnfm_default.jks) and alias name (dsrVnfm) must be the same as mentioned above.
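An end-to-end run of the self-signed procedure in 18.3 together with the keystore checks from the Notes above, as an added shell script that is not part of the VNFM guide. It assumes openssl is on the PATH, uses constructed domain names (vnfm.example.test) and a placeholder password, and treats the keytool conversion as optional so it also runs where no JDK is installed.

```shell
# Added example, not from the VNFM guide: run the self-signed procedure end to end
# and verify the result. Domain names and the password are constructed placeholders.
set -eu
WORK="${WORK:-$(mktemp -d)}"
PASS="placeholder-pass"

# Same layout as vnfmCert.conf above; prompt = no fills the DN from the file.
write_conf() {
  cat > "$WORK/vnfmCert.conf" <<'EOF'
[ req ]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
CN = vnfm.example.test
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = vnfm.example.test
DNS.2 = *.example.test
IP.1 = 127.0.0.1
EOF
}
# Key + CSR (-nodes: no passphrase), self-signed cert carrying req_ext, then PKCS12.
build_cert() {
  write_conf
  openssl req -new -nodes -newkey rsa:2048 -keyout "$WORK/dsrVnfm.key" \
    -out "$WORK/dsrVnfm.csr" -config "$WORK/vnfmCert.conf" 2>/dev/null
  openssl x509 -req -days 365 -sha256 -in "$WORK/dsrVnfm.csr" -signkey "$WORK/dsrVnfm.key" \
    -extfile "$WORK/vnfmCert.conf" -extensions req_ext -out "$WORK/dsrVnfm.pem" 2>/dev/null
  openssl pkcs12 -export -in "$WORK/dsrVnfm.pem" -inkey "$WORK/dsrVnfm.key" \
    -passout "pass:$PASS" -name dsrVnfm -out "$WORK/vnfm_default.p12"
}
# True when the issued certificate (not just the CSR) carries the given SAN name.
cert_has_san() {
  openssl x509 -noout -text -in "$WORK/dsrVnfm.pem" | grep -qF "DNS:$1"
}
# True when the PKCS12 opens with the password and its bag carries the dsrVnfm alias.
p12_alias_ok() {
  openssl pkcs12 -in "$WORK/vnfm_default.p12" -passin "pass:$PASS" -nokeys 2>/dev/null | grep -q "friendlyName: dsrVnfm"
}
# JKS conversion as in the guide; skipped (returns 0) where no JDK keytool is installed.
make_jks() {
  command -v keytool >/dev/null 2>&1 || return 0
  keytool -importkeystore -srckeystore "$WORK/vnfm_default.p12" -srcstorepass "$PASS" -srcstoretype PKCS12 \
    -destkeystore "$WORK/vnfm_default.jks" -deststorepass "$PASS" -alias dsrVnfm -noprompt >/dev/null 2>&1
  keytool -list -keystore "$WORK/vnfm_default.jks" -storepass "$PASS" -alias dsrVnfm >/dev/null 2>&1
}
```

The alias and password checked here are the values Tomcat later needs to open vnfm_default.jks, so a failure in p12_alias_ok or make_jks is caught before the file is copied to /var/vnfm/certificate/.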