5.6 Generating Self-Signed Certificate For IDIH

Perform the following procedure to generate self-signed certificates for IDIH:

  1. Create an OpenSSL configuration file (ssl.conf) with the following content:
    
    [ req ]
    default_bits       = 4096
    distinguished_name = req_distinguished_name
    req_extensions     = req_ext
     
    [ req_distinguished_name ]
    countryName                 = Country Name (2 letter code)
    countryName_default         = IN
    stateOrProvinceName         = State or Province Name (full name)
    stateOrProvinceName_default = KN
    localityName                = Locality Name (eg, city)
    localityName_default        = BLR
    organizationName            = Organization Name (eg, company)
    organizationName_default    = ORACLE
    commonName                  = Common Name (e.g. server FQDN or YOUR name)
    commonName_max              = 64
    commonName_default          = localhost
     
    [ req_ext ]
    keyUsage = critical, digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth, clientAuth
    basicConstraints = critical, CA:FALSE
    subjectAltName = critical, @alt_names
     
    [ alt_names ]
    DNS.1=localhost
    DNS.2=*.tekelec.com
    DNS.3=cnidih-portal
    DNS.4=usermanagement
    DNS.5=nfconfig-manager
    DNS.6=protraceprocessor
    DNS.7=ttrdecoder
    DNS.8=alarmmanagement
    DNS.9=api-gateway
    DNS.10=idih.tekelec.com

    Key sections:
    • default_bits = 4096: Sets the RSA key size that openssl req would use if it generated the key itself. In this procedure the key is generated explicitly in step 4 with the same size, so the two values must agree.
    • req_extensions = req_ext: Applies the req_ext extensions when the CSR is created in step 5.
    • keyUsage: Restricts the key to digital signature and key encipherment.
    • extendedKeyUsage: Allows both server and client authentication, so the same certificate can serve as a TLS server certificate and as a client certificate for mutual TLS between IDIH components.
    • basicConstraints = CA:FALSE: Ensures this certificate cannot be used to issue further certificates.
    • subjectAltName (SAN): Lists the DNS names the certificate is valid for. Clients match the host name against the SAN entries, not the Common Name, so every name by which IDIH services are reached must appear here. A wildcard must be written as *.tekelec.com; a leading-dot form such as .tekelec.com is not a valid dNSName and will not match any host.
  2. Generate your own certificate authority: a CA private key and a self-signed CA certificate whose basicConstraints extension is CA:TRUE and whose keyUsage includes keyCertSign. The DNS names listed in <ssl.conf> belong to the server certificate issued in step 6; the CA certificate itself does not need them.
  3. Run the following command to verify <CA Certificate>. The output must show basicConstraints CA:TRUE and a keyUsage that includes Certificate Sign; a CA certificate without these cannot issue certificates that clients will trust:
    openssl x509 -noout -text -in <ca.crt>
  4. Run the following command to generate the server private key. This generates a 4096-bit RSA private key for the server; keep the file readable only by the account that runs IDIH, since anyone who reads it can impersonate the server:
    openssl genpkey -algorithm RSA -out <server.key> -pkeyopt rsa_keygen_bits:4096
  5. Run the following command to generate the server CSR (Certificate Signing Request). This creates a CSR containing the server's public key and identity information; the SAN (Subject Alternative Name) entries defined in <ssl.conf> are included in the CSR because req_extensions points at req_ext:
    openssl req -new -key <server.key> -out <server.csr> -config <ssl.conf>
  6. Run the following command to sign the server CSR with the CA certificate. This signs the CSR using the CA private key and applies the extensions from <ssl.conf>. The -extfile and -extensions options are required because openssl x509 -req does not carry extensions over from the CSR by default; without them the issued certificate would have no SAN. -CAcreateserial creates the serial-number file (ca.srl) next to the CA certificate on first use. The -days 365000 value (about 1000 years) follows the original procedure; for a production deployment choose a lifetime your rotation process can actually honour, because a leaked server key remains usable until the certificate expires and this procedure sets up no CRL or OCSP:
    openssl x509 -req -in <server.csr> -CA <ca.crt> -CAkey <ca.key> -CAcreateserial -out <server.crt> -days 365000 -sha256 -extensions req_ext -extfile <ssl.conf>
  7. Run the following command to create a PKCS12 server keystore. This creates serverKeyStore.p12 containing the server private key and server certificate. Note that pass:<password> is visible in the process list and shell history; on a shared host prefer -password file:<path> or -password env:<VAR>:
    openssl pkcs12 -export -inkey <server.key> -in <server.crt> -out serverKeyStore.p12 -password pass:<password>
  8. Run the following command to verify the server keystore. keytool prompts for the keystore password; the output should list one entry of type PrivateKeyEntry with the server certificate and its SAN extension:
    keytool -list -v -keystore serverKeyStore.p12 -storetype PKCS12
  9. Run the following command to create the truststore and import the CA certificate. This creates trustStore.p12 containing the CA certificate; applications use the truststore to validate certificates signed by this CA. Only the CA certificate goes into the truststore, never the CA private key:
    keytool -importcert -file <ca.crt> -alias idihcacert -keystore trustStore.p12 -storetype PKCS12 -storepass <password> -noprompt
  10. Run the following command to verify the truststore. The output should list one entry of type trustedCertEntry under the alias idihcacert:
    keytool -list -v -keystore trustStore.p12 -storetype PKCS12
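The following script is an added example that is not part of the IDIH documentation. It runs steps 1 through 9 end to end as shell functions and then performs the checks a practitioner should run on the result: the server certificate chains to the CA, the CA certificate really is a CA, the server certificate is not, and every DNS name from ssl.conf appears in the issued SAN. It fills in the CA configuration that step 2 leaves to the reader. The CA subject name, the 825-day server lifetime, the keystore alias idihserver, the password file p12.pass and the output file names are assumptions made for this example; it requires openssl 1.1.1 or later, and keytool only if present.

```shell
#!/bin/sh
# Added example, not from the IDIH documentation. Assumes openssl 1.1.1+ on
# PATH; keytool (JDK) is optional. CA subject, lifetimes, alias and file
# names are assumptions for this example.
set -eu

write_configs() {     # ssl.conf from the procedure (prompt=no) plus a CA config
    cat > "$1/ssl.conf" <<'EOF'
[ req ]
default_bits       = 4096
prompt             = no
distinguished_name = req_distinguished_name
req_extensions     = req_ext
[ req_distinguished_name ]
countryName = IN
stateOrProvinceName = KN
localityName = BLR
organizationName = ORACLE
commonName = localhost
[ req_ext ]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
basicConstraints = critical, CA:FALSE
subjectAltName = critical, @alt_names
[ alt_names ]
DNS.1 = localhost
DNS.2 = *.tekelec.com
DNS.3 = cnidih-portal
DNS.4 = usermanagement
DNS.5 = nfconfig-manager
DNS.6 = protraceprocessor
DNS.7 = ttrdecoder
DNS.8 = alarmmanagement
DNS.9 = api-gateway
DNS.10 = idih.tekelec.com
EOF
    # CA:TRUE and keyCertSign are what make ca.crt usable as an issuer.
    cat > "$1/ca.conf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[ dn ]
countryName = IN
organizationName = ORACLE
commonName = IDIH Test CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Steps 2 to 6: CA key and certificate, server key, CSR, signed server cert.
generate_idih_certs() {
    d=$1; write_configs "$d"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out "$d/ca.key" 2>/dev/null
    openssl req -x509 -new -key "$d/ca.key" -days 3650 -sha256 -config "$d/ca.conf" -out "$d/ca.crt"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out "$d/server.key" 2>/dev/null
    openssl req -new -key "$d/server.key" -config "$d/ssl.conf" -out "$d/server.csr"
    # -extfile/-extensions re-applies req_ext: "x509 -req" does not copy the
    # CSR's extensions by default, so without it the SAN list is dropped.
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -days 825 -sha256 -extensions req_ext -extfile "$d/ssl.conf" -out "$d/server.crt" 2>/dev/null
}

# Checks to run before handing the files to IDIH; returns 1 on first failure.
verify_idih_certs() {
    d=$1
    openssl verify -CAfile "$d/ca.crt" "$d/server.crt" >/dev/null || return 1
    openssl x509 -noout -text -in "$d/ca.crt" | grep -q 'CA:TRUE' || return 1
    srv=$(openssl x509 -noout -text -in "$d/server.crt")
    echo "$srv" | grep -q 'CA:FALSE' || return 1
    echo "$srv" | grep -q 'TLS Web Server Authentication' || return 1
    for n in localhost '*.tekelec.com' cnidih-portal usermanagement nfconfig-manager \
             protraceprocessor ttrdecoder alarmmanagement api-gateway idih.tekelec.com; do
        echo "$srv" | grep -qF "DNS:$n" || return 1    # -F: '*' and '.' are literal
    done
}

# Steps 7 and 9: keystore and truststore. The password is read from a
# mode-600 file rather than "pass:" on the command line (process list, history).
build_keystores() {
    d=$1
    (umask 077; openssl rand -base64 18 > "$d/p12.pass")
    openssl pkcs12 -export -inkey "$d/server.key" -in "$d/server.crt" -name idihserver \
        -out "$d/serverKeyStore.p12" -passout "file:$d/p12.pass"
    if command -v keytool >/dev/null 2>&1; then      # truststore needs the JDK tool
        keytool -importcert -file "$d/ca.crt" -alias idihcacert -keystore "$d/trustStore.p12" \
            -storetype PKCS12 -storepass:file "$d/p12.pass" -noprompt
    fi
}

# Usage: sh idih-certs.sh run <outdir>
if [ "${1:-}" = run ]; then
    mkdir -p "$2"; generate_idih_certs "$2"; verify_idih_certs "$2"; build_keystores "$2"
    echo "certificates and keystores written to $2"
fi
```

The verification function is the part worth keeping around: run it against any ca.crt/server.crt pair before deployment, and it will fail on the two most common mistakes in this procedure, a server certificate signed without -extfile (no SAN) and a "CA" certificate generated without CA:TRUE.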