Create External Trusted RootCA and Distribution Client Certificates
If you are using Certificates as the target authentication method in
scenarios where two deployments need to connect the distribution and receiver paths to
transfer trail data, then you will need to use an external RootCA certificate to
validate a distribution client user using a distribution client (distclient)
certificate. The distribution client certificate is stored on the target deployment and
a distribution client user (operator role) is created on the source deployment. The
validation type of this user is set to Certificate.
Note:
Distribution Paths created using Certificates require the target deployment to have an x-Cert user configured whose username is the same as the Subject DN of the Distribution Path certificate. See About Distribution Service Path.

Create a RootCA External Certificate in the Target Deployment
Use the following steps to create and manage the root CA external certificate (rootCA_ext) for a target deployment that is different from the source deployment.
Here is a sample rootCA_ext.cfg configuration file:

[ req ]
default_bits = 4096
default_md = sha512
prompt = no
encrypt_key = no
distinguished_name = req_distinguished_name
req_extensions = v3_req
x509_extensions = v3_ca
# x509_extensions is assigned twice; OpenSSL keeps the later value (usr_cert).
# Both sections set the same CA:TRUE constraint, so the result is unchanged.
x509_extensions = usr_cert
[ req_distinguished_name ]
#countryName = "US"
#stateOrProvinceName = "CA"
#localityName = "Redwood City"
#streetAddress = "400 Oracle Pkwy"
#organizationName = "Oracle USA Inc"
#organizationalUnitName = "Security"
commonName = "rootCA_ext"
#emailAddress = "rootsecurity@oracle.com"
[ v3_req ]
basicConstraints=CA:TRUE
[ v3_ca ]
basicConstraints=CA:TRUE
[ usr_cert ]
basicConstraints=CA:TRUE
[ my_extensions ]

The command to generate the rootCA external certificate is:
openssl req -subj "/CN=RootCA_ext" \
-newkey rsa:2048 -nodes \
-keyout rootCA_ext_key.pem \
-new -x509 \
-days 365 \
-out rootCA_ext_cert.pem

As written, the command does not reference the sample configuration file; add -config rootCA_ext.cfg to apply its sections. The -subj option overrides the commonName set in the file.

Create a Distribution Client Certificate
The command to generate a client certificate signing request is similar to the following:

openssl req -subj "/CN=distclient" \
-newkey rsa:2048 -nodes \
-keyout distclient_key.pem \
-new \
-out distclient.csr

The extension file distclient_cert.cnf, passed with -extfile when the request is signed, restricts the certificate to client authentication:

extendedKeyUsage = clientAuth
This distclient certificate is signed by, and therefore verifies against, the rootCA_ext certificate created above, using the following command:

openssl x509 -CAcreateserial \
-CA rootCA_ext_cert.pem \
-CAkey rootCA_ext_key.pem \
-req \
-in distclient.csr \
-extfile distclient_cert.cnf \
-days 365 \
-out distclient_cert.pem

The distclient certificate and the private key are generated. Both files are stored in Privacy Enhanced Mail (PEM) format, and the private key is created in Public-Key Cryptography Standards (PKCS) #12 format.
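The checks a practitioner would run after completing these steps, as an added example that is not part of the Oracle documentation or of the GoldenGate product: it rebuilds the rootCA_ext and distclient files from the commands above in a scratch directory (with -config added so it runs without a system openssl.cnf), verifies that distclient_cert.pem chains to rootCA_ext_cert.pem and carries the clientAuth usage without being a CA itself, prints the Subject DN that the x-Cert user on the target deployment must be named after (the note at the top of this page), and bundles the key into a PKCS #12 file as the last paragraph mentions. The scratch directory, the export password, the critical flags and the keyUsage line in the CA configuration are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the Oracle GoldenGate documentation: builds the
# rootCA_ext -> distclient chain from the steps above in a scratch directory and
# checks the properties the distribution path relies on. File names follow the
# page; the scratch directory, the PKCS#12 password and the critical/keyUsage
# hardening in the CA config are constructed for this example.
set -eu

# Create the external root CA and the CA-signed distclient certificate in $1.
build_chain() {
  d="$1"
  # Minimal rootCA_ext.cfg with the same shape as the page's sample; -config is
  # used for both req calls so the example does not depend on a system openssl.cnf.
  cat > "$d/rootCA_ext.cfg" <<'EOF'
[ req ]
default_md = sha512
prompt = no
encrypt_key = no
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
[ req_distinguished_name ]
commonName = "rootCA_ext"
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  # Extension file consumed by "openssl x509 -extfile" when the CSR is signed.
  printf 'extendedKeyUsage = clientAuth\n' > "$d/distclient_cert.cnf"

  # Self-signed external root CA (same options as the page, plus -config).
  openssl req -config "$d/rootCA_ext.cfg" -subj "/CN=rootCA_ext" \
    -newkey rsa:2048 -nodes -keyout "$d/rootCA_ext_key.pem" \
    -new -x509 -days 365 -out "$d/rootCA_ext_cert.pem" 2>/dev/null
  # Client CSR, then sign it with the root CA and the clientAuth extension.
  openssl req -config "$d/rootCA_ext.cfg" -subj "/CN=distclient" \
    -newkey rsa:2048 -nodes -keyout "$d/distclient_key.pem" \
    -new -out "$d/distclient.csr" 2>/dev/null
  openssl x509 -CAcreateserial -CA "$d/rootCA_ext_cert.pem" \
    -CAkey "$d/rootCA_ext_key.pem" -req -in "$d/distclient.csr" \
    -extfile "$d/distclient_cert.cnf" -days 365 \
    -out "$d/distclient_cert.pem" 2>/dev/null
}

# Verify the chain and the client-only profile of the signed certificate.
verify_chain() {
  d="$1"
  # The client certificate must validate against the external root CA.
  openssl verify -CAfile "$d/rootCA_ext_cert.pem" "$d/distclient_cert.pem" >/dev/null 2>&1 || return 1
  txt="$(openssl x509 -in "$d/distclient_cert.pem" -noout -text)"
  # clientAuth EKU came from the -extfile; the client cert must not be a CA.
  printf '%s\n' "$txt" | grep -q 'TLS Web Client Authentication' || return 1
  if printf '%s\n' "$txt" | grep -q 'CA:TRUE'; then return 1; fi
  # The root must carry CA:TRUE (the basicConstraints from the config).
  openssl x509 -in "$d/rootCA_ext_cert.pem" -noout -text | grep -q 'CA:TRUE' || return 1
}

# Subject DN string to use as the x-Cert user name on the target deployment.
# RFC 2253 ordering is an assumption; compare with what the deployment displays.
client_subject_dn() {
  openssl x509 -in "$1/distclient_cert.pem" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//'
}

# Bundle key, certificate and root into a PKCS#12 file (the format the text
# mentions for the private key); $2 is the export password.
export_pkcs12() {
  openssl pkcs12 -export -name distclient -inkey "$1/distclient_key.pem" \
    -in "$1/distclient_cert.pem" -certfile "$1/rootCA_ext_cert.pem" \
    -out "$1/distclient.p12" -passout "pass:$2" 2>/dev/null
}

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
build_chain "$WORK"
verify_chain "$WORK"
echo "chain OK: distclient_cert.pem validates against rootCA_ext_cert.pem"
echo "x-Cert user name for the target deployment: $(client_subject_dn "$WORK")"
export_pkcs12 "$WORK" 'example-only-password'
echo "wrote $WORK/distclient.p12"
```

The Subject DN printed by client_subject_dn is the value the note at the top of this page refers to: the x-Cert user created on the target deployment must carry exactly that string, so any change to the -subj argument of the CSR command changes the user name as well.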