Using Your Organization's CA process for TLS Certificates
This section details how to create TLS certificates using openssl.
Large organizations or government bodies, as examples, may have their own PKIs (public key infrastructure), each containing their own CAs.
For the case that your organization has its own certificate process, this section explains how to integrate Recovery Appliance certificates.
Prepare Information for the Certificates
-
On a Recovery Appliance as an
admin_userorroot, run this command.racli list sanCreated log /opt/oracle.RecoveryAppliance/log/racli_list_san.log Thu May 6 16:18:33 2021: Start: List SAN CN = zdlra09ingest-scan1.yourdomain.com DNS.1 = zdlra09adm01.yourdomain.com DNS.2 = zdlra09adm02.yourdomain.com DNS.3 = zdlra09ingest-scan1.yourdomain.com DNS.4 = zdlra09ingest01-vip.yourdomain.com DNS.5 = zdlra09ingest01.yourdomain.com DNS.6 = zdlra09ingest02-vip.yourdomain.com DNS.7 = zdlra09ingest02.yourdomain.com Thu May 6 16:18:39 2021: End: List SANThe
CN(Common Name) item from your host is<yourScanName>which later corresponds to certificate files.In this example,
<yourScanName>is "zdlra09ingest-scan1", the signed certificate file is<yourScanName>.p12, and the trusted certificate is<yourScanName>.pem. -
Use an editor to create a
CRTconfiguration file for your organization's certification/security process..In this example, it is named
<YOUR_CONFIG2>. In your environment, all of the constructs withYOUR_...oryourDirare replaced with specific information from the local instance. And the<YOUR_DNS>items are replace with information obtained in previous step usingracli list san.[req] default_bits = 2048 prompt = no default_md = sha256 req_extensions = v3_req distinguished_name = dn [ dn ] C=$args{YOUR_COUNTRY} ST=$args{YOUR_STATE} L=$args{YOUR_LOCATION} O=$args{YOUR_ORGANIZATION} OU=$args{YOUR_ORGANIZATION_UNIT} emailAddress=$args{YOUR_EMAIL_ADDRESS} CN = $list_san->{CN} [ v3_req ] keyUsage = keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth subjectAltName = \@alt_names [alt_names] DNS.1 = <YOUR_DNS.1> DNS.2 = <YOUR_DNS.2> -
Upload the
<YOUR_CONFIG2>.CRTfile to your organization's certification/security process.Note:
When your CA organization generates the bundle:- Choose the format
PEM (OpenSSL). - Check the option for
including CRT file, because<YOUR_CONFIG2>is needed.
- Choose the format
-
From your organization's certification/security process, download the whole package to a location designated as
<yourDir>. This example assumes it is named<yourDownload>.crt.The trusted certificate,
<yourDownload>.pem, is within that package and is used from this package in later steps to generate a signed certificate. -
On a Recovery Appliance as an
admin_userorroot, run this command to generate the key file. In this example, it isyourScanName.key.openssl genrsa --passout pass:<yourPassword> --out <yourDir>/<yourScanName>.key 2048 -
Get the certificate signed by the trusted certificate using the
pkcs12format.openssl pkcs12 --export --in <yourDir>/<yourDownload>.crt --inkey <yourDir>/<yourScanName>.key --certfile <yourDir>/<yourDownload>.pem --passin pass:<yourPassword> --passout pass:<yourPassword> --out <yourDir>/<yourScanName>.p12 -
Import the signed certificate into the TLS wallet.
racli add certificate --signed_cert=<yourDir>/<yourScanName>.p12 -
Import the trusted certificate into the TLS wallet.
racli add certificate --trust_cert=<yourDir>/<yourScanName>.pem -
After importing the certificates, verify with "
racli list certificate" that the certificates are in theraa_certsdatabase table.# racli list certificate Created log /opt/oracle.RecoveryAppliance/log/racli_list_certificate.20230329.1146.log Wed Mar 29 11:46:49 2023: Start: List Certificate Serial: 9A15CB4B76BBC52D Expire Time: 2024-03-28 Certificate Type: trusted_cert Serial: 95B9181340F644F0 Expire Time: 2024-03-28 Certificate Type: signed_cert Wed Mar 29 11:46:49 2023: End: List Certificate -
Continue with Configuring TLS Data Security on the Recovery Appliance followed by Configuring TLS Data Security on the Client.