Create Private Keys and Certificates for Ingress Gateway and Egress Gateway

This section describes how to create private keys and certificates in NSSF.

Creating a Private Key and Certificates to Enable HTTPS

To create private keys and certificates:

  1. Generate an RSA private key by executing the following command. The command also writes a self-signed certificate (rsa_certificate.crt) that is not used in the remaining steps; only the key file matters here:
    openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -keyout rsa_private_key -out rsa_certificate.crt
  2. Convert the private key to PKCS#1 PEM format by executing the following command:
    openssl rsa -in rsa_private_key -outform PEM -out rsa_private_key_pkcs1.pem
    On OpenSSL 1.1 this writes the "BEGIN RSA PRIVATE KEY" (PKCS#1) encoding the file name implies. On OpenSSL 3.x, openssl rsa writes PKCS#8 ("BEGIN PRIVATE KEY") by default; add the -traditional option to obtain PKCS#1.
  3. Generate a certificate signing request (CSR) from the private key by executing the following command:
    openssl req -new -key rsa_private_key -out ocegress.csr -config ssl.conf

    Note:

    The ssl.conf file supplies the default distinguished-name entries and the Subject Alternative Name (SAN) details for your certificate. Set commonName and the alt_names entries to the FQDN and IP address the gateway is actually reached at; TLS clients match the SAN, not the Common Name.
    A sample ssl.conf is provided below:
    #ssl.conf
    [ req ]
    default_bits = 4096
    distinguished_name = req_distinguished_name
    req_extensions = req_ext
     
    [ req_distinguished_name ]
    countryName = Country Name (2 letter code)
    countryName_default = IN
    stateOrProvinceName = State or Province Name (full name)
    stateOrProvinceName_default = Karnataka
    localityName = Locality Name (eg, city)
    localityName_default = Bangalore
    organizationName = Organization Name (eg, company)
    organizationName_default = Oracle
    commonName = Common Name (e.g. server FQDN or YOUR name)
    commonName_max = 64
    commonName_default = localhost
     
    [ req_ext ]
    subjectAltName = @alt_names
     
    [alt_names]
    IP = 127.0.0.1
    DNS.1 = localhost
  4. Create a root certificate authority (CA) by executing the following set of commands. The first command prompts for a passphrase that protects cakey.pem; the last one seeds the serial-number file used when signing. Note that -extensions only takes effect together with -extfile pointing at a configuration file that defines the v3_ca section; without -extfile, caroot.cer is issued without CA extensions:
    openssl req -new -keyout cakey.pem -out careq.pem
    openssl x509 -signkey cakey.pem -req -days 3650 -in careq.pem -out caroot.cer -extensions v3_ca
    echo 1234 > serial.txt
  5. Sign the server certificate with the root CA private key by executing the following command:
    openssl x509 -CA caroot.cer -CAkey cakey.pem -CAserial serial.txt -req -in ocegress.csr -out ocegress.cer -days 365 -extfile ssl.conf -extensions req_ext

Note:

The ssl.conf file must be passed again at signing time (-extfile ssl.conf -extensions req_ext) because openssl x509 -req does not copy the SAN extension from the CSR into the signed certificate. Confirm the result with openssl x509 -in ocegress.cer -noout -text: the Subject Alternative Name block must list the expected DNS names and IP addresses.

  6. Create a file named key.txt whose content is a password of your choice.
  7. Create a file named trust.txt whose content is a password of your choice.

Creating a Secret

Note: The user must create a secret for database access before deploying NSSF.

To create a secret:

  1. Execute kubectl get namespace to list the existing namespaces.
  2. If the namespace does not exist, create it by executing the following command:

    kubectl create namespace <NameSpace>

    where:

    <NameSpace> is the deployment namespace used by the helm command.

  3. Generate a secret from the keys and certificates by executing the following command from the directory that contains the files:
    kubectl create secret generic k8SecretName --from-file=rsa_private_key_pkcs1.pem --from-file=trust.txt --from-file=key.txt --from-file=ocegress.cer --from-file=caroot.cer -n k8NameSpace

    where:

    k8NameSpace is the deployment namespace used by the helm command.

    k8SecretName is the name of the secret to generate.

    Example:

    kubectl create secret generic accesstoken-secret --from-file=rsa_private_key_pkcs1.pem --from-file=trust.txt --from-file=key.txt --from-file=ocegress.cer --from-file=caroot.cer -n ocnssf
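The whole procedure above (key, CSR with SAN, root CA, signing, password files, secret), as an added example that is not part of the Oracle documentation: a POSIX shell script that runs the steps non-interactively and then checks what the page tells you to check, namely that the signed certificate chains to caroot.cer, that the SAN survived signing, and that ocegress.cer matches rsa_private_key. It assumes openssl is on PATH. The FQDN, the CA subject name, the basicConstraints/keyUsage/extendedKeyUsage lines added to req_ext, the random passwords in key.txt and trust.txt, and the kubectl client-side dry run are choices made here, not from the page.

```shell
#!/bin/sh
# Added example, not Oracle's code: the NSSF gateway key/certificate steps
# above, run end to end and then checked. Assumes openssl in PATH; FQDN, CA
# subject, extra leaf extensions, random passwords, kubectl dry-run are mine.
set -eu

# make_gateway_certs <workdir> <fqdn>: writes the files the page names into <workdir>.
make_gateway_certs() {
  dir=$1; fqdn=$2; mkdir -p "$dir"
  (
    cd "$dir"
    # Step 1: 2048-bit RSA key, PKCS#8 PEM (the unused self-signed cert is skipped).
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out rsa_private_key 2>/dev/null
    # Step 2: PKCS#1 copy. OpenSSL 3 needs -traditional; OpenSSL 1.1 and
    # LibreSSL reject the flag but already write PKCS#1, hence the fallback.
    openssl rsa -in rsa_private_key -traditional \
      -out rsa_private_key_pkcs1.pem 2>/dev/null \
      || openssl rsa -in rsa_private_key -out rsa_private_key_pkcs1.pem 2>/dev/null
    # Step 3: CSR with SAN; prompt = no makes the DN non-interactive. The
    # basicConstraints/keyUsage/EKU lines are added so the leaf serves ingress
    # (TLS server) and egress (TLS client).
    cat > ssl.conf <<EOF
[ req ]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
C = IN
ST = Karnataka
L = Bangalore
O = Oracle
CN = $fqdn
[ req_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = $fqdn
DNS.2 = localhost
IP.1 = 127.0.0.1
EOF
    openssl req -new -key rsa_private_key -out ocegress.csr -config ssl.conf
    # Step 4: root CA (key + self-signed cert) with explicit CA extensions.
    cat > ca.conf <<EOF
[ req ]
prompt = no
distinguished_name = ca_dn
x509_extensions = v3_ca
[ ca_dn ]
CN = NSSF Lab Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 \
      -keyout cakey.pem -out caroot.cer -config ca.conf 2>/dev/null
    echo 1234 > serial.txt
    # Step 5: sign. x509 -req drops the CSR's extensions, so pass ssl.conf again.
    openssl x509 -req -in ocegress.csr -CA caroot.cer -CAkey cakey.pem \
      -CAserial serial.txt -days 365 -extfile ssl.conf -extensions req_ext \
      -out ocegress.cer 2>/dev/null
    # Steps 6 and 7: password files, random rather than "any password".
    printf '%s' "$(openssl rand -base64 24)" > key.txt
    printf '%s' "$(openssl rand -base64 24)" > trust.txt
  )
}

# verify_gateway_cert <workdir> <fqdn>: chain, SAN and key/cert match.
verify_gateway_cert() {
  dir=$1; fqdn=$2
  (
    cd "$dir"
    openssl verify -CAfile caroot.cer ocegress.cer >/dev/null 2>&1 || exit 1
    text=$(openssl x509 -in ocegress.cer -noout -text)
    echo "$text" | grep -q "DNS:$fqdn" || exit 1
    echo "$text" | grep -q "IP Address:127.0.0.1" || exit 1
    [ "$(openssl x509 -in ocegress.cer -noout -modulus)" = \
      "$(openssl rsa -in rsa_private_key -noout -modulus 2>/dev/null)" ] || exit 1
  )
}

# create_secret <workdir> <namespace> <secret>: the procedure's kubectl command
# as a client-side dry run (creates nothing); prints it if kubectl is absent.
create_secret() {
  dir=$1; ns=$2; name=$3
  (
    cd "$dir"
    set -- kubectl create secret generic "$name" \
      --from-file=rsa_private_key_pkcs1.pem --from-file=trust.txt \
      --from-file=key.txt --from-file=ocegress.cer --from-file=caroot.cer -n "$ns"
    if command -v kubectl >/dev/null 2>&1; then "$@" --dry-run=client -o yaml
    else echo "kubectl not found; run in $dir:"; echo "$*"; fi
  )
}

if [ "$#" -eq 2 ]; then   # Usage: sh gateway-certs.sh <workdir> <fqdn>
  make_gateway_certs "$1" "$2" && verify_gateway_cert "$1" "$2"
  create_secret "$1" ocnssf accesstoken-secret
fi
```

Run it as sh gateway-certs.sh ./certs egress.ocnssf.example.com, then drop --dry-run=client -o yaml from the printed command to create the secret for real. The verification step is the one worth keeping in any pipeline that regenerates these files: a certificate whose SAN was lost at signing or whose key does not match is exactly what breaks the gateway at start-up, and both are caught here before anything reaches Kubernetes.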