A.5 Creating Private Keys and Certificates

This section explains the procedure to create private keys and certificates for enabling HTTPS on the N32 gateway and the PLMN gateway (both Ingress and Egress).

Note:

Creating keys and certificates is outside the scope of SEPP; the user or operator should perform this at their discretion.

The gateway supports both RSA and ECDSA signing for ingress and egress traffic. The initial algorithm is selected with the initialAlgorithm flag in the custom-values.yaml of each gateway.

Select as follows:

  • For RSA, use RS256
  • For ECDSA, use ES256

Certificates for the selected initial algorithm must be included in the ocsepp-n32-secret and ocsepp-plmn-secret.

Note:

Prerequisites:

Use the following sample ssl.conf file to configure the default entries along with the subject alternative name (SAN) details for your certificate.
  • ssl.conf has several required fields, such as commonName, commonName_default, and subjectAltName. Configure these values as per the SEPP FQDN configuration.
  • The SEPP FQDN can be taken from the localProfile:interPlmnFqdn parameter in the ocsepp_custom_values_<version>.yaml file.
  • The other commands require the same values. Keep these parameters consistent across commands.
  1. Run the following command to create the ssl.conf file:

    Update the following parameters with the SEPP inter-PLMN FQDN to be used in the TLS certificate:

    • commonName_default
    • commonName
    • DNS.1
    
    cat > ssl.conf << EOF
    #ssl.conf
    [ req ]
    default_bits = 4096
    distinguished_name = req_distinguished_name
    req_extensions = req_ext
     
    [ req_distinguished_name ]
    countryName = Country Name (2 letter code)
    countryName_default = IN
    stateOrProvinceName = State or Province Name (full name)
    stateOrProvinceName_default = Karnataka
    localityName = Locality Name (eg, city)
    localityName_default = Bangalore
    organizationName = Organization Name (eg, company)
    organizationName_default = Oracle
    commonName = sepp2.inter.oracle.com
    commonName_max = 64
    commonName_default = sepp2.inter.oracle.com
     
    [ req_ext ]
    subjectAltName = @alt_names
     
    [alt_names]
    IP = 127.0.0.1
    DNS.1 = sepp2.inter.oracle.com
    EOF

    RSA Certificate Generation (To be done for consumer SEPP and producer SEPP individually)

  2. Run the following command to generate the RSA private key and a self-signed certificate:
    //Generate rsa_certificate.crt and rsa_private_key
     
    openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -keyout rsa_private_key -out rsa_certificate.crt -subj '/C=IN/ST=Karnataka/L=Bangalore/O=Oracle/CN=sepp2.inter.oracle.com'
  3. Run the following command to convert the private key to PEM (PKCS#1) format:
    
    //Generate rsa_private_key_pkcs1.pem
    openssl rsa -in rsa_private_key -outform PEM -out rsa_private_key_pkcs1.pem
  4. Run the following command to generate a certificate signing request (CSR) using the private key:
    //Generate ocsepp.csr
    openssl req -new -key rsa_private_key -out ocsepp.csr -config ssl.conf -subj '/C=IN/ST=Karnataka/L=Bangalore/O=Oracle/CN=sepp2.inter.oracle.com'
  5. Run the following command to generate the serial.txt file used by the CA when signing:
    
    //Generate serial.txt
    echo 1234 > serial.txt

    Root CA creation for self-signed certificates (only done once for any SEPP)

  6. Run the following set of commands to create the root certificate authority (CA):
    //Generate cakey.pem and careq.pem
    openssl req -new -keyout cakey.pem -out careq.pem -passout pass:${PEM_PHRASE} -subj "/C=IN/ST=Karnataka/L=Bangalore/O=Oracle/CN=sepp2.inter.oracle.com"
     
    //Generate caroot.cer
    openssl x509 -signkey cakey.pem -req -days 3650 -in careq.pem -out caroot.cer -extensions v3_ca -passin pass:${PEM_PHRASE}
     

    Self-signing RSA certificates (to be done for the consumer SEPP and producer SEPP individually)

  7. Run the following command to sign the server certificate with the root CA private key:
    openssl x509 -CA caroot.cer -CAkey cakey.pem -CAserial serial.txt -req -in ocsepp.csr -out ocsepp.cer -days 365 -extfile ssl.conf -extensions req_ext -passin pass:${PEM_PHRASE}

    ECDSA certificate generation and self-signing (to be done for the consumer SEPP and producer SEPP individually)

  8. Run the following commands to generate the ECDSA private key and a CSR from it, sign the CSR with the root CA private key, and convert the key to PKCS#8 PEM format:
    
    openssl ecparam -genkey -name prime256v1 -out host.key
     
    openssl req -new -sha256 -key host.key -nodes -out ecdsa_certificate.csr -config ssl.conf -subj "/C=IN/ST=Karnataka/L=Bangalore/O=Oracle/CN=sepp2.inter.oracle.com"
     
    openssl x509 -CA caroot.cer -req -sha256 -days 730 -in ecdsa_certificate.csr -CAkey cakey.pem -CAcreateserial -extfile ssl.conf -extensions req_ext -out ssl_ecdsa_certificate.crt -passin pass:${PEM_PHRASE}
     
    openssl pkcs8 -topk8 -in host.key -out ssl_ecdsa_private_key.pem -nocrypt
  9. Create key.txt containing a password of your choice. This password is used to configure the gateway key store.

    Example:

    echo "password" > key.txt
  10. Create trust.txt containing a password of your choice. This password is used to configure the gateway trust store.

    Example:

    echo "password" > trust.txt
  11. Run the following command to create the secret used by n32-egress-gateway and n32-ingress-gateway:
    kubectl create secret generic ocsepp-n32-secret --from-file=ssl_ecdsa_private_key.pem --from-file=rsa_private_key_pkcs1.pem --from-file=trust.txt --from-file=key.txt --from-file=caroot.cer --from-file=rsa_certificate.crt --from-file=ssl_ecdsa_certificate.crt --from-file=ocsepp.cer -n <namespace>
    where <namespace> is the namespace in which SEPP is deployed. Example:
    kubectl create secret generic ocsepp-n32-secret --from-file=ssl_ecdsa_private_key.pem --from-file=rsa_private_key_pkcs1.pem --from-file=trust.txt --from-file=key.txt --from-file=caroot.cer --from-file=rsa_certificate.crt --from-file=ssl_ecdsa_certificate.crt --from-file=ocsepp.cer -n seppsvc
    
    
  12. Run the following command to create the secret used by plmn-egress-gateway and plmn-ingress-gateway:
    kubectl create secret generic ocsepp-plmn-secret --from-file=ssl_ecdsa_private_key.pem --from-file=rsa_private_key_pkcs1.pem --from-file=trust.txt --from-file=key.txt --from-file=caroot.cer --from-file=rsa_certificate.crt --from-file=ssl_ecdsa_certificate.crt --from-file=ocsepp.cer -n <namespace>
    where <namespace> is the namespace in which SEPP is deployed. Example:
    kubectl create secret generic ocsepp-plmn-secret --from-file=ssl_ecdsa_private_key.pem --from-file=rsa_private_key_pkcs1.pem --from-file=trust.txt --from-file=key.txt --from-file=caroot.cer --from-file=rsa_certificate.crt --from-file=ssl_ecdsa_certificate.crt --from-file=ocsepp.cer -n seppsvc
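The procedure above, steps 1 to 10, collected into one script with the checks an operator would run before packing the files into the secrets of steps 11 and 12. This is an added example, not code from the SEPP documentation or product. It assumes only the openssl CLI (1.1.1 or 3.x); the CA common name "SEPP Root CA", the [ ca_ext ] section added to ssl.conf, the reuse of serial.txt for both gateway certificates, the sepp_* function names and the SEPP_CERT_DIR, SEPP_FQDN and PEM_PHRASE variables are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the SEPP documentation): steps 1-10 of this section as
# shell functions, plus pre-flight checks for the files that go into the
# ocsepp-n32-secret / ocsepp-plmn-secret. Assumptions not on the page: the root CA
# gets its own CN "SEPP Root CA", ssl.conf gains a [ ca_ext ] section, and
# serial.txt is reused for both gateway certificates.
set -e

# ssl.conf for FQDN: DN read from the config (prompt = no), SAN and EKU for the leaves.
sepp_write_ssl_conf() {
  dir=$1; fqdn=$2
  cat > "$dir/ssl.conf" <<EOF
[ req ]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
C = IN
ST = Karnataka
L = Bangalore
O = Oracle
CN = $fqdn

[ req_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = $fqdn

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Root CA (step 6), created once. Its CN differs from the gateway FQDN so that the
# issuer and subject names of the gateway certificates are distinct.
sepp_make_ca() {
  dir=$1; pass=$2
  openssl req -new -newkey rsa:2048 -keyout "$dir/cakey.pem" -out "$dir/careq.pem" \
    -config "$dir/ssl.conf" -passout "pass:$pass" \
    -subj "/C=IN/ST=Karnataka/L=Bangalore/O=Oracle/CN=SEPP Root CA"
  openssl x509 -req -days 3650 -in "$dir/careq.pem" -signkey "$dir/cakey.pem" \
    -passin "pass:$pass" -extfile "$dir/ssl.conf" -extensions ca_ext -out "$dir/caroot.cer"
  echo 1234 > "$dir/serial.txt"   # step 5; incremented by every signing below
}

# sepp_sign DIR PASS CSR OUT DAYS: sign with the root CA; [ req_ext ] copies SAN and EKU.
sepp_sign() {
  openssl x509 -req -sha256 -days "$5" -in "$3" -CA "$1/caroot.cer" -CAkey "$1/cakey.pem" \
    -CAserial "$1/serial.txt" -passin "pass:$2" -extfile "$1/ssl.conf" -extensions req_ext -out "$4"
}

# RSA key, self-signed cert, PKCS#1 key, CSR and CA-signed cert (steps 2-4 and 7).
sepp_make_rsa() {
  dir=$1; pass=$2
  openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -config "$dir/ssl.conf" \
    -keyout "$dir/rsa_private_key" -out "$dir/rsa_certificate.crt"
  # OpenSSL 3 writes PKCS#8 unless -traditional is given; OpenSSL 1.1.1 lacks that flag.
  openssl rsa -in "$dir/rsa_private_key" -traditional -out "$dir/rsa_private_key_pkcs1.pem" 2>/dev/null ||
    openssl rsa -in "$dir/rsa_private_key" -out "$dir/rsa_private_key_pkcs1.pem"
  openssl req -new -key "$dir/rsa_private_key" -config "$dir/ssl.conf" -out "$dir/ocsepp.csr"
  sepp_sign "$dir" "$pass" "$dir/ocsepp.csr" "$dir/ocsepp.cer" 365
}

# ECDSA P-256 key, CSR, CA-signed cert and PKCS#8 key (step 8).
sepp_make_ecdsa() {
  dir=$1; pass=$2
  openssl ecparam -genkey -name prime256v1 -noout -out "$dir/host.key"
  openssl req -new -sha256 -key "$dir/host.key" -config "$dir/ssl.conf" -out "$dir/ecdsa_certificate.csr"
  sepp_sign "$dir" "$pass" "$dir/ecdsa_certificate.csr" "$dir/ssl_ecdsa_certificate.crt" 730
  openssl pkcs8 -topk8 -nocrypt -in "$dir/host.key" -out "$dir/ssl_ecdsa_private_key.pem"
}

# Pre-flight for steps 11-12: every file the secret needs is present and non-empty, and
# each gateway cert chains to caroot.cer, carries FQDN as a SAN and matches its key.
sepp_verify() {
  dir=$1; fqdn=$2
  for f in ssl_ecdsa_private_key.pem rsa_private_key_pkcs1.pem trust.txt key.txt \
           caroot.cer rsa_certificate.crt ssl_ecdsa_certificate.crt ocsepp.cer; do
    [ -s "$dir/$f" ] || return 1
  done
  for pair in "ocsepp.cer rsa_private_key_pkcs1.pem" "ssl_ecdsa_certificate.crt ssl_ecdsa_private_key.pem"; do
    set -- $pair
    openssl verify -CAfile "$dir/caroot.cer" "$dir/$1" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/$1" -noout -text | grep -q "DNS:$fqdn" || return 1
    pub=$(openssl x509 -in "$dir/$1" -noout -pubkey) || return 1
    [ "$pub" = "$(openssl pkey -in "$dir/$2" -pubout)" ] || return 1
  done
}

# Stand-alone use: SEPP_CERT_DIR=./certs [SEPP_FQDN=...] [PEM_PHRASE=...] sh sepp-certs.sh
if [ -n "${SEPP_CERT_DIR:-}" ]; then
  d=$SEPP_CERT_DIR; f=${SEPP_FQDN:-sepp2.inter.oracle.com}; p=${PEM_PHRASE:-changeit}
  mkdir -p "$d"; sepp_write_ssl_conf "$d" "$f"; sepp_make_ca "$d" "$p"
  sepp_make_rsa "$d" "$p"; sepp_make_ecdsa "$d" "$p"
  printf 'password\n' > "$d/key.txt"; printf 'password\n' > "$d/trust.txt"   # steps 9-10
  sepp_verify "$d" "$f" && echo "OK: $d is ready for the kubectl create secret commands"
fi
```

Two points the script makes explicit. First, on OpenSSL 3.x the step 3 command (openssl rsa without -traditional) writes a PKCS#8 "PRIVATE KEY" block, not the PKCS#1 "RSA PRIVATE KEY" block that the file name rsa_private_key_pkcs1.pem suggests; the function tries -traditional first and falls back for OpenSSL 1.1.1, where PKCS#1 is the default. Second, step 6 as written gives the root CA the same subject as the gateway certificate; giving the CA its own CN keeps issuer and subject distinct, which makes chain building and certificate inspection unambiguous. Once sepp_verify returns 0, the kubectl create secret commands of steps 11 and 12 can be run from that directory unchanged.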