C Creating Private Keys and Certificate
- creating keys and certs for HTTPS
- creating keys and certs for the Access Token microservice
- creating keys and certs for CCA in CCA header
Note:
The creation process for private keys and signed certificates is at the discretion of the user or operator.
- Run the following command to generate an RSA private key (the same command also writes a self-signed certificate, rsa_certificate.crt):
openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -keyout rsa_private_key -out rsa_certificate.crt -config ssl.conf -passin pass:"keystorepasswd" -passout pass:"keystorepasswd"
- Run the following command to convert the private key to PEM format:
openssl rsa -in rsa_private_key -outform PEM -out rsa_private_key_pkcs1.pem -passin pass:"keystorepasswd" -passout pass:"keystorepasswd"
- Run the following command to generate a certificate signing request (CSR) using the private key:
openssl req -new -key rsa_private_key -out apigatewayrsa.csr -config ssl.conf -passin pass:"keystorepasswd" -passout pass:"keystorepasswd"
Use the following sample ssl.conf file to configure the default entries along with the Subject Alternative Name (SAN) details for your certificate:

#ssl.conf
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = IN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Karnataka
localityName = Locality Name (eg, city)
localityName_default = Bangalore
organizationName = Organization Name (eg, company)
organizationName_default = Oracle
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = localhost

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
IP = 127.0.0.1
DNS.1 = localhost

- Run the following set of commands to create the root certificate authority (CA) and initialise the serial number file used when signing:
openssl req -new -keyout cakey.pem -out careq.pem -config ssl.conf -passin pass:"keystorepasswd" -passout pass:"keystorepasswd"
openssl x509 -signkey cakey.pem -req -days 3650 -in careq.pem -out caroot.cer -extensions v3_ca -passin pass:"keystorepasswd"
echo 1234 > serial.txt
- Run the following command to sign the server certificate with the root CA private key:
openssl x509 -CA caroot.cer -CAkey cakey.pem -CAserial serial.txt -req -in apigatewayrsa.csr -out apigatewayrsa.cer -days 365 -extfile ssl.conf -extensions req_ext -passin pass:"keystorepasswd"
- Run the following commands to generate an ECDSA private key and convert it to PKCS#8 format:
openssl ecparam -genkey -name prime256v1 -noout -out ecdsa_private_key.pem
openssl pkcs8 -topk8 -in ecdsa_private_key.pem -inform pem -out ecdsa_private_key_pkcs8.pem -outform pem -nocrypt
- Run the following commands to generate a self-signed certificate and a certificate signing request (CSR) using the private key:
openssl req -new -key ecdsa_private_key_pkcs8.pem -x509 -nodes -days 365 -out ecdsa_certificate.crt -config ssl.conf
openssl req -new -key ecdsa_private_key_pkcs8.pem -out apigatewayecdsa.csr -config ssl.conf -passin pass:"keystorepasswd" -passout pass:"keystorepasswd"
- Run the following command to sign the server certificate with the root CA private key:
openssl x509 -CA caroot.cer -CAkey cakey.pem -CAserial serial.txt -req -in apigatewayecdsa.csr -out apigatewayecdsa.cer -days 365 -extfile ssl.conf -extensions req_ext -passin pass:"keystorepasswd"
Following are the supported algorithms in the TLS handshake:

Table C-1 Supported Algorithms for TLS Handshake

Algorithm | Key Size (bits) | Elliptic Curve | Note
RS256     | 2048            | NA             |
RS256     | 4096            | NA             | This is the recommended value.
ES256     | NA              | secp384r1      | This is the recommended value.
ES256     | NA              | secp256r1      |

- Create key.txt by entering any password. For example:
echo "keystorepasswd" > key.txt
- Create trust.txt by entering any password. For example:
echo "truststorepasswd" > trust.txt
- Run the following commands to create a secret:
- Run the following command to create a namespace:
kubectl create namespace <namespace>
Where, <namespace> is the namespace where NRF is deployed.
For example:
kubectl create namespace ocnrf
Sample output:
namespace/ocnrf created
- Run the following command to create the secret:
kubectl create secret generic <service>-secret --from-file=ecdsa_private_key.pem --from-file=rsa_private_key.pem --from-file=rsa_certificate.crt --from-file=ecdsa_certificate.crt -n <Namespace>
For example:
kubectl create secret generic ocnrfaccesstoken-secret --from-file=ecdsa_private_key.pem --from-file=rsa_private_key.pem --from-file=rsa_certificate.crt --from-file=ecdsa_certificate.crt -n ocnrf
Where, <service> is Ingress Gateway, Egress Gateway, or OAuth Token, and <Namespace> is the namespace where NRF is deployed.
Creating Private Keys and Certificate for CCA header
- Run the following commands to generate the CA root certificate:
openssl req -new -keyout cakey.pem -out careq.pem -subj "/C=IN/ST=KA/L=BLR/O=ORACLE/OU=CGBU/CN=ocnrf-endpoint.ocnrf.svc.cluster.local" -passin pass:$OPT_KEY_PWD -passout pass:$OPT_KEY_PWD
openssl x509 -signkey cakey.pem -req -days 3650 -in careq.pem -out caroot.cer -extensions v3_ca -passin pass:$OPT_KEY_PWD
- Run the following commands to generate the certificates:
- Run the following commands to generate a private key and convert it to PKCS#8 format:
openssl ecparam -genkey -name prime256v1 -noout -out ec_private_key.pem
openssl pkcs8 -topk8 -in ec_private_key.pem -inform pem -out ec_private_key_pkcs8.pem -outform pem -nocrypt
- Run the following command to create the certificate signing request:
openssl req -new -key ec_private_key_pkcs8.pem -out cca.csr -subj '//x=1/C=IN/ST=KA/L=BLR/O=ORACLE/OU=CGBU/CN=gateway-ingress-gateway.gateway.svc.cluster.local'
- Run the following commands to create the config file for the SAN:
touch config.ext
echo 'subjectAltName = URI:urn:uuid:<NfInstanceId>' > config.ext
- Run the following command to get the certificate signed with the configured root CA:
openssl x509 -CA ../ca/caroot.cer -CAkey ../ca/cakey.pem -days 3650 -req -in cca.csr -set_serial 01 -out cca.crt -extfile config.ext -passin pass:oracle
The x5c field of the JWT created by the consumer NF contains the content of the cca.crt file.
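Both procedures above (the ssl.conf-based HTTPS/Access Token flow and the CCA flow) end with a CA-signed certificate carrying a SAN, and the secret that receives it is only useful if the key, certificate and CA actually belong together. As an added example, not from the Oracle documentation, the script below rebuilds the CCA chain in a scratch directory and then runs the checks an operator should make before loading the files into a secret. It assumes the openssl CLI is on PATH; the CA subject, the NfInstanceId UUID and the directory layout are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: rebuild the CCA chain
# (root CA -> P-256 key -> CSR -> CA-signed cert with a URI SAN) in a scratch
# directory, then run the checks an operator wants before the files go into a
# Kubernetes secret. Assumes the openssl CLI is on PATH. The CA subject, the
# NfInstanceId and the directory layout are constructed sample values.
set -eu
WORK="$(mktemp -d)"
NF_INSTANCE_ID="6faf1bbc-6e4a-4454-a507-a14ef8e1bc5c"   # constructed sample UUID

build_chain() (
  cd "$WORK"
  # Minimal req config: no prompts, plus a v3_ca section like the page's -extensions v3_ca
  printf '[req]\ndistinguished_name = dn\n[dn]\n[v3_ca]\n' > req.cnf
  printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' >> req.cnf
  # Root CA in one step; -nodes leaves the key unencrypted so the script runs unattended
  openssl req -x509 -new -nodes -newkey rsa:2048 -days 3650 -keyout cakey.pem -out caroot.cer \
    -subj "/C=IN/ST=KA/L=BLR/O=ORACLE/OU=CGBU/CN=sample-root-ca" -config req.cnf -extensions v3_ca 2>/dev/null
  # Same key material as the page: prime256v1 key converted to PKCS#8
  openssl ecparam -genkey -name prime256v1 -noout -out ec_private_key.pem
  openssl pkcs8 -topk8 -nocrypt -in ec_private_key.pem -out ec_private_key_pkcs8.pem
  openssl req -new -key ec_private_key_pkcs8.pem -out cca.csr -config req.cnf \
    -subj "/C=IN/ST=KA/L=BLR/O=ORACLE/OU=CGBU/CN=gateway-ingress-gateway.gateway.svc.cluster.local"
  echo "subjectAltName = URI:urn:uuid:$NF_INSTANCE_ID" > config.ext
  openssl x509 -req -in cca.csr -CA caroot.cer -CAkey cakey.pem -set_serial 01 -days 3650 \
    -extfile config.ext -out cca.crt 2>/dev/null
)

# 1. The signed certificate (the cca.crt that goes into x5c) must chain to the root CA.
check_chain() { openssl verify -CAfile "$WORK/caroot.cer" "$WORK/cca.crt" >/dev/null 2>&1; }

# 2. The private key in the secret must belong to the certificate: compare the DER
#    SubjectPublicKeyInfo derived from the key with the one inside the certificate.
check_key_match() {
  key_fp="$(openssl pkey -in "$WORK/ec_private_key_pkcs8.pem" -pubout -outform DER | openssl sha256)"
  cert_fp="$(openssl x509 -in "$WORK/cca.crt" -noout -pubkey | openssl pkey -pubin -outform DER | openssl sha256)"
  [ "$key_fp" = "$cert_fp" ]
}

# 3. The SAN written to config.ext must actually have been copied into the signed certificate.
check_san() { openssl x509 -in "$WORK/cca.crt" -noout -text | grep -q "URI:urn:uuid:$NF_INSTANCE_ID"; }

# 4. The key must be on the curve Table C-1 lists for ES256 (prime256v1, i.e. secp256r1).
check_curve() { openssl x509 -in "$WORK/cca.crt" -noout -text | grep -q "prime256v1"; }

build_chain
for chk in check_chain check_key_match check_san check_curve; do
  if "$chk"; then echo "PASS $chk"; else echo "FAIL $chk"; fi
done
```

Point the four check functions at the real caroot.cer, cca.crt and key files instead of the scratch directory to validate a production set before running kubectl create secret.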