A.1 Certificate Configuration Examples
A.1.1 Creating End Entity (NF) Certificate Using OCCM - Sample Configuration
This section describes the sequence of steps to be performed to generate a signed certificate (NF certificate) using OCCM.
- Create the Issuer:
The following screenshots provide a sample configuration for creating the issuer using CNC Console GUI.
Figure -7 Create Issuer
Figure -8 Initial CMP Client (OCCM) Authentication Options
Figure -9 CMP Client Authentication Options for Other Certificate
- To enable HTTPS communication, provide the HTTPS scheme in the server URL field and provide the TLS trust store certificates under TLS config.
Figure -10 HTTPS Scheme
Figure -11 Enable TLS Config
- Create CMP Identity (OCCM) Certificate:
The following screenshots provide a sample configuration for creating the CMP Identity (OCCM) certificate using CNC Console GUI. Here, the OCCM certificate is configured manually.
Figure -12 Create CMP Identity (OCCM) Certificate
Figure -13 Private Key Options
Figure -14 Public Key Certificate Options
Figure -15 Subject and Subject Alternate Name
Figure -16 Certificate Output and Certificate Chain Output
- Create End Entity (NF) Certificate (PEM encoding):
The following screenshots provide a sample configuration for creating the NF Certificate using CNC Console GUI.
Figure -17 Create End Entity (NF) Certificate
Figure -18 Private Key Options
Figure -19 Public Key Options
Figure -20 Subject and Subject Alternate Names
Figure -21 Certificate Output
- Check Grafana Dashboard
Check the Grafana dashboard to view the certificates created.
Figure -22 End Entity (NF) Sample Grafana Dashboard
Figure -23 CMP Identity (OCCM) Sample Grafana Dashboard
The screenshot shows that NRF TLS Cert and CA1 certificates are created successfully. The left panel indicates their expiry time and the right panel shows that both are ready to be consumed.
- Verify Kubernetes Secret
After the certificate request is submitted, verify that the Kubernetes secret specified under private key output and certificate output location has been created.
Run the following command to get the content of the Kubernetes secret:
kubectl get secret <k8s-secret-name> -n <namespace> -o yaml
For example:
$ kubectl get secret nrf-tls-secret -n ns1 -o yaml
apiVersion: v1
data:
  nrfcert.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCkXXXXXXXXXX
  nrfcertchain.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tXXXXXXXXXXX
  nrfkey.pem: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1XXXXXXXXXXX
kind: Secret
metadata:
  creationTimestamp: "2024-12-10T07:31:21Z"
  name: nrf-tls-secret
  namespace: ns1
  resourceVersion: "563348905"
  uid: f0eb452d-e977-4809-99b0-c541b154dabe
type: Opaque
To view the certificate details, decode the certificate entry of the secret and pass it to the openssl x509 command:
kubectl get secret <k8s-secret-name> -n <namespace> -o=go-template='{{index .data "<certificate-output-K8s-secret-key>"}}' | base64 -d | openssl x509 -text -noout
For example:
$ kubectl get secret nrf-tls-secret -n ns1 -o=go-template='{{index .data "nrfcert.pem"}}' | base64 -d | openssl x509 -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: XXXXXXXXX
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = x.company.com
        Validity
            Not Before: Dec 10 07:31:22 2024 GMT
            Not After : Dec 10 07:31:21 2025 GMT
        Subject: C = IN, ST = KA, L = BLR, O = Oracle, OU = CGBU, CN = a.company.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c9:1b:35:bf:21:e6:1f:69:9e:78:25:07:4b:6e:
                    XXXXXXXXX
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Alternative Name:
                IP Address:10.10.10.20, IP Address:10.10.10.21, DNS:y.commpany.com, DNS:z.commpany.com, URI:urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6
            X509v3 Subject Key Identifier:
                2B:0D:XXXXXXXXXXXX
            X509v3 Authority Key Identifier:
                20:03:XXXXXXXXXXX
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        XXXXXXXXXXXXXXXXXXXXXXX
Create NF Certificate (DER encoding):
The following screenshots provide a sample configuration for creating DER encoded NF Certificate using CNC Console GUI.
- Certificate metadata
Figure -24 Certificate Metadata
- Private Key Options
Figure -25 Private Key Options
- Public Key Certificate Options
Figure -26 Public Key Certificate Options
- Subject
Figure -27 Subject
- Subject Alternate names
Figure -28 Subject Alternate names
- Optional Certificate chain output and CA bundle input fields
Figure -29 Optional Certificate chain output and CA bundle input fields
Check Grafana dashboard
Figure -30 End Entity (NF) Sample Grafana Dashboard

The screenshot shows that NRF-TLS Certificate is created successfully. The left panel indicates its expiry time and the right panel shows that it is ready to be consumed.
Verify Kubernetes secret
After the certificate request is submitted, verify that the Kubernetes secret specified under private key output and certificate output location has been created.
Run the following command to get the content of the Kubernetes secret:
kubectl get secret <k8s-secret-name> -n <namespace> -o yaml
For example:
$ kubectl get secret nrf-tls-secret -n ns1 -o yaml
apiVersion: v1
data:
  nrf.cer: MIIDrTCCApWgAwIBXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  nrfkey.der: MIIEogIBAAKXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
kind: Secret
metadata:
  creationTimestamp: "2024-12-10T07:31:21Z"
  name: nrf-tls-secret
  namespace: ns1
  resourceVersion: "346496359"
  uid: 2dbdb2d7-313d-45d9-a634-642d14f01fa5
type: Opaque
To view the certificate details, decode the certificate entry of the secret and pass it to the openssl x509 command with the DER input format:
kubectl get secret <k8s-secret-name> -n <namespace> -o=go-template='{{index .data "<certificate-output-K8s-secret-key>"}}' | base64 -d | openssl x509 -text -noout -inform DER
For example:
$ kubectl get secret nrf-tls-secret -n ns1 -o=go-template='{{index .data "nrf.cer"}}' | base64 -d | openssl x509 -text -noout -inform DER
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3c:47:05:d7:ee:4c:ce:bb:8f:26:07:c2:a1:9b:92:2c:87:e1:7c:3f
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = x.company.com
        Validity
            Not Before: Dec 10 07:31:22 2024 GMT
            Not After : Dec 10 07:31:21 2025 GMT
        Subject: C = IN, ST = KA, L = BLR, O = Oracle, OU = CGBU, CN = a.company.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:ba:95:23:61:2f:31:55:e3:06:7b:b6:b7:67:cd:
                    XXXXXXX
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Alternative Name: critical
                IP Address:10.10.10.20, IP Address:10.10.10.21, DNS:y.company.com, DNS:z.company.com
            X509v3 Authority Key Identifier:
                keyid:FB:4A:01:07:D4:8D:BB:0B:E4:50:72:75:10:8E:81:57:33:66:0D:3E
            X509v3 Subject Key Identifier:
                A3:82:F6:67:94:35:37:A6:0B:4B:03:9C:0D:B9:A8:72:8D:59:73:85
    Signature Algorithm: sha256WithRSAEncryption
         0a:c2:81:ec:89:91:b4:aa:24:22:33:54:e1:92:db:07:cf:6f:
         XXXXXXXX
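The PEM and DER checks above differ only in the -inform value passed to openssl. The following added example (not part of the OCCM documentation; the function names classify_entry and show_secret_cert are hypothetical) detects the encoding of a secret entry from its first decoded bytes, handles a missing key, and declines to print private key entries:

```shell
#!/bin/sh
# Added example, not from the OCCM guide. Function names are hypothetical.

# classify_entry <base64-value>
# prints: pem-cert | pem-key | der-cert | der-key | missing | unknown
classify_entry() {
  b64=$1
  # kubectl's go-template prints "<no value>" when the requested key is absent.
  if [ -z "$b64" ] || [ "$b64" = "<no value>" ]; then echo missing; return; fi
  hex=$(printf '%s' "$b64" | base64 -d 2>/dev/null | head -c 32 | od -An -tx1 | tr -d ' \n')
  case $hex in
    2d2d2d2d2d424547494e20*)   # ASCII "-----BEGIN ", i.e. PEM armor
      case $(printf '%s' "$b64" | base64 -d 2>/dev/null | head -n 1) in
        *"PRIVATE KEY-----"*) echo pem-key ;;
        *"CERTIFICATE-----"*) echo pem-cert ;;
        *) echo unknown ;;
      esac ;;
    30??*)                     # ASN.1 SEQUENCE tag, i.e. raw DER
      lb=$(printf '%s' "$hex" | cut -c3-4)
      n=0
      # Long-form length: low 7 bits give the number of length bytes that follow.
      if [ $((0x$lb)) -ge 128 ]; then n=$((0x$lb - 128)); fi
      off=$(( (2 + n) * 2 + 1 ))
      # First inner tag: SEQUENCE (30) for a certificate, INTEGER (02) for a key.
      case $(printf '%s' "$hex" | cut -c"$off"-"$((off + 1))") in
        30) echo der-cert ;;
        02) echo der-key ;;
        *) echo unknown ;;
      esac ;;
    *) echo unknown ;;
  esac
}

# show_secret_cert <secret> <namespace> <data-key>
show_secret_cert() {
  val=$(kubectl get secret "$1" -n "$2" -o=go-template="{{index .data \"$3\"}}") || return 1
  kind=$(classify_entry "$val")
  case $kind in
    pem-cert) inform=PEM ;;
    der-cert) inform=DER ;;
    pem-key|der-key) echo "$3 holds a private key; not printing it" >&2; return 2 ;;
    *) echo "$3 is $kind; nothing to inspect" >&2; return 3 ;;
  esac
  printf '%s' "$val" | base64 -d | openssl x509 -text -noout -inform "$inform"
}
```

With the sample secret above, `show_secret_cert nrf-tls-secret ns1 nrf.cer` selects -inform DER, while the same call for nrfkey.der stops before any key material is decoded to the terminal.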
A.1.2 Recreating Certificates - Sample Configuration
This section describes the sequence of steps to be performed to recreate certificates when OCCM or NF certificate configuration has been accepted.
- Log in to CNC Console using your login credentials and select the OCCM Instance.
- Click OCCM from the left pane and then click Certificate.
- Click Edit under Actions for the certificate you want to recreate.
Figure -31 Certificate Page
Figure -32 Recreate Certificate Page
- On the Recreate Certificate page, click Save to trigger the recreate request.
Figure -33 Click Save
- When the recreate certificate request has been submitted, verify if the Kubernetes secret specified under private key output and certificate output has been recreated. Run the following command to verify the Kubernetes secret:
kubectl get secret <k8s-secret-name> -n <namespace> -o yaml
A sample response is as follows:
data:
  nrf.cer: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQ4ekNDQWx1Z0F3SUJBZ0lVSlgvNlBsVXFhaEJaYUVOcm.....
  nrfkey.pem: MHcCAQEEIHtK36V377+977+9akke77+9Xe+/ve+/vQMcHe+/vRXvv73vv70n77+9VO+/vVPvv73vv70RcE4577+9CgYIKu+/v.....
kind: Secret
metadata:
  creationTimestamp: "2024-05-03T11:05:08Z"
  name: nrf-tls-secret03052402
  namespace: ns1
  resourceVersion: "219805879"
  uid: 7e0d4bbf-291f-4fd2-a3d6-d42b8eff1994
type: Opaque
- Check the Grafana dashboard to view the recreated certificate.