Create the Distribution Client and External RootCA Certificates
This part of the quickstart is a prerequisite to the section Connect the Two Deployments Using the Distribution Path.
Create the Distribution Path Client Certificate
The distribution path client certificate is an additional certificate required when an external trusted root CA certificate (rootCA_extern) is used to authenticate the connection between the Distribution Path on the source deployment (west) and the target deployment (east), which trusts rootCA_extern. Creating the distribution path client (dist_client) certificate is therefore a prerequisite. The other certificates that secure the source and target deployments must already be in place.
Follow these steps to create the configuration files and certificates for the source and target deployments.
- Create the rootCA_extern certificate:
  - Use a configuration file similar to the following for rootCA_extern, saved as rootCA_extern.cfg:

    [ req ]
    default_bits = 4096
    default_md = sha512
    prompt = no
    encrypt_key = no
    distinguished_name = req_distinguished_name
    req_extensions = v3_req
    x509_extensions = v3_ca
    # x509_extensions is listed twice; every referenced section sets CA:TRUE, so the result is the same
    x509_extensions = usr_cert
    [ req_distinguished_name ]
    commonName = "rootCA_extern"
    [ v3_req ]
    basicConstraints=CA:TRUE
    [ v3_ca ]
    basicConstraints=CA:TRUE
    [ usr_cert ]
    basicConstraints=CA:TRUE
    [ my_extensions ]
  - Use the following command to create the rootCA_extern certificate:

    # rootCA certificate
    openssl req -x509 -newkey rsa:4096 -nodes \
      -keyout rootCA_extern.key \
      -out rootCA_extern.cert -days 73000 \
      -config rootCA_extern.cfg
- Create an external Distribution Path Client (dist_client) certificate:
  - Create a client_west_to_east.cfg configuration file similar to the following:

    [ req ]
    default_bits = 4096
    default_md = sha512
    prompt = no
    encrypt_key = no
    distinguished_name = req_distinguished_name
    [ req_distinguished_name ]
    commonName = "client-west-to-east"
    [ my_extensions ]
  - Create the private key and certificate signing request (CSR) for the client_west_to_east distribution client:

    openssl req -new -newkey rsa:2048 -nodes \
      -keyout client_west_to_east.key \
      -out client_west_to_east.csr \
      -config client_west_to_east.cfg
  - Sign the CSR with rootCA_extern to produce the client_west_to_east certificate. This certificate is verified against the rootCA_extern certificate when the source distribution client (dist_client) connects to the target deployment (east):

    openssl x509 -req -days 73000 \
      -in client_west_to_east.csr \
      -CA rootCA_extern.cert \
      -CAkey rootCA_extern.key \
      -CAcreateserial \
      -out client_west_to_east.cert
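The following script is an added example, not part of the quickstart: it runs the steps above in a scratch directory and then performs the chain check that the target (east) deployment relies on, plus a negative control showing that a certificate signed by an unrelated CA is rejected. It assumes an openssl binary on PATH, uses trimmed versions of the two configuration files, and drops the RSA key size to 2048 so it runs quickly; file names are the ones the page uses.

```shell
# Added example (not from the quickstart): rebuild rootCA_extern and the
# client_west_to_east certificate, then check that the client certificate
# really chains to rootCA_extern, which is what east verifies on connect.
# Assumes openssl on PATH; key size reduced to 2048 for speed.
build_and_verify_dist_client() {
  work=$(mktemp -d) && cd "$work" || return 1
  # Trimmed rootCA_extern.cfg: one section with CA:TRUE is all that is needed
  cat > rootCA_extern.cfg <<'EOF'
[ req ]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
[ req_distinguished_name ]
commonName = "rootCA_extern"
[ v3_ca ]
basicConstraints = CA:TRUE
EOF
  cat > client_west_to_east.cfg <<'EOF'
[ req ]
prompt = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
commonName = "client-west-to-east"
EOF
  # 1. self-signed external root CA
  openssl req -x509 -newkey rsa:2048 -nodes -keyout rootCA_extern.key \
    -out rootCA_extern.cert -days 73000 -config rootCA_extern.cfg 2>/dev/null || return 1
  # 2. client key and CSR, 3. CSR signed by rootCA_extern
  openssl req -new -newkey rsa:2048 -nodes -keyout client_west_to_east.key \
    -out client_west_to_east.csr -config client_west_to_east.cfg 2>/dev/null || return 1
  openssl x509 -req -days 73000 -in client_west_to_east.csr -CA rootCA_extern.cert \
    -CAkey rootCA_extern.key -CAcreateserial -out client_west_to_east.cert 2>/dev/null || return 1
  # The check east performs: the client certificate must chain to rootCA_extern
  openssl verify -CAfile rootCA_extern.cert client_west_to_east.cert >/dev/null 2>&1 || return 1
  openssl x509 -noout -issuer -in client_west_to_east.cert | grep -q rootCA_extern || return 1
  # Negative control: an unrelated CA (constructed here) must NOT accept the client cert
  openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.cert -days 1 \
    -config client_west_to_east.cfg -subj /CN=otherCA 2>/dev/null || return 1
  if openssl verify -CAfile other.cert client_west_to_east.cert >/dev/null 2>&1; then return 1; fi
  echo "certificates written to $work"
}
```

Run `build_and_verify_dist_client` and inspect the scratch directory it prints; a non-zero return means one of the generation or verification steps failed.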