Create RootCA and Server Certificates

Various client and server certificates may be required for a deployment. To create a trusted root CA and Server certificate for a host deployment, use the commands described in the following sections.

The commands used to generate these certificates are OpenSSL commands.

In the following example, the deployment is done on the host west01 in the domain dc1.example.com, so its fully qualified domain name is west01.dc1.example.com. If you create multiple Oracle GoldenGate instances on different servers, replace server01 with your own hostname and replace the domain name accordingly.

Create Trusted RootCA Certificates

Generate a Trusted RootCA Certificate using the following commands:

openssl req -subj "/CN=RootCA"     \
            -newkey rsa:2048       \
            -nodes                 \
            -keyout rootCA_key.pem \
            -new -x509 -days 365   \
            -out rootCA_cert.pem

This command creates two files: the root certificate rootCA_cert.pem and its private key rootCA_key.pem. Both files are stored in the Privacy Enhanced Mail (PEM) format; the private key is written in the Public-Key Cryptography Standards (PKCS) #8 format. The root certificate rootCA_cert.pem is used within a secure Oracle GoldenGate deployment to sign the server certificate. You can also add a distribution client (distclient) certificate to the deployment; the same root certificate is used again for that.

Create Server Certificates

With the rootCA certificate and private key, you can create the server certificate. Use a configuration file similar to the following for west01_cert.cnf:

extendedKeyUsage = serverAuth
subjectAltName = DNS:west01,DNS:west01.dc1.example.com,DNS:localhost,IP:127.0.0.1

After creating the configuration file for the server certificate, use the following commands to create the server certificate and the private key files:
subject="/C=US/O=OGG example/CN=west01"

openssl req -subj "${subject}"     \
        -newkey rsa:2048 -nodes    \
        -keyout west01_key.pem     \
        -new                       \
        -out west01.csr

openssl x509 -CAcreateserial       \
        -CA    rootCA_cert.pem     \
        -CAkey rootCA_key.pem      \
        -req                       \
        -in west01.csr             \
        -extfile west01_cert.cnf   \
        -days 365                  \
        -out west01_cert.pem

Both files are stored in the Privacy Enhanced Mail (PEM) format, and the private key is created in a Public-Key Cryptography Standards (PKCS) #12 format. The server certificate and server private key are used within the Oracle GoldenGate deployment. The Common Name (CN) within the subject uses the hostname west01 to uniquely identify the server.
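The following script is an added example, not part of the Oracle documentation: it runs the two steps above end to end in a temporary directory and then performs the checks a deployment should pass before the files are installed: the server certificate chains to rootCA_cert.pem, the SubjectAltName carries the FQDN that clients will connect with, the extension file actually produced a serverAuth certificate, and the private key matches the certificate. It assumes openssl is on the PATH and uses the same hostnames as the page.

```shell
#!/bin/sh
# Added example (not Oracle's code): build RootCA + west01 server certificate
# exactly as on the page, then verify chain, SAN, EKU and key/cert match.
set -eu

create_and_verify_certs() {
    d=$(mktemp -d)

    # Step 1: self-signed root CA (same options as the documentation).
    openssl req -subj "/CN=RootCA" -newkey rsa:2048 -nodes \
        -keyout "$d/rootCA_key.pem" -new -x509 -days 365 \
        -out "$d/rootCA_cert.pem" 2>/dev/null

    # Step 2: extension file, CSR, and CA-signed server certificate.
    printf '%s\n' 'extendedKeyUsage = serverAuth' \
        'subjectAltName = DNS:west01,DNS:west01.dc1.example.com,DNS:localhost,IP:127.0.0.1' \
        > "$d/west01_cert.cnf"
    openssl req -subj "/C=US/O=OGG example/CN=west01" -newkey rsa:2048 -nodes \
        -keyout "$d/west01_key.pem" -new -out "$d/west01.csr" 2>/dev/null
    openssl x509 -CAcreateserial -CA "$d/rootCA_cert.pem" -CAkey "$d/rootCA_key.pem" \
        -req -in "$d/west01.csr" -extfile "$d/west01_cert.cnf" -days 365 \
        -out "$d/west01_cert.pem" 2>/dev/null

    # Check 1: the server certificate must chain to the root CA.
    openssl verify -CAfile "$d/rootCA_cert.pem" "$d/west01_cert.pem" >/dev/null

    # Check 2: the FQDN clients connect with must be present in the SAN,
    # and the extension file must have produced a serverAuth certificate.
    text=$(openssl x509 -in "$d/west01_cert.pem" -noout -text)
    case "$text" in
        *"DNS:west01.dc1.example.com"*) ;;
        *) echo "SAN is missing the FQDN" >&2; return 1 ;;
    esac
    case "$text" in
        *"TLS Web Server Authentication"*) ;;
        *) echo "extendedKeyUsage serverAuth not set" >&2; return 1 ;;
    esac

    # Check 3: the server private key must correspond to the certificate.
    cert_pub=$(openssl x509 -in "$d/west01_cert.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$d/west01_key.pem" -pubout)
    [ "$cert_pub" = "$key_pub" ] || { echo "key/cert mismatch" >&2; return 1; }

    # Success: print the directory holding the generated files.
    echo "$d"
}
```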