Create the Distribution Client and External RootCA Certificates

This part of the quickstart is a prerequisite to the section Connect the Two Deployments Using the Distribution Path.

Create the Distribution Path Client Certificate

The distribution path client certificate is an additional certificate that is required when an external trusted root CA certificate is used to authenticate the connection from the Distribution Path on the source deployment (west) to the target deployment (east), where trust is anchored in the external trusted root CA certificate (rootCA_extern). Creating the distribution path client (dist_client) certificate is therefore a prerequisite. The other certificates that secure the source and target deployments must already be in place and in use.

Follow these steps to create the configuration files and certificates for the source and target deployments.

  1. Create the rootCA_extern certificate:
    1. Use a configuration file (rootCA_extern.cfg) similar to the following for rootCA_extern:
      [ req ]
      default_bits = 4096
      default_md = sha512
      prompt = no
      encrypt_key = no
      distinguished_name = req_distinguished_name
      req_extensions = v3_req
      # extensions applied to the self-signed certificate created with -x509
      x509_extensions = v3_ca
      [ req_distinguished_name ]
      commonName = "rootCA_extern"
      [ v3_req ]
      basicConstraints=CA:TRUE
      [ v3_ca ]
      basicConstraints=CA:TRUE
    2. Use the following command to create the rootCA_extern certificate:
      # self-signed rootCA certificate; -nodes writes the private key unencrypted,
      # so restrict access to rootCA_extern.key
      openssl req -x509 -newkey rsa:4096 -nodes       \
                  -keyout rootCA_extern.key           \
                  -out rootCA_extern.cert -days 73000 \
                  -config rootCA_extern.cfg
      
  2. Create an external Distribution Path Client (dist_client) certificate:

    1. Create a client_west_to_east.cfg configuration file similar to the following:
      [ req ]
      default_bits = 4096
      default_md = sha512
      prompt = no
      encrypt_key = no
      distinguished_name = req_distinguished_name
      [ req_distinguished_name ]
      commonName = "client-west-to-east"
    2. Create the client_west_to_east key and certificate signing request (CSR), then sign the CSR with rootCA_extern to produce the distribution client certificate.
      # private key and CSR; -newkey rsa:2048 overrides default_bits from the config
      openssl req -new -newkey rsa:2048 -nodes        \
                  -keyout client_west_to_east.key     \
                  -out client_west_to_east.csr        \
                  -config client_west_to_east.cfg

      This certificate is verified against the rootCA_extern certificate when the source distribution client (dist_client) connects to the target deployment (east).

      # sign the CSR with rootCA_extern; -CAcreateserial creates rootCA_extern.srl
      openssl x509 -req -days 73000            \
                   -in client_west_to_east.csr \
                   -CA rootCA_extern.cert      \
                   -CAkey rootCA_extern.key    \
                   -CAcreateserial             \
                   -out client_west_to_east.cert
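The two steps above as one self-checking script, added here as an example and not part of the quickstart or the product. It assumes openssl is on PATH, uses smaller keys and a shorter validity so it runs quickly, and adds a verification function that confirms the client certificate chains to rootCA_extern, is not itself a CA, and matches the private key the Distribution Path will present.

```sh
#!/bin/sh
# Added example (not the quickstart's own code): build rootCA_extern and the
# client_west_to_east certificate in a scratch dir, then verify the result.
# Assumes openssl is on PATH; key size and -days are reduced to run quickly.
set -u
umask 077        # keys are written unencrypted (-nodes): make them owner-only
WORK="$(mktemp -d)"   # constructed scratch directory for this example

make_root_ca() {   # step 1: self-signed rootCA_extern
  cat > "$WORK/rootCA_extern.cfg" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = rootCA_extern
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$WORK/rootCA_extern.cfg" \
      -keyout "$WORK/rootCA_extern.key" -out "$WORK/rootCA_extern.cert" 2>/dev/null
}

make_client_cert() {   # step 2: CSR for client-west-to-east, signed by rootCA_extern
  cat > "$WORK/client_west_to_east.cfg" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
commonName = client-west-to-east
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/client_west_to_east.cfg" \
      -keyout "$WORK/client_west_to_east.key" -out "$WORK/client_west_to_east.csr" 2>/dev/null
  openssl x509 -req -days 3650 -in "$WORK/client_west_to_east.csr" -CAcreateserial \
      -CA "$WORK/rootCA_extern.cert" -CAkey "$WORK/rootCA_extern.key" \
      -out "$WORK/client_west_to_east.cert" 2>/dev/null
}

# Returns 0 only if the client cert chains to rootCA_extern, is not itself a CA
# (a CA:TRUE leaf could mint further client certs), and matches its private key.
verify_client_cert() {
  openssl verify -CAfile "$WORK/rootCA_extern.cert" "$WORK/client_west_to_east.cert" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORK/client_west_to_east.cert" -noout -text | grep -q 'CA:TRUE' && return 1
  pub="$(openssl x509 -in "$WORK/client_west_to_east.cert" -noout -pubkey)"
  [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$WORK/client_west_to_east.key" -pubout)" ]
}
```

Run `make_root_ca; make_client_cert; verify_client_cert && echo ok` in the same shell; a non-zero exit from verify_client_cert means the pair should not be deployed.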