4.2.8.2 Generating Self-Signed Certificates
The following steps show how to generate your own self-signed certificates:
- Create a Trusted Certificate PKCS12 file (trust.p12) as follows:
  - On the node where the Management container installation will be run from, create a directory and navigate to that folder, for example:
    mkdir <workdir>/oaa_ssl
    export WORKDIR=<workdir>
    cd $WORKDIR/oaa_ssl
  - Generate a 4096-bit private key for the root Certificate Authority (CA):
    openssl genrsa -out ca.key 4096
  - Create a self-signed root CA certificate (ca.crt). When prompted, enter the details to create your CA. For example:
    openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:US
    State or Province Name (full name) []:California
    Locality Name (eg, city) [Default City]:Redwood City
    Organization Name (eg, company) [Default Company Ltd]:Example Company
    Organizational Unit Name (eg, section) []:Security
    Common Name (eg, your name or your server's hostname) []:OAA Certificate Authority
    Email Address []:
  - Generate a PKCS12 file for the CA certificate. When prompted, enter and verify the Export Password:
    openssl pkcs12 -export -out trust.p12 -nokeys -in ca.crt
    Note: Setting an export password is mandatory.
- Create a Server Certificate PKCS12 file (cert.p12) as follows:
  - Generate a 4096-bit private key (oaa.key) for the server certificate:
    openssl genrsa -out oaa.key 4096
  - Create a Certificate Signing Request (cert.csr). When prompted, enter details to create your Certificate Signing Request (CSR). For example:
    openssl req -new -key oaa.key -out cert.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:US
    State or Province Name (full name) []:California
    Locality Name (eg, city) [Default City]:Redwood City
    Organization Name (eg, company) [Default Company Ltd]:Example Company
    Organizational Unit Name (eg, section) []:Security
    Common Name (eg, your name or your server's hostname) []:oaa.example.com
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
  - Generate a certificate from the CSR using the CA created earlier:
    openssl x509 -req -days 1826 -in cert.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out oaa.crt
  - Generate a PKCS12 file (cert.p12) from the private key and server certificate. When prompted, enter and verify the Export Password:
    openssl pkcs12 -export -out cert.p12 -inkey oaa.key -in oaa.crt -chain -CAfile ca.crt
    Note: Setting an export password is mandatory.
Additional Information
The files and passwords generated above will be used later in the installOAA.properties file. For example:
common.deployment.sslcert=cert.p12
common.deployment.trustcert=trust.p12
common.deployment.keystorepassphrase=<password>
where <password> is the password for the cert.p12 file
common.deployment.truststorepassphrase=<password>
where <password> is the password for the trust.p12 file
common.local.sslcert=<PATH_TO>/cert.p12
common.local.trustcert=<PATH_TO>/trust.p12
For more information on these parameters, see Preparing the Properties file for Installation.