4.2.8.2 Generating Self-Signed Certificates

The following steps show how to generate your own self-signed certificates:

  1. Create a Trusted Certificate PKCS12 file (trust.p12) as follows:
    1. On the node from which the Management container installation will be run, create a working directory and change into it, for example:
      mkdir <workdir>/oaa_ssl
      export WORKDIR=<workdir>
      cd $WORKDIR/oaa_ssl
    2. Generate a 4096-bit private key for the root Certificate Authority (CA):
      openssl genrsa -out ca.key 4096
    3. Create a self-signed root CA certificate (ca.crt):
      openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
      When prompted, enter the details to create your CA. For example:
      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      -----
      Country Name (2 letter code) [XX]:US
      State or Province Name (full name) []:California
      Locality Name (eg, city) [Default City]:Redwood City
      Organization Name (eg, company) [Default Company Ltd]:Example Company
      Organizational Unit Name (eg, section) []:Security
      Common Name (eg, your name or your server's hostname) []:OAA Certificate Authority
      Email Address []:
    4. Generate a PKCS12 file for the CA certificate:
      openssl pkcs12 -export -out trust.p12 -nokeys -in ca.crt
      When prompted, enter and verify the Export Password.
      Note: Setting an export password is mandatory.
  2. Create a Server Certificate PKCS12 file (cert.p12) as follows:
    1. Generate a 4096-bit private key (oaa.key) for the server certificate:
      openssl genrsa -out oaa.key 4096
    2. Create a Certificate Signing Request (cert.csr):
      openssl req -new -key oaa.key -out cert.csr
      When prompted, enter the details to create your Certificate Signing Request (CSR). For example:
      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      -----
      Country Name (2 letter code) [XX]:US
      State or Province Name (full name) []:California
      Locality Name (eg, city) [Default City]:Redwood City
      Organization Name (eg, company) [Default Company Ltd]:Example Company
      Organizational Unit Name (eg, section) []:Security
      Common Name (eg, your name or your server's hostname) []:oaa.example.com
      Email Address []:
      
      Please enter the following 'extra' attributes
      to be sent with your certificate request
      A challenge password []:
      An optional company name []:
    3. Generate a certificate from the CSR using the CA created earlier:
      openssl x509 -req -days 1826 -in cert.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out oaa.crt
    4. Generate a PKCS12 file (cert.p12) from the private key and server certificate:
      openssl pkcs12 -export -out cert.p12 -inkey oaa.key -in oaa.crt -chain -CAfile ca.crt
      When prompted, enter and verify the Export Password.
      Note: Setting an export password is mandatory.
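The same CA, CSR, signed server certificate and PKCS12 flow as an added, scripted example (not from the OAA documentation): it runs without prompts so it can be repeated, adds a subjectAltName for the server certificate, and ends with a check that the result actually chains to the CA. The hostname oaa.example.com, the export password and the subject fields are placeholders to replace.

```shell
#!/bin/sh
# Added example, not taken from the OAA documentation: the same CA -> CSR -> signed
# server certificate -> PKCS12 flow run non-interactively (no prompts), plus a check
# that the result chains correctly. The hostname and export password are placeholders.
set -eu

OAA_HOST="${OAA_HOST:-oaa.example.com}"   # assumed server name, used as CN and SAN
EXPORT_PASS="${EXPORT_PASS:-changeit}"    # placeholder: PKCS12 export password (mandatory)
SUBJ_BASE="/C=US/ST=California/L=Redwood City/O=Example Company/OU=Security"

# Create ca.key, ca.crt, trust.p12, oaa.key, cert.csr, oaa.crt and cert.p12 in $1.
make_oaa_certs() (
  mkdir -p "$1" && cd "$1"

  # Root CA: 4096-bit key and a 10-year self-signed certificate (CA:TRUE comes from
  # the default openssl.cnf v3_ca section, as in the interactive procedure).
  openssl genrsa -out ca.key 4096 2>/dev/null
  openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \
    -subj "$SUBJ_BASE/CN=OAA Certificate Authority"
  openssl pkcs12 -export -out trust.p12 -nokeys -in ca.crt -passout "pass:$EXPORT_PASS"

  # Server key and CSR, then sign with the CA. A subjectAltName is added at signing
  # time because TLS clients match the hostname against the SAN, not the CN.
  openssl genrsa -out oaa.key 4096 2>/dev/null
  openssl req -new -key oaa.key -out cert.csr -subj "$SUBJ_BASE/CN=$OAA_HOST"
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
    "$OAA_HOST" > server.ext
  # -CAcreateserial keeps serials unique across re-issues instead of a fixed 01.
  openssl x509 -req -days 1826 -in cert.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -extfile server.ext -out oaa.crt 2>/dev/null

  # Keystore: server key + certificate + the CA chain, under the same export password.
  openssl pkcs12 -export -out cert.p12 -inkey oaa.key -in oaa.crt -chain -CAfile ca.crt \
    -passout "pass:$EXPORT_PASS"
)

# Verify that oaa.crt chains to ca.crt, carries the expected SAN, and that cert.p12
# opens with the export password. Prints "ok" and returns 0 on success.
verify_oaa_certs() {
  openssl verify -CAfile "$1/ca.crt" "$1/oaa.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1/oaa.crt" -noout -text | grep -q "DNS:$OAA_HOST" || return 1
  openssl pkcs12 -in "$1/cert.p12" -passin "pass:$EXPORT_PASS" -noout 2>/dev/null || return 1
  echo ok
}
```

Run it as `make_oaa_certs "$WORKDIR/oaa_ssl" && verify_oaa_certs "$WORKDIR/oaa_ssl"`; the resulting cert.p12 and trust.p12 are the files referenced by the installOAA.properties parameters described under Additional Information.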

Additional Information

The files and passwords generated above are used later in the installOAA.properties file. For example:
  • common.deployment.sslcert=cert.p12
  • common.deployment.trustcert=trust.p12
  • common.deployment.keystorepassphrase=<password> where <password> is the password for the cert.p12
  • common.deployment.truststorepassphrase=<password> where <password> is the password for the trust.p12
  • common.local.sslcert=<PATH_TO>/cert.p12
  • common.local.trustcert=<PATH_TO>/trust.p12

For more information on these parameters, see Preparing the Properties file for Installation.