5.1.9 Generating Server Certificates and Trusted Certificates

OAA uses SSL for communication. For production environments it is recommended to use a commercially available certificate, traceable to a trusted Certificate Authority. For OAA sandbox environments, the OAA installation can generate self-signed certificates which have a validity period of 6 months.

If you want to use self-signed certificates you can skip this section.

If you want to use a commercial certificate then follow:

• Using a Third Party CA for Generating Certificates

Note:

Administrators should be aware that certificates have expiry dates. The expiry date of commercial certificates vary, and self-signed certificates expire after 6 months. It is recommend to renew the certificates about one month before expiry. For more information, see Certificate Management and Expiry.

5.1.9.1 Using a Third Party CA for Generating Certificates

The following steps show how to use a third party Certificate Authority (CA) for generating your certificates:

1. On the <INSTALL_HOST> create an oaassl directory in <WORKDIR> and navigate to the folder, for example:

   mkdir /workdir/oaassl
   cd /workdir/oaassl
   

2. Generate a 4096 bit private key (oaa.key) for the server certificate:

   openssl genrsa -out oaa.key 4096

3. Create a Certificate Signing Request (oaa.csr):

   openssl req -new -key oaa.key -out oaa.csr

   When prompted enter details to create your Certificate Signing Request (CSR). For example:

   You are about to be asked to enter information that will be incorporated
   into your certificate request.
   What you are about to enter is what is called a Distinguished Name or a DN.
   There are quite a few fields but you can leave some blank
   For some fields there will be a default value,
   If you enter '.', the field will be left blank.
   -----
   Country Name (2 letter code) [XX]:US
   State or Province Name (full name) []:California
   Locality Name (eg, city) [Default City]:Redwood City
   Organization Name (eg, company) [Default Company Ltd]:Example Company
   Organizational Unit Name (eg, section) []:Security
   Common Name (eg, your name or your server's hostname) []:oaa.example.com
   Email Address []:
   
   Please enter the following 'extra' attributes
   to be sent with your certificate request
   A challenge password []:
   An optional company name []:

4. Send the CSR (oaa.csr) to the third party CA.
5. Once you receive the certificate from the CA, rename the file to oaa.pem and copy it to the <WORKDIR>/oaa_ssl directory.

   Note:

   The certificate oaa.pem needs to be in PEM format. If not in PEM format convert it to PEM using openssl. For example, to convert from DER format to PEM:

   openssl x509 -inform der -in oaa.der -out oaa.pem

6. Copy the Trusted Root CA certificate (rootca.pem), and any other CA certificates in the chain (rootca1.pem, rootca2.pem, etc) that signed the oaa.pem to the <WORKDIR>/oaa_ssl directory. As per above, the CA certificates must be in PEM format, so convert if necessary.
7. If your CA has multiple certificates in a chain, create a bundle.pem that contains all the CA certificates:

   cat rootca.pem rootca1.pem rootca2.pem >>bundle.pem

8. Create a Trusted Certificate PKCS12 file (trust.p12) from the CA file(s). If your CA does not have a certificate chain, replace bundle.pem with rootca.pem:

   openssl pkcs12 -export -out trust.p12 -nokeys -in bundle.pem

   When prompted enter and verify the Export Password.

   Note:

   Setting an export password is mandatory.
9. Create a Server Certificate PKCS12 file (cert.p12). If your CA does not have a certificate chain, replace bundle.pem with rootca.pem in the following command :

   openssl pkcs12 -export -out cert.p12 -inkey oaa.key -in oaa.pem -chain -CAfile bundle.pem

   When prompted enter and verify the Export Password.

   Note:

   Setting an export password is mandatory.
10. Copy the cert.p12 and trust.p12 to the <WORKDIR>, for example:

    cp /workdir/oaassl/*.p12 /workdir/

Note:

In releases prior to December 24 you also had to import the OAM certificates to the trust.p12. From December 24 onwards, this action is no longer required as the installation will download the correct certificates from OAM and import them for you.

5.1.9.2 Configuration Checkpoint

1. Before proceeding make sure you have the following information:

   Note:

   If you intend to use self-signed certificates created by the installation, you can ignore this section.

   Variable	Your Value	Sample Value	Description
   <USER_CERT_P12>		/workdir/cert.p12	The location of the <WORKDIR>/cert.p12 on the <INSTALL_HOST>. This is only required if you generated third party certificates.
   <USER_CERT_P12_PWD>		password	The password for the cert.p12. This is only required if you generated third party certificates.
   <TRUST_CERT_P12>		/workdir/trust.p12	The location of the <WORKDIR>/trust.p12 on the <INSTALL_HOST>. This is only required if you generated third party certificates.
   <TRUST_CERT_P12_PWD>		password	The password for the trust.p12. This is only required if you generated third party certificates.