4.2.8.1 Using a Third Party CA for Generating Certificates

The following steps show how to use a third party Certificate Authority (CA) for generating your certificates:

  1. On the node where you will run the management container installation, create a directory and navigate to that folder, for example:
    mkdir <workdir>/oaa_ssl
    export WORKDIR=<workdir>
    cd $WORKDIR/oaa_ssl
  2. Generate a 4096-bit RSA private key (oaa.key) for the server certificate:
    openssl genrsa -out oaa.key 4096
  3. Create a Certificate Signing Request (oaa.csr):
    openssl req -new -key oaa.key -out oaa.csr
    When prompted, enter the details for your Certificate Signing Request (CSR). Note that the interactive prompt only sets the Common Name; TLS clients that validate the server hostname expect a subjectAltName extension as well, so unless your CA adds one for you, include it in the request through a config file (req_extensions) or, with OpenSSL 1.1.1 or later, the -addext option. For example:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:US
    State or Province Name (full name) []:California
    Locality Name (eg, city) [Default City]:Redwood City
    Organization Name (eg, company) [Default Company Ltd]:Example Company
    Organizational Unit Name (eg, section) []:Security
    Common Name (eg, your name or your server's hostname) []:oaa.example.com
    Email Address []:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
  4. Send the CSR (oaa.csr) to the third party CA.
  5. Once you receive the certificate from the CA, rename the file to oaa.pem and copy it to the $WORKDIR/oaa_ssl directory.

    Note:

    The certificate oaa.pem needs to be in PEM format. If it is not, convert it to PEM using openssl. For example, to convert from DER format to PEM:
    openssl x509 -inform der -in oaa.der -out oaa.pem
  6. Copy the Trusted Root CA certificate (rootca.pem), and any other CA certificates in the chain (rootca1.pem, rootca2.pem, etc.) that signed oaa.pem, to the $WORKDIR/oaa_ssl directory. As above, the CA certificates must be in PEM format, so convert them if necessary.
  7. If your CA has multiple certificates in a chain, create a bundle.pem that contains all the CA certificates (use > rather than >> so that re-running the step does not append duplicate certificates to an existing bundle):
    cat rootca.pem rootca1.pem rootca2.pem > bundle.pem
  8. Create a Trusted Certificate PKCS12 file (trust.p12) from the files as follows:
    openssl pkcs12 -export -out trust.p12 -nokeys -in bundle.pem
    When prompted enter and verify the Export Password.

    Note:

    Administrators should be aware of the following:
    • Setting an export password is mandatory.
    • If your CA does not have a certificate chain replace bundle.pem with rootca.pem.
  9. Create a Server Certificate PKCS12 file (cert.p12) as follows:
    openssl pkcs12 -export -out cert.p12 -inkey oaa.key -in oaa.pem -chain -CAfile bundle.pem
    When prompted enter and verify the Export Password.

    Note:

    Administrators should be aware of the following:
    • Setting an export password is mandatory.
    • If your CA does not have a certificate chain replace bundle.pem with rootca.pem.
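The following script runs steps 1 to 9 end to end and then checks the result before the files go into installOAA.properties. It is an added example, not part of the Oracle documentation or the OAA installer: the third-party CA is replaced by a stand-in root and issuing CA generated locally (an assumption, so the chain handling can be exercised offline), the CSR is produced non-interactively from a config file so that it carries a subjectAltName, and the hostname, export password, config file names (ca.cnf, oaa.cnf) and validity periods are assumed values. In production you keep only the oaa.key/oaa.csr, bundle, trust.p12 and cert.p12 steps and send oaa.csr to your real CA.

```shell
#!/bin/sh
# Added example (not from the Oracle OAA docs): steps 1-9 against a stand-in CA,
# followed by the checks worth running before using cert.p12 and trust.p12.
set -eu

# Stand-in for the third-party CA (assumption): root -> issuing CA, so bundle.pem
# and -chain are exercised. rootca.pem/rootca1.pem are what a real CA would return.
make_stand_in_ca() {
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
C  = US
O  = Example Company
CN = Example Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out rootca.key 2048 2>/dev/null
  openssl req -x509 -new -key rootca.key -days 3650 -sha256 \
    -config ca.cnf -extensions v3_ca -out rootca.pem
  openssl genrsa -out rootca1.key 2048 2>/dev/null
  openssl req -new -key rootca1.key -config ca.cnf \
    -subj "/C=US/O=Example Company/CN=Example Issuing CA" -out rootca1.csr
  openssl x509 -req -in rootca1.csr -CA rootca.pem -CAkey rootca.key \
    -CAcreateserial -days 1825 -sha256 -extfile ca.cnf -extensions v3_ca \
    -out rootca1.pem 2>/dev/null
}

# Steps 1-9. $1 = WORKDIR, $2 = server hostname, $3 = export password (mandatory).
# Runs in a subshell so the cd does not leak into the caller.
build_oaa_ssl() (
  workdir=$1 host=$2 pass=$3
  mkdir -p "$workdir/oaa_ssl" && cd "$workdir/oaa_ssl"             # step 1
  make_stand_in_ca
  openssl genrsa -out oaa.key 4096 2>/dev/null                       # step 2
  # Step 3, non-interactively: the DN from the page plus a subjectAltName, which
  # hostname-validating clients require and the interactive prompt never asks for.
  cat > oaa.cnf <<EOF
[ req ]
distinguished_name = dn
prompt = no
req_extensions = server_ext
[ dn ]
C  = US
ST = California
L  = Redwood City
O  = Example Company
OU = Security
CN = $host
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
  openssl req -new -key oaa.key -config oaa.cnf -out oaa.csr
  # Steps 4-5: the (stand-in) CA signs the CSR and returns oaa.pem in PEM format.
  openssl x509 -req -in oaa.csr -CA rootca1.pem -CAkey rootca1.key \
    -CAcreateserial -days 398 -sha256 -extfile oaa.cnf -extensions server_ext \
    -out oaa.pem 2>/dev/null
  cat rootca.pem rootca1.pem > bundle.pem                            # steps 6-7
  openssl pkcs12 -export -out trust.p12 -nokeys -in bundle.pem \
    -passout "pass:$pass"                                            # step 8
  openssl pkcs12 -export -out cert.p12 -inkey oaa.key -in oaa.pem \
    -chain -CAfile bundle.pem -passout "pass:$pass"                  # step 9
)

# Number of certificates in a PKCS12 file: cert.p12 should hold the server
# certificate plus the whole chain, trust.p12 only the CA certificates.
count_certs_in_p12() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Sanity checks: chain validates against the bundle, SAN is present, the key in
# cert.p12 matches the certificate, and both .p12 files contain what they should.
verify_oaa_ssl() {
  d=$1/oaa_ssl host=$2 pass=$3
  openssl verify -CAfile "$d/bundle.pem" "$d/oaa.pem" >/dev/null
  openssl x509 -in "$d/oaa.pem" -noout -text | grep -q "DNS:$host"
  [ "$(openssl pkey -in "$d/oaa.key" -pubout | openssl sha256)" = \
    "$(openssl x509 -in "$d/oaa.pem" -noout -pubkey | openssl sha256)" ]
  [ "$(count_certs_in_p12 "$d/cert.p12" "$pass")" -eq 3 ] &&
  [ "$(count_certs_in_p12 "$d/trust.p12" "$pass")" -eq 2 ]
}

WORKDIR=${WORKDIR:-$(mktemp -d)}          # assumption: scratch dir when unset
OAA_HOST=${OAA_HOST:-oaa.example.com}     # assumption: the server hostname
OAA_P12_PASS=${OAA_P12_PASS:-changeit}    # assumption: demo export password
build_oaa_ssl "$WORKDIR" "$OAA_HOST" "$OAA_P12_PASS"
verify_oaa_ssl "$WORKDIR" "$OAA_HOST" "$OAA_P12_PASS"
echo "cert.p12 and trust.p12 ready in $WORKDIR/oaa_ssl"
```

Run it with WORKDIR, OAA_HOST and OAA_P12_PASS set to your own values; the password you pass becomes both common.deployment.keystorepassphrase and common.deployment.truststorepassphrase. The count check is the one most often worth keeping: if the CA's chain was not in bundle.pem when cert.p12 was built, openssl pkcs12 -export -chain fails outright, but a trust.p12 built from an incomplete bundle silently leaves OAA unable to validate the server certificate.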

Additional Information

The files and passwords generated above will be used later in the installOAA.properties. For example:
  • common.deployment.sslcert=cert.p12
  • common.deployment.trustcert=trust.p12
  • common.deployment.keystorepassphrase=<password> where <password> is the password for the cert.p12
  • common.deployment.truststorepassphrase=<password> where <password> is the password for the trust.p12
  • common.local.sslcert=<PATH_TO>/cert.p12
  • common.local.trustcert=<PATH_TO>/trust.p12

For more information on these parameters, see Preparing the Properties file for Installation.