4.2.8.1 Using a Third Party CA for Generating Certificates
The following steps show how to use a third party Certificate Authority (CA) to generate your certificates:
- On the node where you will run the management container installation, create a working directory and change into it, for example:

  mkdir <workdir>/oaa_ssl
  export WORKDIR=<workdir>
  cd $WORKDIR/oaa_ssl

- Generate a 4096 bit private key (oaa.key) for the server certificate:

  openssl genrsa -out oaa.key 4096

- Create a Certificate Signing Request (oaa.csr). When prompted, enter the details to be included in the CSR; the Common Name must be the hostname that clients will use to reach the server. For example:

  openssl req -new -key oaa.key -out oaa.csr
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [XX]:US
  State or Province Name (full name) []:California
  Locality Name (eg, city) [Default City]:Redwood City
  Organization Name (eg, company) [Default Company Ltd]:Example Company
  Organizational Unit Name (eg, section) []:Security
  Common Name (eg, your name or your server's hostname) []:oaa.example.com
  Email Address []:

  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []:
  An optional company name []:

  Note: Modern TLS clients validate the hostname against the Subject Alternative Name (SAN) extension rather than the Common Name, so make sure the certificate your CA issues carries the server hostname as a DNS SAN as well.

- Send the CSR (oaa.csr) to the third party CA.
- Once you receive the certificate from the CA, rename the file to oaa.pem and copy it to the $WORKDIR/oaa_ssl directory.
  Note: The certificate oaa.pem must be in PEM format. If it is not, convert it to PEM using openssl. For example, to convert from DER format to PEM:

  openssl x509 -inform der -in oaa.der -out oaa.pem
- Copy the Trusted Root CA certificate (rootca.pem), and any other CA certificates in the chain (rootca1.pem, rootca2.pem, etc.) that signed oaa.pem, to the $WORKDIR/oaa_ssl directory. As above, the CA certificates must be in PEM format, so convert them if necessary.
- If your CA has multiple certificates in a chain, create a bundle.pem that contains all the CA certificates:

  cat rootca.pem rootca1.pem rootca2.pem > bundle.pem

  Use > rather than >> so that re-running the command overwrites bundle.pem instead of appending duplicate copies of the CA certificates to it.
- Create a Trusted Certificate PKCS12 file (trust.p12) from the CA certificates as follows. When prompted, enter and verify the Export Password:

  openssl pkcs12 -export -out trust.p12 -nokeys -in bundle.pem

  Note: Administrators should be aware of the following:
  - Setting an export password is mandatory.
  - If your CA does not have a certificate chain, replace bundle.pem with rootca.pem.
- Create a Server Certificate PKCS12 file (cert.p12) as follows. When prompted, enter and verify the Export Password:

  openssl pkcs12 -export -out cert.p12 -inkey oaa.key -in oaa.pem -chain -CAfile bundle.pem

  Note: Administrators should be aware of the following:
  - Setting an export password is mandatory.
  - If your CA does not have a certificate chain, replace bundle.pem with rootca.pem.
  - The -chain option makes openssl build and verify the complete chain from oaa.pem up to a root contained in the file given to -CAfile, and stores that chain in cert.p12 alongside the server certificate. If a CA certificate is missing from bundle.pem, the command fails with a chain-building error rather than producing a keystore with an incomplete chain, so fix the bundle instead of dropping -chain.
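The procedure above, run end to end as an added example that is not part of the OAA documentation or of the product. Because a real third party CA cannot be called offline, the script generates a throwaway root CA plus one issuing (intermediate) CA locally to stand in for it; the CA names, the intermediate, the hostname oaa.example.com and the export password passed in are all assumptions for the demo. With a real CA you would stop after creating oaa.csr and resume the remaining steps when oaa.pem and the CA certificates come back. The helper functions at the end are the checks worth running on the resulting files before they go into installOAA.properties.

```shell
#!/bin/sh
# Added example, not from the OAA documentation: the third-party-CA procedure
# run end to end. The root + intermediate CA created here stands in for the
# third party CA; all names and the password are assumptions for the demo.
set -eu

# Produce oaa.key, oaa.csr, oaa.pem, bundle.pem, trust.p12 and cert.p12 in
# $1/oaa_ssl, using $2 as the Export Password for both PKCS12 files.
# The body is a subshell so the caller's working directory is untouched.
build_oaa_pkcs12() (
    workdir="$1"; pass="$2"
    mkdir -p "$workdir/oaa_ssl"
    cd "$workdir/oaa_ssl"

    # Stand-in for the third party CA (assumed: one root, one issuing intermediate).
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl genrsa -out rootca.key 2048 2>/dev/null
    openssl req -new -key rootca.key -subj "/CN=Example Root CA" -out rootca.csr
    openssl x509 -req -in rootca.csr -signkey rootca.key -days 365 \
        -extfile ca.ext -out rootca.pem 2>/dev/null
    openssl genrsa -out rootca1.key 2048 2>/dev/null
    openssl req -new -key rootca1.key -subj "/CN=Example Issuing CA" -out rootca1.csr
    openssl x509 -req -in rootca1.csr -CA rootca.pem -CAkey rootca.key -CAcreateserial \
        -days 365 -extfile ca.ext -out rootca1.pem 2>/dev/null

    # Step: 4096-bit server key and CSR. -subj replaces the interactive prompts;
    # -addext (OpenSSL 1.1.1 or later) requests the hostname as a DNS SAN.
    openssl genrsa -out oaa.key 4096 2>/dev/null
    openssl req -new -key oaa.key -out oaa.csr \
        -subj "/C=US/ST=California/L=Redwood City/O=Example Company/OU=Security/CN=oaa.example.com" \
        -addext "subjectAltName=DNS:oaa.example.com"

    # Step: the CA signs the CSR and returns oaa.pem (simulated with the intermediate).
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:oaa.example.com\n' > server.ext
    openssl x509 -req -in oaa.csr -CA rootca1.pem -CAkey rootca1.key -CAcreateserial \
        -days 365 -extfile server.ext -out oaa.pem 2>/dev/null

    # Step: chain bundle (root + intermediate); ">" so a re-run does not duplicate entries.
    cat rootca.pem rootca1.pem > bundle.pem

    # Steps: trust store (certificates only) and server keystore (key + full chain).
    # -passout replaces the interactive Export Password prompt.
    openssl pkcs12 -export -out trust.p12 -nokeys -in bundle.pem -passout "pass:$pass"
    openssl pkcs12 -export -out cert.p12 -inkey oaa.key -in oaa.pem \
        -chain -CAfile bundle.pem -passout "pass:$pass"
)

# Print how many certificates a PKCS12 file holds ($1 = file, $2 = password).
count_p12_certs() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Succeed only if oaa.pem chains to rootca.pem through rootca1.pem and carries
# $2 as a DNS SAN ($1 = directory holding the PEM files).
verify_server_cert() {
    openssl verify -CAfile "$1/rootca.pem" -untrusted "$1/rootca1.pem" "$1/oaa.pem" >/dev/null &&
        openssl x509 -in "$1/oaa.pem" -noout -text | grep -q "DNS:$2"
}

# Succeed only if the private key in cert.p12 matches the server certificate
# stored beside it ($1 = cert.p12, $2 = password); compares the RSA moduli.
verify_keystore() {
    keymod=$(openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null \
        | openssl rsa -noout -modulus 2>/dev/null)
    certmod=$(openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null \
        | openssl x509 -noout -modulus)
    [ -n "$keymod" ] && [ "$keymod" = "$certmod" ]
}

# Usage: sh this_script.sh run <workdir> <export-password>
if [ "${1:-}" = "run" ]; then
    build_oaa_pkcs12 "$2" "$3"
    echo "trust.p12 certificates: $(count_p12_certs "$2/oaa_ssl/trust.p12" "$3")"
    echo "cert.p12 certificates:  $(count_p12_certs "$2/oaa_ssl/cert.p12" "$3")"
    verify_server_cert "$2/oaa_ssl" oaa.example.com && echo "chain and SAN: OK"
    verify_keystore "$2/oaa_ssl/cert.p12" "$3" && echo "key matches certificate: OK"
fi
```

With the assumed two-level CA, trust.p12 ends up holding two certificates (root and intermediate) and cert.p12 three (server certificate plus the chain that -chain pulled in from bundle.pem); the key-versus-certificate modulus comparison catches the common mistake of pairing oaa.pem with a key other than the one that produced the CSR, which openssl pkcs12 -export itself would also reject with "No certificate matches private key".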
Additional Information
The files and passwords generated above are used later in the installOAA.properties file. For example:

common.deployment.sslcert=cert.p12
common.deployment.trustcert=trust.p12
common.deployment.keystorepassphrase=<password>
common.deployment.truststorepassphrase=<password>
common.local.sslcert=<PATH_TO>/cert.p12
common.local.trustcert=<PATH_TO>/trust.p12

where <password> in common.deployment.keystorepassphrase is the Export Password entered when creating cert.p12, and <password> in common.deployment.truststorepassphrase is the Export Password entered when creating trust.p12.
For more information on these parameters, see Preparing the Properties file for Installation.