forked from dmargery/bootstrap-geni-am
Generating CA, AM certificate and user certificate using openssl
dmargery edited this page Sep 30, 2015
These instructions are difficult to keep up to date. If any fail, please refer to the puppet recipes in the repository.
We will create a CA with its backing files in /opt/localCA. We first need a password to protect the CA key, saved in /etc/ssl/secret:

```sh
echo "random_password" > /etc/ssl/secret
chmod 0600 /etc/ssl/secret
```
We then create the CA directory layout and generate the CA private key and self-signed certificate:

```sh
mkdir /opt/localCA
mkdir /opt/localCA/private
mkdir /opt/localCA/certs
mkdir /opt/localCA/newcerts
mkdir /opt/localCA/conf
mkdir /opt/localCA/export
mkdir /opt/localCA/csr
echo "01" > /opt/localCA/serial # look into the -create_serial option of openssl for a more robust option
chmod -R 0755 /opt/localCA
chmod 0700 /opt/localCA/private # the CA private key directory must not be world-readable
touch /opt/localCA/index.txt
# Generate certificate authority (key encrypted with the secret from /etc/ssl/secret)
cd /opt
/usr/bin/openssl req -new -x509 -days 3650 -keyform PEM -keyout /opt/localCA/private/cakey.pem -outform PEM -out /opt/localCA/certs/ca.pem -passout file:/etc/ssl/secret -batch -subj "${x509_base_subj}/CN=local_ca/emailAddress=${am_staff_mail}"
# x509_base_subj is in the form /C=FR/ST=Bretagne/L=Rennes/O=Inria/OU=<my_testbed>
# am_staff_mail is the contact e-mail address written into the emailAddress field of the subject
```
Default certificate generation scripts for openssl are not able to generate certificates with
- 'X509v3 Subject Alternative Name'
- 'X509v3 Extended Key Usage'

You will need to change the default openssl configuration files to do so. We first need a password to protect the AM key, saved in /etc/geni-tools-delegate/secret:

```sh
echo "random_password" > /etc/geni-tools-delegate/secret
chmod 0600 /etc/geni-tools-delegate/secret
```
We then generate a certificate request:
```sh
mkdir -p /etc/geni-tools-delegate/certs
# -passout encrypts the new key with the secret; -nodes would instead write it unencrypted and leave the secret unused
/usr/bin/openssl req -new -keyform PEM -keyout /etc/geni-tools-delegate/certs/am-key.pem -outform PEM -out /etc/geni-tools-delegate/certs/am-csr.pem -passout file:/etc/geni-tools-delegate/secret -batch -subj "${x509_base_subj}/CN=${fqdn}/emailAddress=${am_staff_mail}"
# with x509_base_subj and am_staff_mail as previously and
# fqdn the aggregate manager host name, used as the certificate CN
```
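The wiki stops at the CSR and only says that the default openssl configuration must be changed to get SAN and EKU into the signed certificate. The following is an added example, not code from the wiki or its puppet recipes: it rebuilds the /opt/localCA-style layout (index.txt, serial, newcerts) in a scratch directory, writes a minimal `openssl ca` configuration with a `v3_am` extension section, signs a CSR with it and checks that both extensions are present. The function name `issue_am_cert`, the scratch layout, the section names and the sample DN are assumptions made for this example; keys are left unencrypted here only to keep the run non-interactive.

```shell
#!/bin/sh
# Added example (not from the wiki): sign a CSR with SAN + EKU via 'openssl ca'.
# issue_am_cert, the scratch layout and the sample DN are assumptions.
set -eu

issue_am_cert() {
  work="$1"; fqdn="$2"
  mkdir -p "$work/private" "$work/certs" "$work/newcerts"
  chmod 0700 "$work/private"              # CA key directory stays root-only
  echo "01" > "$work/serial"; : > "$work/index.txt"
  # Minimal CA config plus the extension section the stock config lacks.
  # \$dir is left for openssl to expand; $work and $fqdn expand in the shell.
  cat > "$work/ca.cnf" <<EOF
[ ca ]
default_ca = local_ca
[ local_ca ]
dir = $work
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/certs/ca.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_any
[ policy_any ]
countryName = optional
organizationName = optional
commonName = supplied
[ v3_am ]
basicConstraints = CA:FALSE
subjectAltName = DNS:${fqdn}
extendedKeyUsage = serverAuth, clientAuth
EOF
  # Test-only CA and AM key (unencrypted); the wiki protects both with a secret file.
  openssl req -new -x509 -days 3650 -nodes -keyout "$work/private/cakey.pem" \
    -out "$work/certs/ca.pem" -subj "/C=FR/O=Example/CN=local_ca" -batch 2>/dev/null
  openssl req -new -nodes -keyout "$work/certs/am-key.pem" -out "$work/certs/am-csr.pem" \
    -subj "/C=FR/O=Example/CN=${fqdn}" -batch 2>/dev/null
  # Sign against the CA database, attaching the extension section by name.
  openssl ca -config "$work/ca.cnf" -extensions v3_am -batch -notext \
    -in "$work/certs/am-csr.pem" -out "$work/certs/am-cert.pem" 2>/dev/null
  # Verify the chain and confirm both extensions really made it into the cert.
  openssl verify -CAfile "$work/certs/ca.pem" "$work/certs/am-cert.pem" >/dev/null
  openssl x509 -in "$work/certs/am-cert.pem" -noout -text | grep -q "DNS:${fqdn}"
  openssl x509 -in "$work/certs/am-cert.pem" -noout -text | grep -q "TLS Web Server Authentication"
}
```

Run as `issue_am_cert /tmp/testca am.example.test`; a failing check aborts the function because of `set -e`, and the issued certificate is recorded as a `V` line in index.txt.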