cb0245cfab
Modified the note to include <the certificate file> Removed trailing spaces and fixed Patchset 7 comments Updated Patchset 6 comments and removed the word platform Fixed formatting issues Updated Patchset 4 comments Added additional notes in multiple topics listed in the review Updated the Security / Upgrade Guide with a note Change-Id: If0a88e88268b2a4540b6abf97bc7b5ca9049747c Signed-off-by: Juanita Balaraj <juanita.balaraj@windriver.com> Change-Id: I5686cda10f4ac9b184f5ac1e6ceec003b09155d2
77 lines
2.2 KiB
ReStructuredText
77 lines
2.2 KiB
ReStructuredText
|
|
.. rmn1594906401238
|
|
.. _create-certificates-locally-using-openssl:
|
|
|
|
=========================================
|
|
Create Certificates Locally using openssl
|
|
=========================================
|
|
|
|
You can use :command:`openssl` to locally create certificates suitable for
|
|
use in a lab environment.
|
|
|
|
.. note::
|
|
|
|
Ensure the certificates have RSA key length >= 2048 bits. The
|
|
|prod-long| Release |this-ver| provides a new version of ``openssl`` which
|
|
requires a minimum of 2048-bit keys for RSA for better security / encryption
|
|
strength.
|
|
|
|
You can check the key length by running ``openssl x509 -in <the certificate file> -noout -text``
|
|
and looking for the "Public-Key" in the output.
|
|
|
|
.. rubric:: |proc|
|
|
|
|
.. _create-certificates-locally-using-openssl-steps-unordered-pln-qhc-jmb:
|
|
|
|
#. Create a Root |CA| Certificate and Key
|
|
|
|
#. Create the Root CA private key.
|
|
|
|
.. code-block:: none
|
|
|
|
$ openssl genrsa -out my-root-ca-key.pem 2048
|
|
|
|
#. Generate the Root CA x509 certificate.
|
|
|
|
.. code-block:: none
|
|
|
|
$ openssl req -x509 -new -nodes -key my-root-ca-key.pem \
|
|
-days 1024 -out my-root-ca-cert.pem -outform PEM
|
|
|
|
#. Create and Sign a Server Certificate and Key.
|
|
|
|
#. Create the Server private key.
|
|
|
|
.. code-block:: none
|
|
|
|
$ openssl genrsa -out my-server-key.pem 2048
|
|
|
|
#. Create the Server certificate signing request (csr).
|
|
|
|
Specify "CN=registry.local" and do not specify a challenge password.
|
|
|
|
.. code-block:: none
|
|
|
|
$ openssl req -new -key my-server-key.pem -out my-server.csr
|
|
|
|
#. Create the |SANs| list.
|
|
|
|
.. code-block:: none
|
|
|
|
$ echo subjectAltName = IP:<WRCP-OAM-Floating-IP>,IP:<WRCP-MGMT-Floating-IP>,DNS:registry.local,DNS:registry.central > extfile.cnf
|
|
|
|
#. Use the my-root-ca to sign the server certificate.
|
|
|
|
.. code-block:: none
|
|
|
|
$ openssl x509 -req -in my-server.csr -CA my-root-ca-cert.pem \
|
|
-CAkey my-root-ca-key.pem -CAcreateserial -out my-server-cert.pem \
|
|
-days 365 -extfile extfile.cnf
|
|
|
|
#. Put the server certificate and key into a single file.
|
|
|
|
.. code-block:: none
|
|
|
|
$ cat my-server-cert.pem my-server-key.pem > my-server.pem
|
|
|