Introduction
This article shows how to create a root certificate and a derived certificate to sign a package and onboard it to SDC.
Create the root certificate CA (Certificate Authority) and its private key
Run the following command to create the root certificate and its private key. This certificate will represent the SDC Certificate Authority (CA).
The command will prompt for certificate information; only the Common Name (CN) field matters, the rest can be left empty. Fill the CN with any non-blank value and do not reuse it in the child certificate created later.
Code Block:
    openssl req -new -nodes -x509 -keyout rootCA-private.key -out rootCA.cert
Create the package certificate issued by CA
Create the package private key package-private.key and an associated Certificate Signing Request (CSR) package.csr, which is used to create a certificate based on that key.
Code Block:
    openssl req -new -nodes -keyout package-private.key -out package.csr
Now create the package certificate issued by the root certificate. As in the root certificate creation process, the command will prompt for certificate information and only the Common Name (CN) field matters; the rest can be left empty. Fill the CN with any non-blank value that differs from the root CA certificate CN, otherwise the package signature validation will treat the certificate as self-signed.
Using the certificate authority/root certificate (-CA rootCA.cert), root certificate private key (-CAkey rootCA-private.key) and the package CSR (-in package.csr), run the following command to generate the package certificate package.cert:
Code Block:
    openssl x509 -req -CA rootCA.cert -CAkey rootCA-private.key -CAcreateserial -in package.csr -out package.cert
Sign package with the package certificate and its private key
Choose one of the two options:
Option 1: the following command includes the signing certificate, package.cert, inside the resulting package.cms:
Code Block:
    openssl cms -sign -signer package.cert -inkey package-private.key -outform PEM -binary -in package.csar -out package.cms
Resulting package contents:
- package.zip
    - package.csar
    - package.cms
Option 2: the following command does not include the signing certificate, package.cert, inside the resulting package.cms. The only difference from Option 1 is the added -nocerts option:
Code Block:
    openssl cms -sign -signer package.cert -inkey package-private.key -outform PEM -binary -nocerts -in package.csar -out package.cms
Resulting package contents:
- package.zip
    - package.csar
    - package.cms
    - package.cert
Validate the CMS signature
To validate the generated package.cms, use the following command with the CA certificate rootCA.cert, the package certificate package.cert and the package package.csar:
Code Block:
    openssl cms -verify -inform PEM -binary -CAfile rootCA.cert -certfile package.cert -in package.cms -content package.csar
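The whole procedure above (root CA, package certificate, detached CMS signature, verification), run end to end as an added example that is not part of the original page. It executes non-interactively in a temporary directory, using -subj in place of the CN prompt, a constructed text file standing in for the CSAR, and a check that the issued certificate is not self-signed (subject differs from issuer, the pitfall described above). A final step confirms that verification fails for modified content. The CN values, the -days and -subj flags and the work directory are this example's choices; file names follow the page.

```shell
#!/bin/sh
# Added example, not the SDC wiki's own script: runs the page's openssl steps
# non-interactively against a constructed stand-in package.
set -eu

# Work directory for all generated files (assumption: mktemp is available).
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Step 1: root CA certificate and private key. -subj replaces the interactive
# prompt; only the CN matters and it must differ from the package CN.
make_root_ca() {
    openssl req -new -nodes -x509 -days 365 -subj "/CN=SDC Example Root CA" \
        -keyout "$WORKDIR/rootCA-private.key" -out "$WORKDIR/rootCA.cert" 2>/dev/null
}

# Step 2: package key and CSR, then the package certificate issued by the CA.
make_package_cert() {
    openssl req -new -nodes -subj "/CN=SDC Example Package" \
        -keyout "$WORKDIR/package-private.key" -out "$WORKDIR/package.csr" 2>/dev/null
    openssl x509 -req -days 365 -CA "$WORKDIR/rootCA.cert" \
        -CAkey "$WORKDIR/rootCA-private.key" -CAcreateserial \
        -in "$WORKDIR/package.csr" -out "$WORKDIR/package.cert" 2>/dev/null
}

# Pitfall check: if subject and issuer are identical the certificate looks
# self-signed. Returns 0 when the package certificate is properly issued.
check_not_self_signed() {
    subj=$(openssl x509 -noout -subject -in "$WORKDIR/package.cert")
    iss=$(openssl x509 -noout -issuer -in "$WORKDIR/package.cert")
    [ "${subj#subject=}" != "${iss#issuer=}" ]
}

# Constructed stand-in for the CSAR archive (the real one is a zip).
make_sample_package() {
    printf 'constructed stand-in for a CSAR archive\n' > "$WORKDIR/package.csar"
}

# Step 3: detached CMS signature (Option 1, certificate embedded in the CMS).
sign_package() {
    openssl cms -sign -signer "$WORKDIR/package.cert" \
        -inkey "$WORKDIR/package-private.key" -outform PEM -binary \
        -in "$WORKDIR/package.csar" -out "$WORKDIR/package.cms"
}

# Step 4: verify the signature against the content given as $1.
verify_package() {
    openssl cms -verify -inform PEM -binary -CAfile "$WORKDIR/rootCA.cert" \
        -certfile "$WORKDIR/package.cert" -in "$WORKDIR/package.cms" \
        -content "$1" -out /dev/null 2>/dev/null
}

# Negative check: a modified package must not verify. Returns 0 when the
# verification correctly fails.
verify_tampered_fails() {
    printf 'constructed stand-in for a CSAR archive (modified)\n' > "$WORKDIR/tampered.csar"
    if verify_package "$WORKDIR/tampered.csar"; then
        return 1
    fi
    return 0
}

run_demo() {
    make_root_ca && make_package_cert && check_not_self_signed \
        && make_sample_package && sign_package \
        && verify_package "$WORKDIR/package.csar" && verify_tampered_fails
}

run_demo && echo "all steps succeeded in $WORKDIR"
```

Running the script leaves rootCA.cert, package.cert, package.csar and package.cms in the work directory, so the same files can be reused to try the page's Option 2 (-nocerts) and the utility commands further down.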
Copy root certificate to the SDC certificate folder
SDC currently keeps the certificates in the /data/onap/cert folder. Copy the created rootCA.cert to that folder:
Code Block:
    cp rootCA.cert /data/onap/cert/rootCA.cert
This can be done at runtime, as SDC reads from that folder every time it validates a package.
Warning: currently SDC only checks the number of certificates in the /data/onap/cert folder to decide whether to reload the certificates in memory. If the number stays the same, the list of certificates is not updated, so simply replacing a certificate file changes nothing at runtime.
Upload your signed package
Test the certificates by onboarding the signed package to create an SDC VSP (Virtual Software Package).
Utility functions
Print certificate information
Code Block:
    openssl x509 -text -in rootCA.cert
Print the CMS signature structure
Code Block:
    openssl cms -cmsout -print -inform pem -in package.cms
Extract the public key from a certificate
Code Block:
    openssl x509 -in certificate.cert -pubkey -noout -out public.key
Verify that a certificate was issued by a Certificate Authority (root certificate)
Code Block:
    openssl verify -verbose -CAfile rootCA.cert package.cert