...
Create config files
Create openssl_root.cnf (replace <base-dir> in the "dir" setting with the full path of your working directory)
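# openssl_root.cnf - read by "openssl req" / "openssl ca -config openssl_root.cnf".
# Creates the self-signed root CA and signs the intermediate CA (section v3_intermediate_ca).
# Replace <base-dir> in "dir" with the full path of the working directory.

[ ca ] # The default CA section
default_ca = CA_default # The default CA name

[ CA_default ] # Default settings for the root CA
dir = ~/<base-dir>/myCA/rootCA # CA directory
certs = $dir/certs # Certificates directory
crl_dir = $dir/crl # CRL directory
new_certs_dir = $dir/newcerts # New certificates directory
database = $dir/index.txt # Certificate index file
serial = $dir/serial # Serial number file
RANDFILE = $dir/private/.rand # Random number file (newer OpenSSL releases seed from the OS and may ignore this; harmless to keep)
private_key = $dir/private/ca.key.pem # Root CA private key - restrict file permissions and keep the root offline when not signing
certificate = $dir/certs/ca.cert.pem # Root CA certificate
crl = $dir/crl/ca.crl.pem # Root CA CRL
crlnumber = $dir/crlnumber # Root CA CRL number
crl_extensions = crl_ext # CRL extensions
default_crl_days = 30 # Default CRL validity days
default_md = sha256 # Default message digest
preserve = no # Preserve existing extensions
email_in_dn = no # Exclude email from the DN
name_opt = ca_default # Formatting options for names
cert_opt = ca_default # Certificate output options
policy = policy_strict # Certificate policy
unique_subject = no # Allow multiple certs with the same DN
# NOTE(review): default_days is not set, so certificate validity comes from -days on the
# "openssl ca" command line - confirm the signing command passes it

[ policy_strict ] # Policy for stricter validation (match = must equal the root's value, supplied = must be present, optional = may be omitted)
countryName = match # Must match the issuer's country
stateOrProvinceName = optional # State or province is optional
organizationName = match # Must match the issuer's organization
organizationalUnitName = optional # Organizational unit is optional
commonName = supplied # Must provide a common name
emailAddress = optional # Email address is optional

[ req ] # Request settings
default_bits = 2048 # Default key size (2048 is the floor accepted today; a long-lived root is often generated with 4096)
distinguished_name = req_distinguished_name # Default DN template
string_mask = utf8only # UTF-8 encoding
default_md = sha256 # Default message digest
prompt = no # Non-interactive mode: the values in req_distinguished_name are used literally, not as prompts
x509_extensions = v3_ca # Extensions applied when the root is self-signed with "req -x509" (same effect as -extensions v3_ca on the command line)

[ req_distinguished_name ] # Template for the DN in the CSR
# NOTE(review): with prompt = no these strings become the actual DN values unless the
# "openssl req" command passes -subj; "Country Name (2 letter code)" is longer than the
# two characters countryName allows - confirm the command supplies -subj
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (city)
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (section)
commonName = Common Name (your domain)
emailAddress = Email Address

[ v3_ca ] # Root CA certificate extensions
subjectKeyIdentifier = hash # Subject key identifier
authorityKeyIdentifier = keyid:always,issuer # Authority key identifier
basicConstraints = critical, CA:true # Basic constraints for a CA (no pathlen: the root may issue further CAs)
keyUsage = critical, keyCertSign, cRLSign # Key usage for a CA: sign certificates and CRLs only

[ crl_ext ] # CRL extensions
authorityKeyIdentifier = keyid:always,issuer # Authority key identifier

[ v3_intermediate_ca ] # Extensions applied by "openssl ca -extensions v3_intermediate_ca" when the root signs the intermediate CSR
subjectKeyIdentifier = hash # Subject key identifier
authorityKeyIdentifier = keyid:always,issuer # Authority key identifier (points at the root)
basicConstraints = critical, CA:true, pathlen:0 # Intermediate may issue end-entity certificates but no further CAs
keyUsage = critical, digitalSignature, cRLSign, keyCertSign # CA bits plus digitalSignature - confirm the latter is needed (e.g. for responses signed directly with the CA key)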
...
Create openssl_intermediate.cnf (replace <base-dir> in the "dir" setting with the full path of your working directory)
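# openssl_intermediate.cnf - read by "openssl req" / "openssl ca -config openssl_intermediate.cnf".
# Generates the intermediate CA's CSR and signs end-entity (server) certificates with it.
# Replace <base-dir> in "dir" with the full path of the working directory.

[ ca ] # The default CA section
default_ca = CA_default # The default CA name

[ CA_default ] # Default settings for the intermediate CA
dir = ~/<base-dir>/myCA/intermediateCA # Intermediate CA directory
certs = $dir/certs # Certificates directory
crl_dir = $dir/crl # CRL directory
new_certs_dir = $dir/newcerts # New certificates directory
database = $dir/index.txt # Certificate index file
serial = $dir/serial # Serial number file
RANDFILE = $dir/private/.rand # Random number file (newer OpenSSL releases seed from the OS and may ignore this; harmless to keep)
private_key = $dir/private/intermediate.key.pem # Intermediate CA private key - restrict file permissions
certificate = $dir/certs/intermediate.cert.pem # Intermediate CA certificate
crl = $dir/crl/intermediate.crl.pem # Intermediate CA CRL
crlnumber = $dir/crlnumber # Intermediate CA CRL number
crl_extensions = crl_ext # CRL extensions
default_crl_days = 30 # Default CRL validity days
default_md = sha256 # Default message digest
preserve = no # Preserve existing extensions
email_in_dn = no # Exclude email from the DN
name_opt = ca_default # Formatting options for names
cert_opt = ca_default # Certificate output options
policy = policy_loose # Certificate policy
# NOTE(review): default_days is not set, so certificate validity comes from -days on the
# "openssl ca" command line - confirm the signing command passes it

[ policy_loose ] # Policy for less strict validation (supplied = must be present, optional = may be omitted)
countryName = optional # Country is optional
stateOrProvinceName = optional # State or province is optional
localityName = optional # Locality is optional
organizationName = optional # Organization is optional
organizationalUnitName = optional # Organizational unit is optional
commonName = supplied # Must provide a common name
emailAddress = optional # Email address is optional

[ req ] # Request settings
default_bits = 2048 # Default key size
distinguished_name = req_distinguished_name # Default DN template
string_mask = utf8only # UTF-8 encoding
default_md = sha256 # Default message digest
# No "prompt = no" here: "openssl req" asks for each DN field interactively, using the
# labels in req_distinguished_name as prompts (unless -subj is given on the command line).
x509_extensions = v3_intermediate_ca # Only applies to self-signed "req -x509" output; the intermediate is signed by the root, whose "openssl ca" run selects its own v3_intermediate_ca section

[ req_distinguished_name ] # Template for the DN in the CSR (prompt labels)
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address

[ v3_intermediate_ca ] # Intermediate CA certificate extensions
subjectKeyIdentifier = hash # Subject key identifier
authorityKeyIdentifier = keyid:always,issuer # Authority key identifier
basicConstraints = critical, CA:true, pathlen:0 # Intermediate may issue end-entity certificates but no further CAs
keyUsage = critical, digitalSignature, cRLSign, keyCertSign # CA bits plus digitalSignature - confirm the latter is needed

[ crl_ext ] # CRL extensions
authorityKeyIdentifier = keyid:always # Authority key identifier

[ server_cert ] # Server certificate extensions, selected with "openssl ca -extensions server_cert"
basicConstraints = CA:FALSE # Not a CA certificate
nsCertType = server # Legacy Netscape extension; ignored by modern clients, harmless to keep
subjectKeyIdentifier = hash # Subject key identifier (recommended for end-entity certificates; lets clients match the issuer's AKI chain)
keyUsage = critical, digitalSignature, keyEncipherment # Key usage for a server cert
extendedKeyUsage = serverAuth # Extended key usage for server authentication purposes (e.g., TLS/SSL servers).
authorityKeyIdentifier = keyid,issuer # Authority key identifier linking the certificate to the issuer's public key.
# NOTE(review): no subjectAltName is set here. Modern TLS clients match the host name against
# SAN, not commonName, so each server certificate needs its SAN supplied when it is signed
# (a per-server extension file, or copy_extensions in CA_default - which must be combined with
# reviewing every CSR, since it copies whatever the requester put in).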
...
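# Build the chain file handed to servers/clients: issuing intermediate first, root last.
cat ~/myCA/intermediateCA/certs/intermediate.cert.pem ~/myCA/rootCA/certs/ca.cert.pem > ~/myCA/intermediateCA/certs/ca-chain.cert.pem
# Verify the intermediate against the root alone. Verifying against ca-chain.cert.pem
# (which already contains the intermediate) may succeed merely because the intermediate is
# itself in the trusted set, which proves nothing about the root's signature.
openssl verify -CAfile ~/myCA/rootCA/certs/ca.cert.pem ~/myCA/intermediateCA/certs/intermediate.cert.pem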
Create files for OOM
Create ca-chain file for AAF-SMS:
# Copy the intermediate+root chain into place under the name the AAF-SMS chart expects.
cp -- "$HOME/myCA/intermediateCA/certs/ca-chain.cert.pem" "$HOME/myCA/intermediate_root_ca.pem"
File will be stored in https://git.onap.org/oom/tree/kubernetes/aaf/components/aaf-sms/resources/certs?h=kohn
Import CA-chain to cert-wrapper
- Download JDK from Oracle: https://www.oracle.com/java/technologies/downloads/#java20
- Extract the "cacerts" file (/<jdk-dir>/lib/security/cacerts)
- Copy the cacerts file to "truststoreONAPall.jks" and import intermediate_root_ca.pem
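# Start from the JDK default trust store extracted in the previous step (<jdk-dir>/lib/security/cacerts).
cp ~/myCA/cacerts ~/myCA/truststoreONAPall.jks
# Add the chain under the alias onaptestca. "changeit" is the JDK's default cacerts password;
# the store holds only public certificates, so the password protects integrity, not secrecy.
# NOTE(review): keytool stores one trusted certificate per alias and reads only the first
# certificate in the file (here the intermediate); if the root must be trusted directly,
# import it under its own alias as well - confirm with the -list output below.
keytool -importcert -alias onaptestca -keystore ~/myCA/truststoreONAPall.jks -file ~/myCA/intermediate_root_ca.pem -storepass changeit
# Confirm the alias is present in the file just written. (The original listed
# truststoreONAPall.jks-old, which would not show the entry just added; assumed to be a typo.)
keytool -list -keystore ~/myCA/truststoreONAPall.jks -storepass changeit | grep onap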
# Base64-encode the trust store for embedding in the OOM chart.
# GNU base64 wraps its output every 76 columns; if the consumer needs a single line, add -w0 (GNU only).
base64 < "$HOME/myCA/truststoreONAPall.jks" > "$HOME/myCA/truststoreONAPall.jks.b64"