Create AAF CA certificates
General info from: https://www.golinuxcloud.com/openssl-create-certificate-chain-linux/
Create certificates
Create directory structure
Example under /home/<user> (can be changed)
mkdir -p ~/myCA/rootCA/{certs,crl,newcerts,private,csr}
mkdir -p ~/myCA/intermediateCA/{certs,crl,newcerts,private,csr}
echo 1000 > ~/myCA/rootCA/serial
echo 1000 > ~/myCA/intermediateCA/serial
echo 0100 > ~/myCA/rootCA/crlnumber
echo 0100 > ~/myCA/intermediateCA/crlnumber
touch ~/myCA/rootCA/index.txt
touch ~/myCA/intermediateCA/index.txt
Create config files
Create openssl_root.cnf (replace <base-dir> in "dir" with the absolute path of the directory that contains myCA, e.g. /home/<user>)
[ ca ] # Section read by "openssl ca"
default_ca = CA_default # Name of the section holding the CA settings, see [ CA_default ]
[ CA_default ] # Default settings for the root CA
# "dir" must stay first: every $dir below is expanded from it
dir = /<base-dir>/myCA/rootCA # CA directory (replace <base-dir> with the absolute parent path)
certs = $dir/certs # Certificates directory
crl_dir = $dir/crl # CRL directory
new_certs_dir = $dir/newcerts # Copy of every certificate this CA issues
database = $dir/index.txt # Certificate index file (created empty in the setup steps)
serial = $dir/serial # Next serial number (seeded with 1000 in the setup steps)
RANDFILE = $dir/private/.rand # Random seed file; newer OpenSSL releases may ignore it
private_key = $dir/private/ca.key.pem # Root CA private key; keep private/ readable by the CA operator only
certificate = $dir/certs/ca.cert.pem # Root CA certificate
crl = $dir/crl/ca.crl.pem # Root CA CRL
crlnumber = $dir/crlnumber # Next CRL number (seeded with 0100 in the setup steps)
crl_extensions = crl_ext # Extensions added to generated CRLs, see [ crl_ext ]
default_crl_days = 30 # Default CRL validity days
default_md = sha256 # Default message digest
preserve = no # Do not keep the DN field order of the request (same as -preserveDN)
email_in_dn = no # Exclude email from the DN
name_opt = ca_default # Formatting options for names
cert_opt = ca_default # Certificate output options
policy = policy_strict # DN policy applied to every request this CA signs, see [ policy_strict ]
unique_subject = no # Allow multiple certs with the same DN
[ policy_strict ] # DN policy for requests the root signs (referenced by policy in [ CA_default ])
# "match" fields must equal the root certificate's own value, "supplied" fields must be
# present, "optional" fields may be present. Fields not listed here (e.g. localityName)
# are dropped from the signed DN because preserve = no.
countryName = match # Must match the root's country
stateOrProvinceName = optional # State or province is optional
organizationName = match # Must match the root's organization
organizationalUnitName = optional # Organizational unit is optional
commonName = supplied # Must provide a common name
emailAddress = optional # Email address is optional
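[ req ] # Settings for "openssl req" (root key and self-signed root certificate creation)
default_bits = 2048 # Default RSA key size
distinguished_name = req_distinguished_name # DN prompts, see [ req_distinguished_name ]
string_mask = utf8only # Encode DN strings as UTF-8 only
default_md = sha256 # Default message digest
# Extensions used when the root certificate is created with "openssl req -x509"
# (an explicit -extensions v3_ca on the command line still takes precedence)
x509_extensions = v3_ca
# No "prompt = no" here: the DN fields are entered interactively, as in the
# intermediate config. With prompt = no the strings in [ req_distinguished_name ]
# would be used verbatim as field values, and the 2-letter countryName would fail.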
[ req_distinguished_name ] # DN fields asked for by "openssl req"
# The value of each key is the prompt text shown when "openssl req" runs interactively.
# If [ req ] sets prompt = no these strings are taken as the literal field values instead.
# Requests signed under [ policy_strict ] must repeat the root's countryName and organizationName.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (city)
0.organizationName = Organization Name (company)
organizationalUnitName = Organizational Unit Name (section)
commonName = Common Name (your domain)
emailAddress = Email Address
[ v3_ca ] # Root CA certificate extensions (select with -extensions v3_ca when creating the root cert)
subjectKeyIdentifier = hash # Subject key identifier derived from the root public key
authorityKeyIdentifier = keyid:always,issuer # Authority key identifier (self-referencing on a self-signed root)
basicConstraints = critical, CA:true # CA certificate; no pathlen, so it may sign further CAs (compare [ v3_intermediate_ca ])
keyUsage = critical, keyCertSign, cRLSign # Only certificate and CRL signing are permitted
[ crl_ext ] # Extensions added to CRLs (referenced by crl_extensions in [ CA_default ])
authorityKeyIdentifier = keyid:always,issuer # Identifies the root key and issuer that signed the CRL
[ v3_intermediate_ca ] # Extensions for the intermediate CA certificate (select with -extensions v3_intermediate_ca when the root signs the intermediate CSR)
subjectKeyIdentifier = hash # Subject key identifier derived from the intermediate public key
authorityKeyIdentifier = keyid:always,issuer # Points at the root key and issuer name
basicConstraints = critical, CA:true, pathlen:0 # CA certificate; pathlen:0 means it may only issue end-entity certs
keyUsage = critical, digitalSignature, cRLSign, keyCertSign # Certificate and CRL signing; digitalSignature is also allowed, unlike [ v3_ca ]
Create openssl_intermediate.cnf (replace <base-dir> in "dir" with the absolute path of the directory that contains myCA, e.g. /home/<user>)
[ ca ] # Section read by "openssl ca"
default_ca = CA_default # Name of the section holding the CA settings, see [ CA_default ]
[ CA_default ] # Default settings for the intermediate CA
# "dir" must stay first: every $dir below is expanded from it
dir = /<base-dir>/myCA/intermediateCA # Intermediate CA directory (replace <base-dir> with the absolute parent path)
certs = $dir/certs # Certificates directory
crl_dir = $dir/crl # CRL directory
new_certs_dir = $dir/newcerts # Copy of every certificate this CA issues
database = $dir/index.txt # Certificate index file (created empty in the setup steps)
serial = $dir/serial # Next serial number (seeded with 1000 in the setup steps)
RANDFILE = $dir/private/.rand # Random seed file; newer OpenSSL releases may ignore it
private_key = $dir/private/intermediate.key.pem # Intermediate CA private key; keep private/ readable by the CA operator only
certificate = $dir/certs/intermediate.cert.pem # Intermediate CA certificate
crl = $dir/crl/intermediate.crl.pem # Intermediate CA CRL
crlnumber = $dir/crlnumber # Next CRL number (seeded with 0100 in the setup steps)
crl_extensions = crl_ext # Extensions added to generated CRLs, see [ crl_ext ]
default_crl_days = 30 # Default CRL validity days
default_md = sha256 # Default message digest
preserve = no # Do not keep the DN field order of the request (same as -preserveDN)
email_in_dn = no # Exclude email from the DN
name_opt = ca_default # Formatting options for names
cert_opt = ca_default # Certificate output options
# NOTE(review): unlike the root config, unique_subject is not set here; OpenSSL's default
# then refuses a second certificate with the same subject until the first is revoked -
# confirm against the installed version if server certs are re-issued under the same DN.
policy = policy_loose # DN policy applied to every request this CA signs, see [ policy_loose ]
[ policy_loose ] # DN policy for end-entity requests (referenced by policy in [ CA_default ])
# Every field is optional except commonName, so server certs need not share the
# intermediate's country or organization (compare the root's [ policy_strict ]).
countryName = optional # Country is optional
stateOrProvinceName = optional # State or province is optional
localityName = optional # Locality is optional
organizationName = optional # Organization is optional
organizationalUnitName = optional # Organizational unit is optional
commonName = supplied # Must provide a common name
emailAddress = optional # Email address is optional
[ req ] # Settings for "openssl req" (intermediate key and CSR creation, interactive DN prompts)
default_bits = 2048 # Default RSA key size
distinguished_name = req_distinguished_name # DN prompts, see [ req_distinguished_name ]
string_mask = utf8only # Encode DN strings as UTF-8 only
default_md = sha256 # Default message digest
# Only consulted by "openssl req -x509" (self-signed). The intermediate CSR is signed by the
# root, whose openssl_root.cnf [ v3_intermediate_ca ] section decides the issued extensions.
x509_extensions = v3_intermediate_ca # Extensions for intermediate CA certificate
[ req_distinguished_name ] # DN fields asked for by "openssl req"
# The value of each key is the prompt text shown when "openssl req" runs interactively.
# The intermediate's own DN must satisfy the root's [ policy_strict ] (matching C and O).
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
[ v3_intermediate_ca ] # Intermediate CA certificate extensions (same profile as in openssl_root.cnf)
subjectKeyIdentifier = hash # Subject key identifier derived from the intermediate public key
authorityKeyIdentifier = keyid:always,issuer # Points at the root key and issuer name
basicConstraints = critical, CA:true, pathlen:0 # CA certificate; pathlen:0 means it may only issue end-entity certs
keyUsage = critical, digitalSignature, cRLSign, keyCertSign # Certificate and CRL signing plus digitalSignature
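[ crl_ext ] # Extensions added to CRLs (referenced by crl_extensions in [ CA_default ])
# Same form as the root config so both CAs' CRLs carry the signing key id and the issuer name/serial
authorityKeyIdentifier = keyid:always,issuer # Identifies the intermediate key and issuer that signed the CRL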
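[ server_cert ] # Server certificate extensions (select with -extensions server_cert when signing)
basicConstraints = CA:FALSE # End-entity certificate; it may not sign other certificates
nsCertType = server # Legacy Netscape type; kept for old clients, most current ones ignore it
subjectKeyIdentifier = hash # Subject key identifier, counterpart of the issuer's AKI below
keyUsage = critical, digitalSignature, keyEncipherment # Key usage for a server cert
extendedKeyUsage = serverAuth # Extended key usage for server authentication purposes (e.g., TLS/SSL servers).
authorityKeyIdentifier = keyid,issuer # Authority key identifier linking the certificate to the issuer's public key.
# subjectAltName is not set here and [ CA_default ] has no copy_extensions, so a SAN
# requested in the CSR is dropped at signing. Most current TLS clients ignore the CN
# and require a SAN, so add "subjectAltName = DNS:<server-host>" to this section per host.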
Create and check root keypair
Create and check root certificate
Create intermediate CA keypair and certificate request
Sign intermediate CSR
Create certificate chain
Create files for OOM
Create ca-chain file for AAF-SMS:
File will be stored in https://git.onap.org/oom/tree/kubernetes/aaf/components/aaf-sms/resources/certs?h=kohn
Import CA-chain to cert-wrapper
Download JDK from Oracle: https://www.oracle.com/java/technologies/downloads/#java20
Extract the "cacerts" file (/<jdk-dir>/lib/security/cacerts)
Copy the cacerts file to "truststoreONAPall.jks" and import intermediate_root_ca.pem
base64 encode the file
File will be stored in https://git.onap.org/oom/tree/kubernetes/common/cert-wrapper/resources?h=kohn