Instructions for creating self-signed certificates for IBM Cloud Cost and Asset Management

Tools needed for creating certificates

openssl
keytool

Pre-requisite

1) In the folder where the certificates and keys will be created, create a folder using the command

           mkdir -p demoCA/newcerts

2) Create an index.txt file in the demoCA directory created above using the command

           touch demoCA/index.txt

Steps to generate certificates

To generate a self-signed SSL certificate using OpenSSL, complete the following steps:

1) Creating rootCA (the key is created without a passphrase because of the -nodes option)

  a) Generating rootCA key and rootCA request.

        openssl req -new -keyout rootCAkey.pem -out rootCAreq.pem -nodes

  b) Generating rootCAcert certificate which will be used in further steps.

        openssl ca -create_serial -out rootCAcert.pem -days 1095 -batch -keyfile rootCAkey.pem -selfsign -extensions v3_ca -infiles rootCAreq.pem

2) Creating Intermediate CA

  a) Generating CAKey and CAreq

         openssl req -new -keyout CAkey.pem -out CAreq.pem -days 365 -nodes

  b) Generating CAcert certificate based on the rootCA key and rootCA certificate generated in Step 1.

         openssl ca -cert rootCAcert.pem -keyfile rootCAkey.pem -policy policy_anything -out CAcert.pem -extensions v3_ca -infiles CAreq.pem

3) Creating Final Certs

  a) Generating certificate key and certificate request.

         openssl req -new -keyout certkey.pem -out certreq.pem -days 365 -subj "SUBJ" -nodes

    In the above command, SUBJ can be something like "/C=Country/ST=State/O=Organization/OU=Organization Unit/CN=Common Name". Enter the details accordingly.

  b) Create certificate based on certificate request as generated above.

        openssl ca -cert CAcert.pem -keyfile CAkey.pem -policy policy_anything -out cert.pem -infiles certreq.pem

4) Renaming key, cert and rootCA file:

a) mv cert.pem maria_dev.crt

b) mv certkey.pem maria_dev.key

c) cat rootCAcert.pem CAcert.pem > rootCA.pem

To verify the certificates, run the command below:

    openssl verify -CAfile rootCA.pem maria_dev.crt

The response for a successful verification will be as below:

    maria_dev.crt: OK

5) For grav.crt and grav.key, which will be needed, use the same certificate and key that were generated for
IBM Cloud Management Platform

6) For generating cloudMatrix.keystore

a) Create a Java KeyStore using below command:

   keytool -genkey -alias "cloudMatrix" -keyalg RSA -keystore cloudMatrix.keystore -validity 10950

   Note: Keep a note of the password entered here, as it will need to be entered in [file](https://www.ibm.com/support/knowledgecenter/SSMPHF/pre_ccam_properties.html)

b) Import database CA cert into keystore:

   keytool -import -alias mariadevCA -file rootCA.pem -keystore cloudMatrix.keystore
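
A check to run after step 4, added here as an example and not part of the original instructions: it repeats the `openssl verify` chain check, confirms that maria_dev.key is the private key for maria_dev.crt, and flags a key file readable by group or others, which matters because `-nodes` writes the keys unencrypted. The function name `check_cert_bundle` is made up for this example.

```shell
#!/bin/sh
# Added example: post-generation checks for the files produced in step 4.
# check_cert_bundle is a hypothetical helper name, not part of any IBM tooling.
check_cert_bundle() {   # usage: check_cert_bundle KEY CERT CAFILE
    key=$1; cert=$2; cafile=$3; rc=0

    # 1) Chain: the same check as "openssl verify -CAfile rootCA.pem maria_dev.crt".
    if ! openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1; then
        echo "FAIL chain: $cert does not verify against $cafile" >&2; rc=1
    fi

    # 2) Pairing: the public key derived from the private key must equal the
    #    public key embedded in the certificate.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
    if [ -z "$key_pub" ] || [ "$key_pub" != "$cert_pub" ]; then
        echo "FAIL pair: $key is not the private key for $cert" >&2; rc=1
    fi

    # 3) Permissions: -nodes leaves the key unencrypted, so the file mode is its
    #    only protection. Characters 5-10 of the ls mode string are group/other.
    mode=$(ls -ld -- "$key" 2>/dev/null | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "FAIL perms: $key is accessible to group/other; run: chmod 600 $key" >&2; rc=1
    fi

    return "$rc"
}

# Run against the step 4 file names when they exist in the current directory.
if [ -f maria_dev.key ] && [ -f maria_dev.crt ] && [ -f rootCA.pem ]; then
    check_cert_bundle maria_dev.key maria_dev.crt rootCA.pem && echo "all checks passed"
fi
```

The same function can be pointed at grav.key and grav.crt from step 5.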