Creating CA signed certificates for the monitoring infrastructure
You can generate Certificate Authority (CA) root and CA-signed certificates for the monitoring infrastructure by using the openssl
utility or any other certificate generation tool that complies with your organization's rules.
This procedure is intended for users with the role cloud administrator.
Before you begin
- Ensure that OpenSSL or a similar tool is installed on a workstation that you can use to generate the certificates.
Procedure
Complete the following steps on your workstation with root user authority. Protect the private keys that this procedure creates, in particular the CA root private key, with restrictive file permissions: anyone who can read the root key can issue certificates that the monitoring infrastructure trusts.
- Go to the following directory on your workstation to run the openssl command or any similar tool.
cd $HOME/hpvs/config/monitoring/keys/ca-certificates
- Create the CA root certificate by using the following procedure. The CA root certificate is used to sign the server and client certificates of the monitoring infrastructure.
a. Create the CA root private key. After the command completes, the CA root private key myrootCA.key is generated in the current directory, for example $HOME/hpvs/config/monitoring/keys/ca-certificates/myrootCA.key.
openssl genrsa -out myrootCA.key 4096
b. Create the Certificate Signing Request (CSR) from the CA root private key and self-sign it to produce the CA root certificate, either interactively or with a configuration file. After the commands complete, the CSR myrootCA.csr is generated in the current directory, for example $HOME/hpvs/config/monitoring/keys/ca-certificates/myrootCA.csr.
- To enter the certificate fields interactively, complete the following steps. The openssl req command prompts you to enter values for the certificate fields, such as Organizational Unit (OU), Common Name (CN), Email, Country Code, State or Province name, City, and Organization or Company Name.
a. Create the CSR file by using the following command.
openssl req -verbose -new -key myrootCA.key -out myrootCA.csr -sha256
b. Create the CA root certificate by using the following command.
openssl ca -out myrootCA.crt -keyfile myrootCA.key -verbose -selfsign -md sha256 -infiles myrootCA.csr
Note:
- The openssl ca command always needs a CA database (the index.txt, serial, and newcerts files that the configuration file variant creates). Without the -config option it takes their location from the CA_default section of the system openssl.cnf file, so create them at that location first; otherwise the command fails.
- To use an OpenSSL configuration file instead of entering each value when the command runs, complete the following steps. An example file is $HOME/hpvs/config/monitoring/keys/ca-certificates/myca.cnf. For more information about the OpenSSL configuration file, see OpenSSL configuration examples.
a. Create the other required files and the OpenSSL CA database by using the following commands.
cd $HOME/hpvs/config/monitoring/keys/ca-certificates/
touch index.txt
touch index.txt.attr
touch serial
mkdir crl
mkdir newcerts
Note:
- Update "dir" in myca.cnf to $HOME/hpvs/config/monitoring/keys/ca-certificates.
- These files are required to successfully create a CA root certificate.
- You must edit the file serial and enter a number in it, for example 1000. This number is the serial number of the next certificate that is issued. The openssl ca command reads it as a hexadecimal value and increments it after each certificate that it signs.
- Create the CSR with the openssl req command as in the interactive variant, but pass -config myca.cnf so that the certificate fields are read from the file instead of being prompted for.
b. Create the CA root certificate by using the following command. After the command completes, the CA root certificate myrootCA.crt is created in the current directory.
openssl ca -config $HOME/hpvs/config/monitoring/keys/ca-certificates/myca.cnf -out myrootCA.crt -keyfile myrootCA.key -verbose -selfsign -md sha256 -infiles myrootCA.csr
c. Validate the CA root certificate by using the following command. After the command completes, the details of the CA root certificate are printed. Confirm that the Issuer and the Subject are identical and that the certificate carries the CA extensions that myca.cnf specifies, such as X509v3 Basic Constraints: CA:TRUE.
openssl x509 -noout -text -in myrootCA.crt
- Create the CSR for the CA-signed server certificate or client certificate by completing the following steps.
a. Make a note of the details that you intend to set in the certificate, such as the Common Name (CN) and the Subject Alternative Name (SAN), for example example.com and myorg.example.com. For a server certificate, the SAN must list every host name under which the monitoring components are reached, because TLS clients match the host name that they connect to against the SAN entries. For more information, see OpenSSL configuration examples.
b. Go to the directory on your workstation to run the openssl command or any similar tool.
cd $HOME/hpvs/config/monitoring/keys/ca-certificates
c. Create a private key by using one of the following commands. After the command completes, the private key is created in the current directory.
- For a server certificate, use the following command.
openssl genrsa -out server.key 4096
- For a client certificate, use the following command.
openssl genrsa -out client.key 4096
- Create a Certificate Signing Request (CSR) from the private key that you just created. You are asked to enter values for the certificate fields, such as Organizational Unit (OU), Common Name (CN), Email, Country Code, State or Province name, City, and Organization or Company Name. After the command completes, a CSR file is created in the current directory.
a. If you choose to enter the values for the certificate fields as prompted, run the following command to create the CSR for a server certificate.
openssl req -new -key server.key -out server-certificate.csr
Or run the following command to create the CSR for a client certificate.
openssl req -new -key client.key -out client-certificate.csr
b. If you choose to avoid entering these fields interactively, create a configuration file such as server-certificate.cnf that lists these fields and their values, and pass it to the command as follows for a server certificate.
openssl req -new -config server-certificate.cnf -key server.key -out server-certificate.csr
Or create a client-certificate.cnf configuration file and pass it to the command as follows for a client certificate.
openssl req -new -config client-certificate.cnf -key client.key -out client-certificate.csr
Note:
- To create a server certificate, include the entry extendedKeyUsage=serverAuth in the server-certificate.cnf file.
- To create a client certificate, include the entry extendedKeyUsage=clientAuth in the client-certificate.cnf file.
- The interactive command in step a does not add a SAN or an extendedKeyUsage entry to the CSR. Use a configuration file if the certificate needs them, which a server certificate does.
- For the sample configuration files, see OpenSSL configuration examples.
After the commands complete, the CSR is created as the $HOME/hpvs/config/monitoring/keys/ca-certificates/server-certificate.csr file or the $HOME/hpvs/config/monitoring/keys/ca-certificates/client-certificate.csr file.
- Create the CA-signed certificates by signing the CSRs with the CA root certificate and its private key.
- To create the CA-signed server certificate, run the following command.
openssl x509 -req -days 365 -in $HOME/hpvs/config/monitoring/keys/ca-certificates/server-certificate.csr -CA $HOME/hpvs/config/monitoring/keys/ca-certificates/myrootCA.crt -CAkey $HOME/hpvs/config/monitoring/keys/ca-certificates/myrootCA.key -CAcreateserial -out ./server-certificate.crt
- To create the CA-signed client certificate, run the following command.
openssl x509 -req -days 365 -in $HOME/hpvs/config/monitoring/keys/ca-certificates/client-certificate.csr -CA $HOME/hpvs/config/monitoring/keys/ca-certificates/myrootCA.crt -CAkey $HOME/hpvs/config/monitoring/keys/ca-certificates/myrootCA.key -CAcreateserial -out ./client-certificate.crt
Note:
- The openssl x509 -req command does not copy the extensions in the CSR into the certificate. The extendedKeyUsage and subjectAltName entries from server-certificate.cnf or client-certificate.cnf are dropped unless you also pass the -extfile and -extensions options that name the file and the section containing those entries (OpenSSL 3.x alternatively accepts -copy_extensions copy). Many TLS clients no longer fall back to the CN, so a server certificate without a SAN fails host name verification.
- The -CAcreateserial option creates the file myrootCA.srl next to myrootCA.crt on the first run and increments it on every later run. Keep that file together with the CA files so that no two certificates issued by this CA share a serial number.
- Before you distribute a signed certificate, validate it against the CA root certificate with the openssl verify command, and inspect it with openssl x509 -noout -text to confirm that the expected SAN and Extended Key Usage values are present.
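The following script is an added example and is not code from the original page or from the product. It runs the procedure above non-interactively in a temporary directory so that the result can be checked before the real keys under $HOME/hpvs/config/monitoring/keys/ca-certificates are created: it builds the CA database and a myca.cnf as in the configuration file variant, creates the CA root certificate with openssl ca -selfsign, creates a server key and CSR from a server-certificate.cnf that sets subjectAltName and extendedKeyUsage=serverAuth, and then signs that CSR twice, once exactly as the command in the last step does and once with -extfile and -extensions so that the extensions are carried over. An openssl verify run with -purpose sslserver and -verify_hostname shows that only the second certificate is accepted for the host name. The host name monitoring.example.com, the organization name, the CN hpvs-monitoring (chosen to differ from the host name so that only the SAN can satisfy the host name check), and the contents of both .cnf files are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not code from the original page or the product: a throwaway
# CA built the way the procedure above builds it (openssl ca -selfsign for the
# root, openssl x509 -req for the leaf), followed by an 'openssl verify' check
# that shows why the leaf must be signed with -extfile/-extensions: the SAN and
# EKU in the CSR are otherwise not copied. Host name and .cnf contents are assumptions.
set -e

# CA directory, the database files that 'openssl ca' needs, and both config
# files. 'openssl ca' reads 'serial' as hex, so the page's 1000 is 0x1000.
build_ca_dir() (
    cd "$1"
    mkdir -p newcerts crl
    : > index.txt; : > index.txt.attr; echo 1000 > serial
    cat > myca.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
default_md = sha256
policy = policy_any
x509_extensions = v3_ca
[ policy_any ]
organizationName = optional
commonName = supplied
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ req ]
prompt = no
distinguished_name = ca_dn
[ ca_dn ]
CN = My Monitoring Root CA
O = My Org
EOF
    cat > server-certificate.cnf <<'EOF'
[ req ]
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = v3_req
[ dn ]
CN = hpvs-monitoring
O = My Org
[ v3_req ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:monitoring.example.com, DNS:localhost
EOF
)

# Root CA: key, CSR from myca.cnf, self-signed root via 'openssl ca -selfsign'.
# -batch skips the y/n prompts; -notext keeps the .crt file PEM-only.
make_root_ca() (
    cd "$1"
    openssl genrsa -out myrootCA.key 4096
    chmod 600 myrootCA.key   # whoever reads this key can issue trusted certificates
    openssl req -new -config myca.cnf -key myrootCA.key -sha256 -out myrootCA.csr
    openssl ca -batch -notext -config myca.cnf -selfsign -keyfile myrootCA.key \
        -md sha256 -days 3650 -out myrootCA.crt -infiles myrootCA.csr
)

# Server key and CSR; the CSR carries the SAN and serverAuth EKU from v3_req.
make_server_csr() (
    cd "$1"
    openssl genrsa -out server.key 4096
    openssl req -new -config server-certificate.cnf -key server.key -out server-certificate.csr
)

# Sign the CSR; "with-ext" re-reads v3_req via -extfile/-extensions (OpenSSL 3.x:
# -copy_extensions copy also works); "no-ext" is the page's command as written.
sign_server_cert() (
    cd "$1"
    ext=""
    [ "$2" = "with-ext" ] && ext="-extfile server-certificate.cnf -extensions v3_req"
    openssl x509 -req -days 365 -sha256 -in server-certificate.csr -CA myrootCA.crt \
        -CAkey myrootCA.key -CAcreateserial $ext -out "server-certificate-$2.crt"
)

# What a TLS client checks: chain to the root, serverAuth purpose, host name via SAN.
verify_server_cert() (
    cd "$1"
    openssl verify -CAfile myrootCA.crt -purpose sslserver \
        -verify_hostname monitoring.example.com "server-certificate-$2.crt" >/dev/null 2>&1
)

PKI_DIR=$(mktemp -d)
build_ca_dir "$PKI_DIR"; make_root_ca "$PKI_DIR"; make_server_csr "$PKI_DIR"
sign_server_cert "$PKI_DIR" with-ext; sign_server_cert "$PKI_DIR" no-ext
verify_server_cert "$PKI_DIR" with-ext && echo "with-ext: chain, host name and serverAuth verified"
verify_server_cert "$PKI_DIR" no-ext || echo "no-ext: rejected, SAN and EKU were not copied from the CSR"
```

Run the script with sh on a workstation that has OpenSSL 1.1.1 or later; apart from the openssl progress messages, the two result lines are the only output. The same fix applies to the client certificate from the procedure: name a section that contains extendedKeyUsage=clientAuth in client-certificate.cnf and pass it with -extfile client-certificate.cnf -extensions and that section name when signing.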
Next
You can configure the monitoring infrastructure by following the instructions in the topic Working with Monitoring virtual servers.