Creating CA signed certificates for the monitoring infrastructure

You can generate Certificate Authority (CA) Root and CA signed certificates for the monitoring infrastructure by using the openssl utility or any other certificate generation tools that comply with your organization rules.

This procedure is intended for users with the cloud administrator role.

Before you begin

  • Ensure that OpenSSL or a similar certificate generation tool is installed on the workstation that you use to generate the certificates.

Procedure

Complete the following steps on your workstation with root user authority.

  1. Go to the following directory on your workstation to run the openssl command or any similar tool.

    cd $HOME/hpvs/config/monitoring/keys/ca-certificates
    
  2. Create the CA root certificate by using the following procedure. The root CA certificate is used in step 5 to sign the server and client certificates.

    a. Create the CA root private key. After the command completes, the CA root private key myrootCA.key is generated under the current directory. For example, $HOME/hpvs/config/monitoring/keys/ca-certificates/myrootCA.key.

    openssl genrsa -out myrootCA.key 4096
    

    b. Create the Certificate Signing Request (CSR) based on the CA root private key. After the command completes, the CSR myrootCA.csr is generated under the current directory. For example, $HOME/hpvs/config/monitoring/keys/ca-certificates/myrootCA.csr.

    1. If you enter the values interactively, the command prompts you for various certificate fields, such as Organization Unit (OU), Common Name (CN), Email, Country Code, State/Province name, City, and Organization or Company Name.
      a. Create the CSR file by using the following command.

      openssl req -verbose -new -key myrootCA.key -out myrootCA.csr -sha256
      

      b. Create the CA root certificate by using the following command.

      openssl ca -out myrootCA.crt -keyfile myrootCA.key -verbose -selfsign -md sha256 -infiles myrootCA.csr
      
    2. If you want to avoid entering each value when the command runs, you can use an OpenSSL configuration file to create the CSR and the self-signed CA root certificate without prompts. For example, $HOME/hpvs/config/monitoring/keys/ca-certificates/myca.cnf. For more information about the OpenSSL configuration file, see OpenSSL configuration examples.

      a. Create the other required files and the OpenSSL certificate database by using the following commands.

      cd $HOME/hpvs/config/monitoring/keys/ca-certificates/
      touch index.txt
      touch index.txt.attr
      touch serial
      mkdir crl
      mkdir newcerts
      

      Note:

      • Update "dir" in myca.cnf to $HOME/hpvs/config/monitoring/keys/ca-certificates.
      • These files are required to successfully create a CA root certificate.
      • You must edit the file serial and enter a number in it. For example, 1000. This number is the serial number that is assigned to the next certificate that is created.

      b. Create the CA root certificate by using the following command. After the command completes, the CA root certificate myrootCA.crt is created under the current directory.

      openssl ca -config $HOME/hpvs/config/monitoring/keys/ca-certificates/myca.cnf -out myrootCA.crt -keyfile myrootCA.key -verbose -selfsign -md sha256 -infiles myrootCA.csr
      

    c. Validate the CA root certificate by using the following command. After the command completes, the details of the CA root certificate are printed in the output.

    openssl x509 -noout -text -in myrootCA.crt
    
  3. Create the CSR for the CA signed server certificate or client certificate by completing the following steps.

    a. Make a note of the details to generate certificates such as the Common Name (CN) and Subject Alternative Name (SAN) that you intend to set in the certificate. For example, example.com, myorg.example.com. For more information, see OpenSSL configuration examples.

    b. Go to the following directory on your workstation to run the openssl command or any similar tool.

    cd $HOME/hpvs/config/monitoring/keys/ca-certificates
    

    c. Create a private key by using the following command. After the command completes, a private key will be created under the current directory.

    • For a server certificate, use the following command.
      openssl genrsa -out server.key 4096
      
    • For a client certificate, use the following command.
      openssl genrsa -out client.key 4096
      
  4. Create a Certificate Signing Request (CSR) based on the private key that you just created. You are prompted to enter values for various certificate fields, such as Organization Unit (OU), Common Name (CN), Email, Country Code, State or Province name, City, and Organization or Company Name. After the command completes, a CSR file is created under the current directory.

    a. If you choose to enter the values for the certificate fields as prompted, then run the following command to create a server certificate.

    openssl req -new -key server.key -out server-certificate.csr
    

    Or run the following command to create a client certificate.

    openssl req -new -key client.key -out client-certificate.csr
    

    b. If you choose not to enter these fields interactively at the command prompt, create a configuration file such as server-certificate.cnf that lists these fields and their values, and pass it as in the following command for a server certificate.

    openssl req -new -config server-certificate.cnf -key server.key -out server-certificate.csr
    

    Or create a client-certificate.cnf configuration file and pass it as in the following command for a client certificate.

    openssl req -new -config client-certificate.cnf -key client.key -out client-certificate.csr
    

    After the commands complete, the CSR is created as the $HOME/hpvs/config/monitoring/keys/ca-certificates/server-certificate.csr file or the $HOME/hpvs/config/monitoring/keys/ca-certificates/client-certificate.csr file.

    Note:

    • To create a server certificate, include the entry extendedKeyUsage=serverAuth in the server-certificate.cnf file.
    • To create a client certificate, include the entry extendedKeyUsage=clientAuth in the client-certificate.cnf file.
    • For the sample configuration files, see OpenSSL configuration examples.
  5. Create the CA signed certificates by using the CA root certificate.

    • To create the CA signed server certificate, run the following command.
      openssl x509 -req -days 365 -in $HOME/hpvs/config/monitoring/keys/ca-certificates/server-certificate.csr -CA $HOME/hpvs/config/monitoring/keys/ca-certificates/myrootCA.crt -CAkey $HOME/hpvs/config/monitoring/keys/ca-certificates/myrootCA.key -CAcreateserial -out ./server-certificate.crt

    • To create the CA signed client certificate, run the following command.
      openssl x509 -req -days 365 -in $HOME/hpvs/config/monitoring/keys/ca-certificates/client-certificate.csr -CA $HOME/hpvs/config/monitoring/keys/ca-certificates/myrootCA.crt -CAkey $HOME/hpvs/config/monitoring/keys/ca-certificates/myrootCA.key -CAcreateserial -out ./client-certificate.crt

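The whole flow from steps 2 to 5 (root CA, non-interactive server CSR with extendedKeyUsage=serverAuth and a SAN, signing with openssl x509 -req) as an added, runnable example that is not part of the product documentation. It creates the self-signed root with openssl req -x509 instead of openssl ca -selfsign so that no index.txt/serial database is needed, and every name (Example Org, monitoring.example.com, the temporary work directory) is a constructed value. It also shows the check a practitioner wants after step 5: that the signed certificate chains to myrootCA.crt and actually carries the SAN and EKU from the configuration file, which openssl x509 -req only does when the extension section is passed with -extfile.

```shell
#!/bin/sh
# Added example, not from the product documentation: sign a server CSR with a
# throwaway root CA, then check that the SAN and extendedKeyUsage from the
# config file really ended up in the certificate. All names are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Self-signed root via "openssl req -x509" rather than "openssl ca -selfsign", so no CA database is needed.
make_root_ca() {
  printf '[req]\nprompt = no\ndistinguished_name = dn\nx509_extensions = root_ext\n[dn]\nO = Example Org\nCN = Example Root CA\n' > "$WORK/myca.cnf"
  printf '[root_ext]\nbasicConstraints = critical, CA:TRUE\nkeyUsage = keyCertSign, cRLSign\n' >> "$WORK/myca.cnf"
  openssl genrsa -out "$WORK/myrootCA.key" 2048 2>/dev/null
  openssl req -x509 -new -sha256 -days 1 -config "$WORK/myca.cnf" \
    -key "$WORK/myrootCA.key" -out "$WORK/myrootCA.crt"
}

# Non-interactive server CSR; the [ext] section carries the SAN and serverAuth EKU.
make_server_cert() {
  cat > "$WORK/server-certificate.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
O = Example Org
CN = monitoring.example.com
[ext]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:monitoring.example.com, DNS:example.com
EOF
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl req -new -config "$WORK/server-certificate.cnf" \
    -key "$WORK/server.key" -out "$WORK/server-certificate.csr"
  # "openssl x509 -req" does not copy the CSR's extensions: without -extfile
  # the signed certificate would have neither the SAN nor the EKU.
  openssl x509 -req -days 1 -sha256 -in "$WORK/server-certificate.csr" \
    -CA "$WORK/myrootCA.crt" -CAkey "$WORK/myrootCA.key" -CAcreateserial \
    -extfile "$WORK/server-certificate.cnf" -extensions ext \
    -out "$WORK/server-certificate.crt" 2>/dev/null
}

# Returns 0 only if the cert chains to the root and carries the expected extensions.
check_server_cert() {
  openssl verify -CAfile "$WORK/myrootCA.crt" "$WORK/server-certificate.crt" >/dev/null &&
    openssl x509 -noout -text -in "$WORK/server-certificate.crt" > "$WORK/server.txt" &&
    grep -q 'TLS Web Server Authentication' "$WORK/server.txt" &&
    grep -q 'DNS:monitoring.example.com' "$WORK/server.txt"
}

make_root_ca && make_server_cert && check_server_cert && echo "server-certificate.crt chains to myrootCA.crt with SAN and serverAuth EKU"
```

For a client certificate, change the [ext] section to extendedKeyUsage = clientAuth and drop the subjectAltName; the same -extfile/-extensions arguments apply.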

Next

You can configure the monitoring infrastructure by following the instructions from the topic Working with Monitoring virtual servers.