Creating OpenSSL certificates for GREP11 Virtual Servers

You can generate Certificate Authority (CA) signed certificates for the GREP11 infrastructure by using the openssl utility.

This procedure is intended for users with the role cloud administrator.

Before you begin

  • Ensure that OpenSSL is installed on the workstation that you use to generate the certificates.

Procedure

Complete the following steps on your workstation with root user authority.

  1. Generate the CA key by running the following command.

    openssl genrsa -out ca.key 2048
    
  2. Create the CA certificate by running the following command.

    openssl req -new -x509 -key ca.key -days 730 -out ca.pem
    
  3. Generate the Server key by running the following command.

    openssl genrsa -out server-key.pem 2048
    
  4. Export the COMMON_NAME (fully qualified domain name), path length, and Subject Alternative Name (to indicate all of the domain names and IP addresses that are secured by the certificate) by running the following commands. These values will be used to generate the server certificate.

    export COMMON_NAME=grep11.example.com
    export PATHLEN=CA:true
    export SUBJECT_ALT_NAME=DNS:<domain-name:port>,IP:<ip>

    For example: export SUBJECT_ALT_NAME=DNS:grep11.example.com:9876,IP:10.20.6.62
    
  5. Create the openssl.cnf file and copy the content given below.

     # OpenSSL configuration file.
     #
    
     # Establish working directory.
    
     dir   = .
    
     [ ca ]
     default_ca  = CA_default
    
     [ CA_default ]
     serial   = $dir/serial
     #database  = ${ENV::DIR}/index.txt
     #new_certs_dir  = $dir/newcerts
     #private_key       = $dir/ca.key
     #certificate       = $dir/ca.cer
     default_days  = 730
     default_md  = sha256
     preserve  = no
     email_in_dn  = no
     nameopt   = default_ca
     certopt   = default_ca
     default_crl_days = 45
     policy   = policy_match
    
     [ policy_match ]
     countryName  = match
     stateOrProvinceName = optional
     organizationName = match
     organizationalUnitName = optional
     commonName  = supplied
     emailAddress  = optional
    
     [ req ]
     default_md  = sha256
     distinguished_name = req_distinguished_name
     prompt             = yes
    
     [ req_distinguished_name ]
     #countryName = Country
     #countryName_default = US
     #countryName_min = 2
     #countryName_max = 2
     #localityName = Locality
     #localityName_default = Los Angeles
     #organizationName = Organization
     #organizationName_default = IBM
     #commonName = Common Name
     #commonName_max = 64
    
     C  = US
     ST = California
     L  = Los Angeles
     O  = IBM
     CN = ${ENV::COMMON_NAME}
    
     [ certauth ]
     subjectKeyIdentifier = hash
     authorityKeyIdentifier = keyid:always,issuer:always
     keyUsage = digitalSignature, keyEncipherment, dataEncipherment, keyCertSign, cRLSign
     basicConstraints = ${ENV::PATHLEN}
     #crlDistributionPoints = @crl
    
     [ server ]
     basicConstraints = CA:FALSE
     keyUsage = digitalSignature, keyEncipherment, dataEncipherment
     extendedKeyUsage = serverAuth
     nsCertType = server
     crlDistributionPoints = @crl
     subjectAltName = ${ENV::SUBJECT_ALT_NAME}
    
     [ client ]
     basicConstraints = CA:FALSE
     keyUsage = digitalSignature, keyEncipherment, dataEncipherment
     extendedKeyUsage = clientAuth,msSmartcardLogin
     nsCertType = client
     crlDistributionPoints = @crl
     authorityInfoAccess = @ocsp_section
     subjectAltName = @alt_names
    
     [ selfSignedServer ]
     subjectKeyIdentifier = hash
     authorityKeyIdentifier = keyid:always,issuer:always
     keyUsage = digitalSignature, keyEncipherment, dataEncipherment
     basicConstraints = CA:FALSE
     subjectAltName = ${ENV::SUBJECT_ALT_NAME}
     extendedKeyUsage = serverAuth
    
     [ selfSignedClient ]
     subjectKeyIdentifier = hash
     authorityKeyIdentifier = keyid:always,issuer:always
     keyUsage = digitalSignature, keyEncipherment, dataEncipherment
     basicConstraints = CA:FALSE
     subjectAltName = @alt_names
     extendedKeyUsage = clientAuth
    
     [ server_client ]
     subjectKeyIdentifier = hash
     keyUsage = digitalSignature, keyEncipherment, dataEncipherment
     basicConstraints = CA:FALSE
     subjectAltName = ${ENV::SUBJECT_ALT_NAME}
     crlDistributionPoints = @crl
     extendedKeyUsage = serverAuth,clientAuth
    
     [ v3_intermediate_ca ]
     # Extensions for a typical intermediate CA (`man x509v3_config`).
     subjectKeyIdentifier = hash
     authorityKeyIdentifier = keyid:always,issuer
     basicConstraints = critical, ${ENV::PATHLEN}
     keyUsage = critical, digitalSignature, cRLSign, keyCertSign
     crlDistributionPoints = @crl
     authorityInfoAccess = @ocsp_section
    
     [ crl ]
     URI=http://localhost/ca.crl
    
     [ ocsp_section ]
     OCSP;URI.0 = http://localhost:2560/ocsp
    
     [ ocsp ]
     # Extension for OCSP signing certificates (`man ocsp`).
     basicConstraints = CA:FALSE
     subjectKeyIdentifier = hash
     authorityKeyIdentifier = keyid,issuer
     keyUsage = critical, digitalSignature
     extendedKeyUsage = critical, OCSPSigning
    
     [alt_names]
     # email= ${ENV::SUBJECT_ALT_NAME}
     otherName=msUPN;UTF8:${ENV::SUBJECT_ALT_NAME}
    
     [v3_conf]
     keyUsage = digitalSignature, keyEncipherment, dataEncipherment, keyCertSign, cRLSign
     basicConstraints = CA:FALSE
    
  6. Create the server certificate signing request by running the following command.

    openssl req -new -key server-key.pem -out server.csr
    
  7. Create the server certificate by running the following command.

    openssl x509 -sha256 -req -in server.csr -CA ca.pem -CAkey ca.key -set_serial 8086 -extfile openssl.cnf -extensions server -days 730 -outform PEM -out server.pem
    
  8. Create the client key by running the following command.

    openssl genrsa -out client-key.pem 2048
    
  9. Create the client certificate signing request by running the following command.

    openssl req -new -key client-key.pem -out client.csr
    
  10. Create the client certificate by running the following command.

    openssl x509 -req -days 730 -in client.csr -CA ca.pem -CAcreateserial -CAkey ca.key -out client.pem
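The following script is an added example that is not part of the IBM procedure above: it runs steps 1 through 10 non-interactively and then performs the checks an operator would want before handing the files to a GREP11 server. It assumes a POSIX sh and OpenSSL 1.1.0 or later, uses -subj in place of the interactive prompts, and writes a trimmed copy of only the [ server ] section of the page's openssl.cnf (the full file works the same way as an -extfile). The host name, IP address, subject fields and the CA serial 8086 are constructed sample values. The SAN is written as DNS:grep11.example.com without a port because a dNSName entry holds only a host name; the chain check uses the -verify_hostname option of openssl verify, which matches against that exact form.

```shell
#!/bin/sh
# Added example, not IBM's code: scripted version of the GREP11 certificate
# procedure plus post-generation checks. Assumes POSIX sh and OpenSSL >= 1.1.0.
set -eu

# Write a minimal extensions file holding the [ server ] section from the
# page's openssl.cnf (constructed, trimmed copy). ${ENV::...} is expanded by
# OpenSSL's config parser, not by the shell, hence the quoted heredoc.
write_ext_file() {
    cat > "$1" <<'EOF'
[ server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = ${ENV::SUBJECT_ALT_NAME}
EOF
}

# gen_grep11_certs DIR: create CA, server and client material in DIR.
gen_grep11_certs() {
    dir=$1
    mkdir -p "$dir"
    export COMMON_NAME=grep11.example.com                           # constructed
    export SUBJECT_ALT_NAME=DNS:grep11.example.com,IP:10.20.6.62    # constructed
    write_ext_file "$dir/openssl.cnf"

    # Steps 1 and 2: CA key and self-signed CA certificate.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/ca.key" -days 730 \
        -subj "/C=US/ST=California/L=Los Angeles/O=IBM/CN=GREP11 Test CA" \
        -out "$dir/ca.pem"

    # Steps 3, 6 and 7: server key, CSR and CA-signed server certificate
    # carrying the SAN from the [ server ] extension section.
    openssl genrsa -out "$dir/server-key.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/server-key.pem" \
        -subj "/C=US/ST=California/L=Los Angeles/O=IBM/CN=$COMMON_NAME" \
        -out "$dir/server.csr"
    openssl x509 -sha256 -req -in "$dir/server.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -set_serial 8086 -extfile "$dir/openssl.cnf" \
        -extensions server -days 730 -outform PEM -out "$dir/server.pem" 2>/dev/null

    # Steps 8, 9 and 10: client key, CSR and CA-signed client certificate.
    openssl genrsa -out "$dir/client-key.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/client-key.pem" \
        -subj "/C=US/ST=California/L=Los Angeles/O=IBM/CN=grep11-client" \
        -out "$dir/client.csr"
    openssl x509 -req -days 730 -in "$dir/client.csr" -CA "$dir/ca.pem" \
        -CAcreateserial -CAkey "$dir/ca.key" -out "$dir/client.pem" 2>/dev/null
}

# chain_ok DIR HOST: succeeds only if server.pem chains to ca.pem, is usable
# for the sslserver purpose and names HOST in its Subject Alternative Name.
chain_ok() {
    openssl verify -CAfile "$1/ca.pem" -purpose sslserver \
        -verify_hostname "$2" "$1/server.pem" >/dev/null 2>&1
}

# is_ca DIR FILE: succeeds if the certificate asserts CA:TRUE in basicConstraints.
# A leaf certificate that is accidentally a CA could sign further certificates.
is_ca() {
    openssl x509 -in "$1/$2" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# key_matches DIR: succeeds if the public key in server.pem is the one derived
# from server-key.pem, i.e. the certificate was issued for this private key.
key_matches() {
    [ "$(openssl x509 -in "$1/server.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$1/server-key.pem" -pubout)" ]
}
```

Run it as `. ./grep11-certs.sh; gen_grep11_certs ./out; chain_ok ./out grep11.example.com && echo ok`. A negative check is as useful as the positive one: `chain_ok ./out other.example.com` must fail, which confirms that clients will only accept the certificate for the name it was issued for.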
    

Next

You can proceed with configuring the GREP11 infrastructure as instructed in Working with GREP11 virtual servers.