Creating the certificates
You need to create the certificates to communicate with the Hyper Protect Secure Build server.
Creating the client certificate and client CA
Complete the following steps:
- Use the build.py script to create certificate-authority (CA) and client certificates that are used for the secure communication from your client script to the HPSB instance:

      ./build.py create-client-cert --env <path>/sbs-config.json

  After the command completes, a directory is created with a name similar to .SBContainer-9ab033ad-5da1-4c4e-8eae-ca8c468dbbcc.d. In the sbs-config.json file, two additional parameters, UUID and SECRET, are added. UUID is used along with the container name where the generated certificates are stored. SECRET holds a randomly generated value, which needs to be preserved securely and is used to deal with the base image of HPSB when creating the server certificate and server key.

  Note:
  - Follow the best practices of certificate management.
  - The CA certificate must not be compromised or revoked.
  - Third-party certificates are not supported.
- Use your own certificate-authority (CA) and client certificates.
  - Go to the CLI directory. If it is located at ~/git, run the following command:

        cd ~/git/secure-build-cli

  - Add the following path names to the sbs-config.json file. Note that server-csr.pem and server-cert.pem do not exist as yet. If the ./sbs-keys directory does not exist, you can create one by using the command mkdir ./sbs-keys.

        "CAPATH": "Path to CA certificate",
        "CAKEYPATH": "Path to CA key",
        "CLIENT_CRT_KEY": "Path to concatenated client cert and key", // cat my-client-cert.pem my-client-cert-key.pem > my-client-cert-and-key.pem
        "CSRPATH": "./sbs-keys/server-csr.pem",
        "CERTPATH": "./sbs-keys/server-cert.pem",

  Note:
  - Follow the best practices of certificate management.
  - The CA certificate must not be compromised or revoked.
  - Third-party certificates are not supported.
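The following Python helper is an added example, not part of the IBM documentation or of the secure-build-cli project: it performs the "use your own CA" preparation described in the steps above by concatenating the client certificate and key (the effect of the cat command shown in the comment), refusing to write a bundle whose PEM layout is not one certificate followed by one private key, creating ./sbs-keys, and writing the CAPATH, CAKEYPATH, CLIENT_CRT_KEY, CSRPATH and CERTPATH entries into sbs-config.json while leaving server-csr.pem and server-cert.pem for build.py create-server-cert to produce. The function names, the PEM-layout check, the 0600 mode on the bundle, and the placeholder PEM files written by demo() are assumptions of this example.

```python
import json
import os
import re
import tempfile
from pathlib import Path

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

def pem_block_types(text):
    """Ordered list of PEM block types (e.g. CERTIFICATE, PRIVATE KEY) found in text."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def concat_client_cert_and_key(cert_path, key_path, out_path):
    """Same effect as `cat my-client-cert.pem my-client-cert-key.pem > out`, but refuses
    to write a bundle that is not exactly one certificate followed by one private key."""
    bundle = Path(cert_path).read_text() + Path(key_path).read_text()
    types = pem_block_types(bundle)
    if len(types) != 2 or types[0] != "CERTIFICATE" or not types[1].endswith("PRIVATE KEY"):
        raise ValueError(f"unexpected PEM layout {types}")
    Path(out_path).write_text(bundle)
    os.chmod(out_path, 0o600)  # the bundle carries the client private key (assumed mode)
    return types

def add_own_ca_paths(config_path, ca_path, ca_key_path, client_bundle, keys_dir="./sbs-keys"):
    """Write CAPATH/CAKEYPATH/CLIENT_CRT_KEY/CSRPATH/CERTPATH into sbs-config.json. The CA files
    and client bundle must exist now; the CSR and server cert are made later by create-server-cert."""
    for p in (ca_path, ca_key_path, client_bundle):
        if not Path(p).is_file():
            raise FileNotFoundError(p)
    Path(keys_dir).mkdir(parents=True, exist_ok=True)  # equivalent of mkdir ./sbs-keys
    cfg = json.loads(Path(config_path).read_text()) if Path(config_path).is_file() else {}
    cfg.update({"CAPATH": ca_path, "CAKEYPATH": ca_key_path, "CLIENT_CRT_KEY": client_bundle,
                "CSRPATH": f"{keys_dir}/server-csr.pem", "CERTPATH": f"{keys_dir}/server-cert.pem"})
    Path(config_path).write_text(json.dumps(cfg, indent=2) + "\n")
    return cfg

def demo():
    """Constructed sample run in a temp dir; the PEM bodies are placeholders, not real keys."""
    root = Path(tempfile.mkdtemp())
    cert = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
    key = "-----BEGIN PRIVATE KEY-----\nMIIE...placeholder...\n-----END PRIVATE KEY-----\n"
    for name, body in (("ca.pem", cert), ("ca-key.pem", key), ("client.pem", cert), ("client-key.pem", key)):
        (root / name).write_text(body)
    bundle = root / "my-client-cert-and-key.pem"
    types = concat_client_cert_and_key(root / "client.pem", root / "client-key.pem", bundle)
    cfg = add_own_ca_paths(root / "sbs-config.json", str(root / "ca.pem"), str(root / "ca-key.pem"),
                           str(bundle), str(root / "sbs-keys"))
    return {"types": types, "cfg": cfg, "keys_dir_exists": (root / "sbs-keys").is_dir()}
```

Run demo() to see the resulting sbs-config.json entries; on a real system point the paths at your own CA certificate, CA key and client files instead.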
Creating the server certificate and server key
Use the build.py script to create the server certificate signed by the CA certificate that was generated in the previous step. It is used to set up the secure communication on the server.

    ./build.py create-server-cert --env <path>/sbs-config.json
Retrieving the client certificate and CA, server certificate and key in Base64 encoding
Get the environment key-value pairs to be used in the instance-create command by running the following command:

    ./build.py instance-env --env <path>/sbs-config.json

Take note of the values of CLIENT_CRT, CLIENT_CA, SERVER_CRT, and SERVER_KEY from the command output.