Optional: Creating test root and server certificates

This section describes how to create your own certificate authority (CA) root certificate and server certificate for testing purposes. However, it is strongly recommended that you use a server certificate issued by a well-known certificate authority. If you use a server certificate issued by a well-known certificate authority, you can skip this section.

About this task

To create the certificate authority (CA) root certificate and server certificate, complete the following steps:

Procedure

  1. Generate a private key:
    openssl genrsa -des3 -out myCA.key 2048
  2. Generate a root certificate. For convenience, identify the certificate as the root certificate in the Common Name field:
    openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem
    Enter pass phrase for myCA.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:Massachusetts
    Locality Name (eg, city) []:Waltham
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Company Name
    Organizational Unit Name (eg, section) []:MFA
    Common Name (e.g. server FQDN or YOUR name) []:MFA Root Certificate
    Email Address []:user@company.com
  3. Create a private key:
    openssl genrsa -out test-server.key 2048
  4. Create a certificate signing request (CSR). For convenience, identify the certificate as the server certificate in the Common Name field:
    openssl req -new -key test-server.key -out test-server.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:Massachusetts
    Locality Name (eg, city) []:Waltham
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Company Name
    Organizational Unit Name (eg, section) []:MFA
    Common Name (e.g. server FQDN or YOUR name) []:your_server_fqdn
    Email Address []:user@company.com
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
  5. Use an editor to create an extension file for the server certificate (test-server.ext in these examples). Ensure that you specify subject alternative names that cover all names that a user might enter in the browser to access the server.
    authorityKeyIdentifier=keyid,issuer
    basicConstraints=CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    subjectAltName = @alt_names
    
    [alt_names]
    DNS.1 = fully-qualified-host-name
    DNS.2 = short-name
    DNS.3 = IP address
  6. Create the server certificate using the CSR, the CA private key, the CA certificate, and the extension file:
    openssl x509 -req -in test-server.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out test-server.pem -days 1825 -sha256 -extfile test-server.ext
    Signature ok
    subject=/C=US/ST=Massachusetts/L=Waltham/O=Company/OU=MFA/CN=fqdn/emailAddress=user@company.com
    Getting CA Private Key
    Enter pass phrase for myCA.key:
  7. Display the server certificate. Note that it is issued by the CA root, with the subject alternative names from the extension file.
    openssl x509 -in test-server.pem -text
    
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                e8:e4:50:85:c4:eb:b5:ba
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=US, ST=Massachusetts, L=Waltham, O=Company, OU=MFA, CN=MFA Root Certificate/emailAddress=user@company.com
            Validity
                Not Before: Dec  1 19:30:02 2017 GMT
                Not After : Nov 30 19:30:02 2022 GMT
            Subject: C=US, ST=Massachusetts, L=Waltham, O=Company, OU=MFA, CN=fqdn/emailAddress=user@company.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:ac:ed:13:11:8e:34:dd:98:03:19:1c:03:d9:1e:
                        f1:9b:c6:74:00:ce:36:3a:b1:fc:f7:c8:0c:c6:bf:
                        33:91:dc:c5:31:d1:2f:07:03:1b:62:9f:aa:64:d9:
                        e2:1e:ae:6c:d2:ab:4d:29:2b:0e:4b:dc:ef:43:b2:
                        59:14:97:d0:db:ca:fc:d8:67:fa:51:5f:a4:0d:93:
                        d3:ab:b1:e8:cd:24:62:c4:c8:b9:69:f1:f8:e1:8a:
                        49:72:d9:c7:1f:c4:30:31:f7:c9:0a:65:fe:3c:3a:
                        54:cf:9e:de:98:64:8d:04:53:09:08:95:67:10:ba:
                        7e:b6:46:1c:1c:4a:00:75:7c:1c:0d:6e:0e:dd:19:
                        7d:12:c3:be:f7:9d:04:a0:32:92:9d:f2:5e:58:87:
                        95:da:8e:5f:6e:5f:d6:f6:22:74:4d:a5:02:4b:d8:
                        8e:07:98:f9:93:5e:11:67:83:27:dd:3b:90:4c:c1:
                        25:c5:1f:c9:60:fb:0c:02:5d:a5:ed:87:eb:d5:9e:
                        14:fe:12:6a:06:52:34:37:b9:73:70:2b:c4:16:cc:
                        cd:ed:21:d5:3a:3b:12:f1:21:6e:01:ab:51:3d:c9:
                        c7:9e:12:62:b3:8f:53:97:f7:2b:57:f0:2a:52:fe:
                        b7:55:54:d7:fa:05:2d:8a:a9:f2:6a:43:d3:8c:c3:
                        39:31
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Authority Key Identifier:
                    keyid:F5:B2:B7:0E:D7:1A:C3:9B:7B:66:3A:C7:17:1F:42:B5:07:71:FF:94
    
                X509v3 Basic Constraints:
                    CA:FALSE
                X509v3 Key Usage:
                    Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
                X509v3 Subject Alternative Name:
                    DNS:fully-qualified-hostname, DNS:hostname, DNS:IP address
        Signature Algorithm: sha256WithRSAEncryption
             46:25:e4:db:d9:24:93:b7:18:31:c1:96:d0:dd:82:c5:e8:2c:
             da:c3:79:cd:8a:a4:7e:6d:83:62:cc:07:e2:87:9d:2e:2f:54:
             12:9e:a7:47:ce:f3:09:6d:23:6c:8d:4d:b7:19:ca:63:da:92:
             bc:e5:9f:e3:91:92:a5:10:f3:47:56:ca:1f:ec:fe:5c:b6:d2:
             0c:03:a7:49:ee:7d:69:35:44:3d:1b:ce:10:01:d2:0a:5c:51:
             3a:e5:97:93:61:b3:6e:ca:6e:63:cd:44:79:7c:d7:4e:2b:cf:
             40:d3:25:fb:16:9d:49:8b:a8:11:9e:d0:79:3c:5f:9e:51:eb:
             49:6e:62:77:fb:93:fc:2d:a1:b2:e7:77:20:a4:07:4d:6f:c8:
             8e:ff:14:fc:5a:4a:16:c0:9c:21:de:3e:72:8b:16:e7:0e:15:
             00:d5:16:db:2e:8c:e4:0d:e8:9e:d8:de:10:d8:91:4c:df:a5:
             4a:0d:c2:14:03:46:d2:9e:a2:f6:a4:e8:62:58:a5:86:bd:7f:
             de:ed:d7:41:b6:91:c6:1c:cc:cb:85:bb:6a:f3:84:ec:00:d0:
             45:fa:dd:84:73:39:04:12:f9:9d:aa:cc:85:3a:7d:7f:7b:ed:
             01:5f:23:95:3c:a5:11:5d:7e:96:01:64:6c:66:8c:e3:d7:a8:
             af:0e:12:6a
    -----BEGIN CERTIFICATE-----
    MIIEXzCCA0egAwIBAgIJAOjkUIXE67W6MA0GCSqGSIb3DQEBCwUAMIGoMQswCQYD
    VQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVzZXR0czEQMA4GA1UEBwwHV2FsdGhh
    bTEYMBYGA1UECgwPUm9ja2V0IFNvZnR3YXJlMQ0wCwYDVQQLDARQTUZBMR4wHAYD
    VQQDDBVQTUZBIFJvb3QgQ2VydGlmaWNhdGUxJjAkBgkqhkiG9w0BCQEWF3VzZXJA
    cm9ja2V0c29mdHdhcmUuY29tMB4XDTE3MTIwMTE5MzAwMloXDTIyMTEzMDE5MzAw
    MlowgaoxCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNldHRzMRAwDgYD
    VQQHDAdXYWx0aGFtMRgwFgYDVQQKDA9Sb2NrZXQgU29mdHdhcmUxDTALBgNVBAsM
    BFBNRkExIDAeBgNVBAMMF1Rlc3QgU2VydmVyIENlcnRpZmljYXRlMSYwJAYJKoZI
    hvcNAQkBFhd1c2VyQHJvY2tldHNvZnR3YXJlLmNvbTCCASIwDQYJKoZIhvcNAQEB
    BQADggEPADCCAQoCggEBAKztExGONN2YAxkcA9ke8ZvGdADONjqx/PfIDMa/M5Hc
    xTHRLwcDG2KfqmTZ4h6ubNKrTSkrDkvc70OyWRSX0NvK/Nhn+lFfpA2T06ux6M0k
    YsTIuWnx+OGKSXLZxx/EMDH3yQpl/jw6VM+e3phkjQRTCQiVZxC6frZGHBxKAHV8
    HA1uDt0ZfRLDvvedBKAykp3yXliHldqOX25f1vYidE2lAkvYjgeY+ZNeEWeDJ907
    kEzBJcUfyWD7DAJdpe2H69WeFP4SagZSNDe5c3ArxBbMze0h1To7EvEhbgGrUT3J
    x54SYrOPU5f3K1fwKlL+t1VU1/oFLYqp8mpD04zDOTECAwEAAaOBhzCBhDAfBgNV
    HSMEGDAWgBT1srcO1xrDm3tmOscXH0K1B3H/lDAJBgNVHRMEAjAAMAsGA1UdDwQE
    AwIE8DBJBgNVHREEQjBAgiF3YWxkZXZwc2NhaXgzOC5yb2NrZXRzb2Z0d2FyZS5j
    b22CDndhbGRldnBzY2FpeDM4ggsxMC4xNy41Ni44MzANBgkqhkiG9w0BAQsFAAOC
    AQEARiXk29kkk7cYMcGW0N2Cxegs2sN5zYqkfm2DYswH4oedLi9UEp6nR87zCW0j
    bI1NtxnKY9qSvOWf45GSpRDzR1bKH+z+XLbSDAOnSe59aTVEPRvOEAHSClxROuWX
    k2GzbspuY81EeXzXTivPQNMl+xadSYuoEZ7QeTxfnlHrSW5id/uT/C2hsud3IKQH
    TW/Ijv8U/FpKFsCcId4+cosW5w4VANUW2y6M5A3ontjeENiRTN+lSg3CFANG0p6i
    9qToYlilhr1/3u3XQbaRxhzMy4W7avOE7ADQRfrdhHM5BBL5narMhTp9f3vtAV8j
    lTylEV1+lgFkbGaM49eorw4Sag==
    -----END CERTIFICATE-----
    
  8. Convert the server certificate and private key to PKCS #12 format. Enter a password of your choice when prompted.
    openssl pkcs12 -export -chain -inkey test-server.key -CAfile myCA.pem -in test-server.pem -out test-server.pfx
    
    Enter Export Password:
    Verifying - Enter Export Password:
    
  9. Configure the IBM® MFA server to use this PKCS #12 server identity and passphrase.
    1. Use the secure copy (scp) command to copy the resulting file to the /etc/security/mfa/certificates directory on the IBM MFA server system.
    2. Change directory (cd) to /opt/IBM/MFA/bin.
    3. Create an input file of the following format:
      # initial trace level for MFA server
      INITIAL TRACE LEVEL=0
      
      # location of the P12 identity certificate for the MFA server
      P12 LOCATION=/etc/security/mfa/certificates/test-server.pfx
      
      # PKCS11 token used while encrypting P12 password
      PKCS11 TOKEN NAME=mfa
      
      # directory or PEM file containing CAs that will be trusted by the MFA server
      CAS LOCATION=/etc/security/mfa/certificates/client.pem
      
      # port to use for server-authentication
      SERVER AUTH PORT=6793
      
      # port to use for mutual authentication
      MUTUAL AUTH PORT=6794
      
      # port to use for ZVM Host communications
      ZVM PORT=6787
      
    4. Run the following command as root.
      ./azf_webserver_config input-file
      See Completing the server setup for complete information on the azf_webserver_config utility parameters.
  10. Use the CA root certificate (myCA.pem in the examples) for the client trust store you create.
    
    TRUSTEDCAS = /etc/security/mfa/certificates/myCA.pem
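As an added example, not part of the IBM documentation above, the following POSIX shell script runs steps 1 to 8 without interactive prompts (using -subj, -passin and -passout in place of the typed answers) and then runs the checks worth doing before trusting the result: the server certificate chains to myCA.pem, the host name and the IP address match its subject alternative names, the certificate is not itself a CA, and the PKCS #12 bundle opens with the export password and carries both certificates. Every host name, IP address, passphrase and DN value in it is a constructed placeholder. Two deliberate departures from the steps above: the CA key is encrypted with AES-256 instead of -des3, and the IP address is listed in the extension file as IP.1 rather than DNS.3, because clients match an IP address only against iPAddress SAN entries, not against dNSName entries.

```shell
#!/bin/sh
# Added example, not part of the IBM documentation: steps 1-8 run without prompts,
# followed by the checks a practitioner would run before trusting the result.
# Every host name, IP address, passphrase and DN value below is a constructed placeholder.

CA_PASS="ca-test-pass"          # constructed; the page prompts for this interactively
EXPORT_PASS="export-test-pass"  # constructed; password for the PKCS #12 bundle
DN_PREFIX="/C=US/ST=Massachusetts/L=Waltham/O=Company Name/OU=MFA"

# make_test_pki WORKDIR FQDN SHORTNAME IP
# The body runs in a subshell, so cd and exit stay local to the function.
make_test_pki() (
  workdir=$1; fqdn=$2; shortname=$3; ip=$4
  mkdir -p "$workdir" && cd "$workdir" || exit 1

  # Step 1: CA private key, passphrase-protected (AES-256 here instead of the page's -des3)
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out myCA.key 2048 || exit 1

  # Step 2: self-signed root certificate; the CN marks it as the root
  openssl req -x509 -new -key myCA.key -passin "pass:$CA_PASS" -sha256 -days 1825 \
    -subj "$DN_PREFIX/CN=MFA Root Certificate" -out myCA.pem || exit 1

  # Step 3: server private key
  openssl genrsa -out test-server.key 2048 || exit 1

  # Step 4: CSR with the server FQDN as CN
  openssl req -new -key test-server.key -subj "$DN_PREFIX/CN=$fqdn" -out test-server.csr || exit 1

  # Step 5: extension file. The IP address goes in an IP.n entry (the page shows DNS.3);
  # clients match IP addresses against iPAddress SANs only, never against dNSName entries.
  cat > test-server.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = $fqdn
DNS.2 = $shortname
IP.1 = $ip
EOF

  # Step 6: sign the CSR with the CA key and apply the extensions
  openssl x509 -req -in test-server.csr -CA myCA.pem -CAkey myCA.key -passin "pass:$CA_PASS" \
    -CAcreateserial -out test-server.pem -days 1825 -sha256 -extfile test-server.ext || exit 1

  # Step 8: PKCS #12 bundle holding the server key, server certificate and the CA chain
  openssl pkcs12 -export -chain -inkey test-server.key -CAfile myCA.pem -in test-server.pem \
    -passout "pass:$EXPORT_PASS" -out test-server.pfx || exit 1
)

# verify_test_pki WORKDIR FQDN IP
# Returns 0 only if every check passes.
verify_test_pki() (
  workdir=$1; fqdn=$2; ip=$3
  cd "$workdir" || exit 1

  # The server certificate must chain to the test root ...
  openssl verify -CAfile myCA.pem test-server.pem >/dev/null || exit 1
  # ... and match both the host name and the IP address through its SAN entries
  openssl verify -CAfile myCA.pem -verify_hostname "$fqdn" test-server.pem >/dev/null || exit 1
  openssl verify -CAfile myCA.pem -verify_ip "$ip" test-server.pem >/dev/null || exit 1
  # The server certificate must not be able to act as a CA
  openssl x509 -in test-server.pem -noout -ext basicConstraints | grep -q 'CA:FALSE' || exit 1
  # The bundle must open with the export password and carry both certificates
  n=$(openssl pkcs12 -in test-server.pfx -passin "pass:$EXPORT_PASS" -nokeys | grep -c 'BEGIN CERTIFICATE')
  [ "$n" -eq 2 ] || exit 1

  # Step 7, in short form: show issuer, subject and SANs
  openssl x509 -in test-server.pem -noout -issuer -subject -ext subjectAltName
)

# Stand-alone run: build the test PKI in a fresh directory and check it
demo_dir=$(mktemp -d)
make_test_pki "$demo_dir" mfa.example.test mfa 192.0.2.10 &&
  verify_test_pki "$demo_dir" mfa.example.test 192.0.2.10 &&
  echo "test PKI created and verified in $demo_dir"
```

The verification step is the part worth keeping around: a certificate that "looks right" in the step 7 dump can still fail in a browser if the name the user types is missing from the SAN list, and -verify_hostname and -verify_ip reproduce that client-side matching before the .pfx is copied to the server.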