Optional: Creating test root and server certificates
This section describes the optional case of creating your own certificate authority (CA) root certificate and server certificate if needed for testing purposes. However, it is strongly recommended that you use a server certificate issued by a well-known certificate authority. If you use a server certificate issued by a well-known certificate authority, you can skip this section.
About this task
To create the certificate authority (CA) root certificate and server certificate, complete the following steps:
Procedure
-
Generate a private key:
openssl genrsa -des3 -out myCA.key 2048
-
Generate a root certificate. For convenience, identify the certificate as the root certificate in the Common Name field:
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem
Enter pass phrase for myCA.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Massachusetts
Locality Name (eg, city) []:Waltham
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Company Name
Organizational Unit Name (eg, section) []:MFA
Common Name (e.g. server FQDN or YOUR name) []:MFA Root Certificate
Email Address []:user@company.com
-
Create a private key:
openssl genrsa -out test-server.key 2048
-
Create a certificate signing request (CSR). For convenience, identify the certificate as the server certificate in the Common Name field:
openssl req -new -key test-server.key -out test-server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Massachusetts
Locality Name (eg, city) []:Waltham
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Company Name
Organizational Unit Name (eg, section) []:MFA
Common Name (e.g. server FQDN or YOUR name) []:your_server_fqdn
Email Address []:user@company.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
-
Use an editor to create an extension file for the server certificate. Ensure that you specify subject alternate names that cover all names that a user might enter in the browser to access the server.
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = fully-qualified-host-name
DNS.2 = short-name
DNS.3 = IP address
-
Create the server certificate using the CSR, the CA private key, the CA certificate, and the extension file:
openssl x509 -req -in test-server.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out test-server.pem -days 1825 -sha256 -extfile test-server.ext
Signature ok
subject=/C=US/ST=Massachusetts/L=Waltham/O=Company/OU=MFA/CN=fqdn/emailAddress=user@company.com
Getting CA Private Key
Enter pass phrase for myCA.key:
-
Display the server certificate. Note that it is issued by the CA root, with the subject alternate names from the extension file.
openssl x509 -in test-server.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: e8:e4:50:85:c4:eb:b5:ba
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Massachusetts, L=Waltham, O=Company, OU=MFA, CN=MFA Root Certificate/emailAddress=user@company.com
        Validity
            Not Before: Dec 1 19:30:02 2017 GMT
            Not After : Nov 30 19:30:02 2022 GMT
        Subject: C=US, ST=Massachusetts, L=Waltham, O=Company, OU=MFA, CN=fqdn/emailAddress=user@company.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ac:ed:13:11:8e:34:dd:98:03:19:1c:03:d9:1e:
                    f1:9b:c6:74:00:ce:36:3a:b1:fc:f7:c8:0c:c6:bf:
                    33:91:dc:c5:31:d1:2f:07:03:1b:62:9f:aa:64:d9:
                    e2:1e:ae:6c:d2:ab:4d:29:2b:0e:4b:dc:ef:43:b2:
                    59:14:97:d0:db:ca:fc:d8:67:fa:51:5f:a4:0d:93:
                    d3:ab:b1:e8:cd:24:62:c4:c8:b9:69:f1:f8:e1:8a:
                    49:72:d9:c7:1f:c4:30:31:f7:c9:0a:65:fe:3c:3a:
                    54:cf:9e:de:98:64:8d:04:53:09:08:95:67:10:ba:
                    7e:b6:46:1c:1c:4a:00:75:7c:1c:0d:6e:0e:dd:19:
                    7d:12:c3:be:f7:9d:04:a0:32:92:9d:f2:5e:58:87:
                    95:da:8e:5f:6e:5f:d6:f6:22:74:4d:a5:02:4b:d8:
                    8e:07:98:f9:93:5e:11:67:83:27:dd:3b:90:4c:c1:
                    25:c5:1f:c9:60:fb:0c:02:5d:a5:ed:87:eb:d5:9e:
                    14:fe:12:6a:06:52:34:37:b9:73:70:2b:c4:16:cc:
                    cd:ed:21:d5:3a:3b:12:f1:21:6e:01:ab:51:3d:c9:
                    c7:9e:12:62:b3:8f:53:97:f7:2b:57:f0:2a:52:fe:
                    b7:55:54:d7:fa:05:2d:8a:a9:f2:6a:43:d3:8c:c3:
                    39:31
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:F5:B2:B7:0E:D7:1A:C3:9B:7B:66:3A:C7:17:1F:42:B5:07:71:FF:94
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Subject Alternative Name:
                DNS:fully-qualified-hostname, DNS:hostname, DNS:IP address
    Signature Algorithm: sha256WithRSAEncryption
         46:25:e4:db:d9:24:93:b7:18:31:c1:96:d0:dd:82:c5:e8:2c:
         da:c3:79:cd:8a:a4:7e:6d:83:62:cc:07:e2:87:9d:2e:2f:54:
         12:9e:a7:47:ce:f3:09:6d:23:6c:8d:4d:b7:19:ca:63:da:92:
         bc:e5:9f:e3:91:92:a5:10:f3:47:56:ca:1f:ec:fe:5c:b6:d2:
         0c:03:a7:49:ee:7d:69:35:44:3d:1b:ce:10:01:d2:0a:5c:51:
         3a:e5:97:93:61:b3:6e:ca:6e:63:cd:44:79:7c:d7:4e:2b:cf:
         40:d3:25:fb:16:9d:49:8b:a8:11:9e:d0:79:3c:5f:9e:51:eb:
         49:6e:62:77:fb:93:fc:2d:a1:b2:e7:77:20:a4:07:4d:6f:c8:
         8e:ff:14:fc:5a:4a:16:c0:9c:21:de:3e:72:8b:16:e7:0e:15:
         00:d5:16:db:2e:8c:e4:0d:e8:9e:d8:de:10:d8:91:4c:df:a5:
         4a:0d:c2:14:03:46:d2:9e:a2:f6:a4:e8:62:58:a5:86:bd:7f:
         de:ed:d7:41:b6:91:c6:1c:cc:cb:85:bb:6a:f3:84:ec:00:d0:
         45:fa:dd:84:73:39:04:12:f9:9d:aa:cc:85:3a:7d:7f:7b:ed:
         01:5f:23:95:3c:a5:11:5d:7e:96:01:64:6c:66:8c:e3:d7:a8:
         af:0e:12:6a
-----BEGIN CERTIFICATE-----
MIIEXzCCA0egAwIBAgIJAOjkUIXE67W6MA0GCSqGSIb3DQEBCwUAMIGoMQswCQYD
VQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVzZXR0czEQMA4GA1UEBwwHV2FsdGhh
bTEYMBYGA1UECgwPUm9ja2V0IFNvZnR3YXJlMQ0wCwYDVQQLDARQTUZBMR4wHAYD
VQQDDBVQTUZBIFJvb3QgQ2VydGlmaWNhdGUxJjAkBgkqhkiG9w0BCQEWF3VzZXJA
cm9ja2V0c29mdHdhcmUuY29tMB4XDTE3MTIwMTE5MzAwMloXDTIyMTEzMDE5MzAw
MlowgaoxCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNldHRzMRAwDgYD
VQQHDAdXYWx0aGFtMRgwFgYDVQQKDA9Sb2NrZXQgU29mdHdhcmUxDTALBgNVBAsM
BFBNRkExIDAeBgNVBAMMF1Rlc3QgU2VydmVyIENlcnRpZmljYXRlMSYwJAYJKoZI
hvcNAQkBFhd1c2VyQHJvY2tldHNvZnR3YXJlLmNvbTCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAKztExGONN2YAxkcA9ke8ZvGdADONjqx/PfIDMa/M5Hc
xTHRLwcDG2KfqmTZ4h6ubNKrTSkrDkvc70OyWRSX0NvK/Nhn+lFfpA2T06ux6M0k
YsTIuWnx+OGKSXLZxx/EMDH3yQpl/jw6VM+e3phkjQRTCQiVZxC6frZGHBxKAHV8
HA1uDt0ZfRLDvvedBKAykp3yXliHldqOX25f1vYidE2lAkvYjgeY+ZNeEWeDJ907
kEzBJcUfyWD7DAJdpe2H69WeFP4SagZSNDe5c3ArxBbMze0h1To7EvEhbgGrUT3J
x54SYrOPU5f3K1fwKlL+t1VU1/oFLYqp8mpD04zDOTECAwEAAaOBhzCBhDAfBgNV
HSMEGDAWgBT1srcO1xrDm3tmOscXH0K1B3H/lDAJBgNVHRMEAjAAMAsGA1UdDwQE
AwIE8DBJBgNVHREEQjBAgiF3YWxkZXZwc2NhaXgzOC5yb2NrZXRzb2Z0d2FyZS5j
b22CDndhbGRldnBzY2FpeDM4ggsxMC4xNy41Ni44MzANBgkqhkiG9w0BAQsFAAOC
AQEARiXk29kkk7cYMcGW0N2Cxegs2sN5zYqkfm2DYswH4oedLi9UEp6nR87zCW0j
bI1NtxnKY9qSvOWf45GSpRDzR1bKH+z+XLbSDAOnSe59aTVEPRvOEAHSClxROuWX
k2GzbspuY81EeXzXTivPQNMl+xadSYuoEZ7QeTxfnlHrSW5id/uT/C2hsud3IKQH
TW/Ijv8U/FpKFsCcId4+cosW5w4VANUW2y6M5A3ontjeENiRTN+lSg3CFANG0p6i
9qToYlilhr1/3u3XQbaRxhzMy4W7avOE7ADQRfrdhHM5BBL5narMhTp9f3vtAV8j
lTylEV1+lgFkbGaM49eorw4Sag==
-----END CERTIFICATE-----
-
Convert the server certificate and private key to PKCS #12 format. Enter a password of your choice when prompted.
openssl pkcs12 -export -chain -inkey test-server.key -CAfile myCA.pem -in test-server.pem -out test-server.pfx
Enter Export Password:
Verifying - Enter Export Password:
-
Configure the IBM® MFA server to use this PKCS #12 server identity and passphrase.
- Use the secure copy (scp) command to copy the resulting file to the /etc/security/mfa/certificates directory on the IBM MFA server system.
- Change directory (cd) to /opt/IBM/MFA/bin.
-
Create an input file of the following format:
# initial trace level for MFA server
INITIAL TRACE LEVEL=0
# location of the P12 identity certificate for the MFA server
P12 LOCATION=/etc/security/mfa/certificates/test-server.pfx
# PKCS11 token used while encrypting P12 password
PKCS11 TOKEN NAME=mfa
# directory or PEM file containing CAs that will be trusted by the MFA server
CAS LOCATION=/etc/security/mfa/certificates/client.pem
# port to use for server-authentication
SERVER AUTH PORT=6793
# port to use for mutual authentication
MUTUAL AUTH PORT=6794
# port to use for ZVM Host communications
ZVM PORT=6787
-
Run the following command as root:
./azf_webserver_config input-file
See Completing the server setup for complete information on the azf_webserver_config utility parameters.
-
Use the CA root certificate (myCA.pem in the examples) for the client trust store you create.
TRUSTEDCAS = /etc/security/mfa/certificates/myCA.pem
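As an added example that is not part of the IBM MFA documentation, the script below runs the OpenSSL steps of this procedure non-interactively and then performs the checks worth running before the .pfx is copied to the MFA server: that the server certificate chains to the root, is not itself a CA, carries the expected subject alternate names, and that the bundle opens with the export password. The host name mfa.example.test, the address 192.0.2.10 and the PFX_PASS variable are constructed for the example; openssl is assumed to be in PATH.

```shell
#!/bin/sh
# Added example, not from the IBM MFA documentation: the OpenSSL steps above
# run non-interactively, then the checks to run before installing the .pfx.
# Assumes openssl is in PATH; host name, address and PFX_PASS are constructed.
set -eu
cd "$(mktemp -d)"

make_test_pki() {
  # Steps 1-2: CA key and self-signed root (no pass phrase: test use only).
  openssl genrsa -out myCA.key 2048 2>/dev/null
  openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 \
    -subj "/C=US/ST=Massachusetts/O=Company/OU=MFA/CN=MFA Root Certificate" \
    -out myCA.pem
  # Steps 3-4: server key and CSR; the CN is an example host name.
  openssl genrsa -out test-server.key 2048 2>/dev/null
  openssl req -new -key test-server.key -out test-server.csr \
    -subj "/C=US/ST=Massachusetts/O=Company/OU=MFA/CN=mfa.example.test"
  # Step 5: extension file. An address goes in an IP entry, not a DNS entry,
  # because clients match https://192.0.2.10/ against iPAddress SANs only.
  cat > test-server.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = mfa.example.test
DNS.2 = mfa
IP.1 = 192.0.2.10
EOF
  # Step 6: sign the CSR with the CA key and apply the extension file.
  openssl x509 -req -in test-server.csr -CA myCA.pem -CAkey myCA.key \
    -CAcreateserial -days 1825 -sha256 -extfile test-server.ext \
    -out test-server.pem 2>/dev/null
  # Step 8: PKCS #12 bundle including the chain; password from PFX_PASS.
  openssl pkcs12 -export -chain -inkey test-server.key -CAfile myCA.pem \
    -in test-server.pem -passout "pass:${PFX_PASS:-changeit}" -out test-server.pfx
}

# Returns 0 only if the server certificate chains to the root, is not itself
# a CA, carries the IP SAN, and the .pfx opens with the export password.
check_test_pki() {
  openssl verify -CAfile myCA.pem test-server.pem >/dev/null &&
  openssl x509 -in test-server.pem -noout -text | grep -q 'CA:FALSE' &&
  openssl x509 -in test-server.pem -noout -text | grep -q 'IP Address:192.0.2.10' &&
  openssl pkcs12 -in test-server.pfx -passin "pass:${PFX_PASS:-changeit}" \
    -nokeys >/dev/null 2>&1
}
make_test_pki
check_test_pki && echo "test PKI OK in $(pwd)"
```

The extension file deliberately uses an IP.1 entry for the address: TLS clients compare an IP literal in the URL only against iPAddress subject alternate names, so an address placed in a DNS.n entry will not match.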