Generate RBA server key and certificate request
Follow these steps to generate the RBA server key and certificate request.
Procedure
- Log in to the RBA server.
- Create the RBA server key file in a temporary directory. You can use another path if /tmp is not secure enough to temporarily store the new private key file:

  mkdir -p /tmp/rbakeys
  cd /tmp/rbakeys
  openssl genrsa -out rbaServerKey.pem 2048

  Note: The server key file rbaServerKey.pem must not be encrypted using a passphrase.
- Create an OpenSSL request configuration file called rbaServerCertReq.config with the following content:

  [req]
  req_extensions = v3_req
  distinguished_name = dn
  prompt = no

  [dn]
  CN = <FQDN of your RBA server>
  C = <Country Name (2 letter code)>
  L = <Locality Name (eg, city)>
  O = <Organization Name (eg, company)>
  OU = <Organizational Unit Name (eg, section)>

  [v3_req]
  subjectAltName = DNS:<FQDN of your RBA server>

  You can remove items that are unnecessary for your organization from the list of informational items below the [dn] entry. However, you must include the CN item. You can also add additional informational items (such as email address) according to the OpenSSL specification. Replace the remaining placeholders <...> with the appropriate information. For the CN field, enter the fully qualified domain name of the RBA server, for example, myrbaserver.mycompany.com. In the other fields, enter data that describes your location and organization, in accordance with your company's security guidelines.
- Create the RBA server certificate signing request (CSR) file:

  openssl req -new -key rbaServerKey.pem -sha256 -out rbaServerCert.csr -config rbaServerCertReq.config
- Enter the following command to review the CSR file:

  openssl req -in rbaServerCert.csr -noout -text
- Verify that the CSR file has a section such as the following:

  Requested Extensions:
      X509v3 Subject Alternative Name:
          DNS:<FQDN of your RBA server>

  In addition, make sure the common name field is set to the FQDN of the RBA server.
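The whole procedure as a script, added here as an example and not part of the original documentation: it generates the unencrypted key and the CSR from the configuration file above, then checks the CSR the way the last step describes (CN and subjectAltName both equal to the FQDN, key not passphrase-protected, CSR self-signature valid). The FQDN, the organization values and the working directory are assumed placeholders; substitute your own.

```shell
#!/bin/sh
# Added example (not from the RBA documentation). Assumed values: FQDN,
# [dn] fields and WORKDIR are placeholders you replace for your environment.
RBA_FQDN="${RBA_FQDN:-myrbaserver.mycompany.com}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"   # a directory only you can read, e.g. /tmp/rbakeys

gen_rba_csr() {
  fqdn="$1"
  # Unencrypted 2048-bit RSA key, as required (no -aes256/-des3 option).
  openssl genrsa -out "$WORKDIR/rbaServerKey.pem" 2048 2>/dev/null
  chmod 600 "$WORKDIR/rbaServerKey.pem"
  # Same layout as the rbaServerCertReq.config shown in the procedure.
  cat > "$WORKDIR/rbaServerCertReq.config" <<EOF
[req]
req_extensions = v3_req
distinguished_name = dn
prompt = no
[dn]
CN = $fqdn
C = US
L = Armonk
O = Example Corp
OU = Automation
[v3_req]
subjectAltName = DNS:$fqdn
EOF
  openssl req -new -key "$WORKDIR/rbaServerKey.pem" -sha256 \
    -out "$WORKDIR/rbaServerCert.csr" -config "$WORKDIR/rbaServerCertReq.config"
}

verify_rba_csr() {
  # Returns 0 only when the CSR for $1 passes every check from the review step.
  fqdn="$1"
  text=$(openssl req -in "$WORKDIR/rbaServerCert.csr" -noout -text) || return 1
  # CN appears as "CN=..." (OpenSSL 1.0) or "CN = ..." (1.1/3.x).
  echo "$text" | grep -Fq -e "CN=$fqdn" -e "CN = $fqdn" \
    || { echo "CN does not match $fqdn" >&2; return 1; }
  echo "$text" | grep -Fq "DNS:$fqdn" \
    || { echo "subjectAltName DNS:$fqdn missing" >&2; return 1; }
  grep -q ENCRYPTED "$WORKDIR/rbaServerKey.pem" \
    && { echo "key is passphrase-protected" >&2; return 1; }
  openssl req -in "$WORKDIR/rbaServerCert.csr" -noout -verify >/dev/null 2>&1 \
    || { echo "CSR self-signature does not verify" >&2; return 1; }
  return 0
}
```

Run `gen_rba_csr "$RBA_FQDN" && verify_rba_csr "$RBA_FQDN"` after sourcing the script; a non-zero exit with a message on stderr names the check that failed.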