Creating certificates

You need to create a root certificate, as well as a user certificate for the components of the user identity service.

You can create the necessary certificates using a certification authority or on your own using the OpenSSL and keytool utilities.

To create certificates using the OpenSSL and keytool utilities:

  1. On the primary node, create a directory for storing SSL certificates and change to this directory by running the following commands:

    mkdir ssl

    cd ssl

  2. Create a root certificate:
    1. Create a root certificate key named ca_key.pem by running the following command:

      openssl genpkey -algorithm RSA -out ca_key.pem -pkeyopt rsa_keygen_bits:4096

    2. Create a root certificate named ca.pem and sign it with the generated key by running the following command:

      openssl req -x509 -new -key ca_key.pem \
        -subj "<certificate parameters>" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign" \
        -days 3650 -out ca.pem

    3. Import the root certificate into a PKCS12 truststore named ca.p12 using the keytool utility (-storetype PKCS12 is passed explicitly because JDK 8 and earlier default to the JKS format regardless of the file name):

      keytool -import -file ca.pem -alias ca -keystore ca.p12 -storetype PKCS12

  3. Create the user certificate:
    1. Create a certificate key named uaws_key.pem by running the following command:

      openssl genpkey -algorithm RSA -out uaws_key.pem -pkeyopt rsa_keygen_bits:4096

    2. Create a certificate named uaws.pem and sign it with the generated key and the root certificate by running the following command (the -CA and -CAkey options of openssl req require OpenSSL 3.0 or later):

      openssl req -x509 -new -key uaws_key.pem \
        -subj "<certificate parameters>" \
        -addext "subjectAltName=DNS:collector,DNS:collector.<Microsoft Active Directory domain>,DNS:mapapp,DNS:mapapp.<Microsoft Active Directory domain>,DNS:groupapp,DNS:groupapp.<Microsoft Active Directory domain>,DNS:uaws,DNS:uaws.<Microsoft Active Directory domain>" \
        -addext "basicConstraints=critical,CA:FALSE" \
        -CA ca.pem \
        -CAkey ca_key.pem \
        -out uaws.pem \
        -days 365

    3. Pack the certificate together with its private key into a P12 file by running the following command (openssl prompts for an export password that protects the bundled key):

      openssl pkcs12 -export -in uaws.pem -out uaws.p12 -name collector -inkey uaws_key.pem
