Certificates: Creating custom self-signed SSL certificates for CloudCenter

tuanngu4 — Mon, 10 Apr 2017 20:10:33 GMT

Summary:

By default, the CloudCenter Manager (CCM) appliance has a self-generated client certificate that resolves to example.com. The component of this certificate can be viewed while you are in the browsing session, often directly from the address bar. Since this certificate is self-generated and signed by an unknown provider, it may not be adequate if the CCM is being integrated into an enterprise ecosystem. The goal of this document is to explain the process to replace the default certificate with one that is signed either by a proper Private Key Infrastructure (PKI) or by a trusted public provider. To facilitate the comprehension of the end-to-end process, this document will contain the tasks to create the root certificate from the Certificate Authority (CA) as well as the signed client certificate. Within the appliance, the client SSL certificate is stored in the /usr/local/tomcat/conf/ssl directory and the file that references their usage is /usr/local/tomcat/conf/server.xml.

Create the certificates:

** The certificates generated by the following tasks are adequate only for testing purposes and/or internal usage

** These steps can be taken while logged on to the CCM

Create the certificate for the root CA

Generate the private key for the root CA
- openssl genrsa -des3 -out root-ca.key 2048
  - Determine your own passphrase

Generate the self-signed certificate for the root CA
- openssl req -new -x509 -days 3650 -key root-ca.key -out root-ca.crt
  - Enter the passphrase you used for the private key
    - Sample input

Country Name (2 letter code) [XX]:US

State or Province Name (full name) []:California

Locality Name (eg, city) [Default City]:San Francisco

Organization Name (eg, company) [Default Company Ltd]:My Organization

Organizational Unit Name (eg, section) []:My OrgUnit

Common Name (eg, your name or your server's hostname) []:sandbox.myorgunit.local

Email Address []:admin@myorgunit.local

Create the certificate for the server

Generate the private key for the server certificate
- openssl genrsa -des3 -out sandbox.key 2048
  - Optional - To remove the passphrase, type these commands:
    - cp sandbox.key sandbox.key.org
    - openssl rsa -in sandbox.key.org -out sandbox.key

Generate the CSR (Certificate Signing Request)
- openssl req –new –key sandbox.key –out sandbox.csr
  - Sample input

Country Name (2 letter code) [XX]:US

State or Province Name (full name) []:California

Locality Name (eg, city) [Default City]:San Francisco

Organization Name (eg, company) [Default Company Ltd]:My Organization

Organizational Unit Name (eg, section) []:My OrgUnit

Common Name (eg, your name or your server's hostname) []:sandbox.myorgunit.local

Email Address []:admin@myorgunit.local

Generate a new Self-Signed Certificate by using the root CA key
- openssl x509 –req –in sandbox.csr –CA root-ca.crt –CAkey root-ca.key –CAcreateserial -out sandbox.crt –days 3650

Place the newly created certificate in the proper directory on the CCM

Stop the Tomcat service

/etc/init.d/tomcat stop

Assuming your working directory is /tmp/certificates on the CCM

cp root-ca.crt sandbox.crt sandbox.key /usr/local/tomcat/conf/ssl

Change to the directory where the files are now stored and change the permissions of the new files

cd /usr/local/tomcat/conf/ssl
chown cliqruser:cliqruser root-ca.crt sandbox.crt sandbox.key

Edit the server.xml file to reflect the change in the location of the newly created certificate

Use vi to edit the file

vi /usr/local/tomcat/conf/server.xml

Find the section starting with <Connector port="10443" maxHttpHeaderSize=“8192” and modify the certificate name

Sample modification

<Connector port="10443" maxHttpHeaderSize="8192"

maxThreads="150"

enableLookups="false" disableUploadTimeout="true"

acceptCount="100" scheme="https" secure="true"

SSLEnabled="true"

SSLCertificateFile="${catalina.base}/conf/ssl/sandbox.crt"

SSLCertificateKeyFile="${catalina.base}/conf/ssl/sandbox.key"

compressableMimeType="text/html,text/xml,text/plain,application/javascript,application/json,text/javascript,text/css,application/css,image/x-icon,image/jpeg,image/png,image/svg+xml,application/x-shockwave-flash,application/x-java-jnlp-file,application/zip,application/x-font-ttf,application/x-font-opentype,application/x-font-woff,application/vnd.ms-fontobject" />

Start the Tomcat service

/etc/init.d/tomcat start

article Certificates: Creating custom self-signed SSL certificates for CloudCenter in Data Center and Cloud Knowledge Base

Certificates: Creating custom self-signed SSL certificates for CloudCenter