This is a draft document that was built and uploaded automatically. It may document beta software and be incomplete or even incorrect. Use this document at your own risk.

Chapter 3. Generate SUSE OpenStack Cloud Self Signed Certificate

Table of Contents

Create the CA Root Pair
Sign server and client certificates
Deploying the certificate
Generate Public Certificate using Let’s Encrypt

The purpose of this document is to help set up SSL support for several services in SUSE OpenStack Cloud. The scope of this document covers all public endpoints in your OpenStack cluster. In most cases you want a secure CA or an external CA to sign your certificates. You will sign with either a public CA or a self-signed CA, and include x509 extensions for Subject Alternative Names, since a highly available control plane may be reachable under alternate names.

Create the CA Root Pair

This section demonstrates how to create the certificate on the crowbar or admin node of the SUSE OpenStack Cloud Cluster.

Note

To avoid external access to your CA Root Pair, put it on an air-gapped system that is permanently isolated from the internet and unplug any cables from the ethernet port.

Procedure 3.1. Prepare the directory structure

  1. Create a directory for your CA Root pair:

               # ssh root@crowbar
               # mkdir -p ~/ssl/root/ca
             
  2. Create the directory structure and add the index.txt and serial files, which act as a flat-file database of all signed certificates:

               # cd ~/ssl/root/ca
               # mkdir certs crl newcerts private csr
               # chmod 700 private
               # touch index.txt
               # echo 1000 > serial
             

Procedure 3.2. Prepare the configuration file

This procedure takes you through the full setup. Note that when you set up the crowbar server, a directory structure already exists under /etc/ssl. This is where SUSE Linux typically keeps the CA certificate bundle created through YaST when the SMT server is set up. However, if you are using an external SMT server, you will not have this.

  1. Copy the /etc/ssl/openssl.cnf file into your CA directory. It is a good starting point because it is fully annotated.

               # cp /etc/ssl/openssl.cnf ./
             
  2. Edit the file and change the location variable:

               dir = /root/ssl/root/ca               # Where everything is kept
             

    Note

    Make sure dir points to the directory created earlier, /root/ssl/root/ca.

Procedure 3.3. Create the root key

  1. Create a 4096-bit RSA root key, encrypted with AES-256 and protected by a passphrase.

              # cd ~/ssl/root/ca
              # openssl genrsa -aes256 -out private/cakey.pem 4096
            
  2. You are prompted to enter the passphrase and then to confirm it. Afterwards, restrict the permissions on the key file so that only its owner can read it:

              # chmod 400 private/cakey.pem
            

Procedure 3.4. Create the root certificates

  • Use the root key (cakey.pem) to create the root certificate (cacert.pem). It is important to give it a long expiration, because every certificate signed by it becomes invalid when it expires.

               # cd ~/ssl/root/ca
               # openssl req -config openssl.cnf -key private/cakey.pem -new -x509 -days 10950 -sha256 -extensions v3_ca -out cacert.pem
               Enter pass phrase for cakey.pem: enteryourpassword
               You are about to be asked to enter information that will be incorporated
               into your certificate request.
               -----
               Country Name (2 letter code) [AU]:US
               State or Province Name []:Idaho
               Locality Name []:Meridian
               Organization Name []:SUSEDojo
               Organizational Unit Name []:dojo
               Common Name []:susedojo.com
               Email Address []:admin@susedojo.com
    
               # chmod 444 cacert.pem
             

Procedure 3.5. Verify the root certificates

  • Verify that the certificate has the expected validity dates, signature algorithm, Issuer, Subject, and X509v3 extensions. The Issuer and Subject are identical because the certificate is self-signed.

              # cd ~/ssl/root/ca
              # openssl x509 -noout -text -in cacert.pem
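
The five procedures above, run end to end as one script. This is an added example and is not part of the SUSE OpenStack Cloud documentation or the crowbar tooling. It assumes the CA directory is given in the CA_DIR environment variable (instead of /root/ssl/root/ca), that the passphrase is given in CA_PASSPHRASE (instead of the interactive prompt), and it writes a minimal openssl.cnf of its own rather than copying /etc/ssl/openssl.cnf; the subject values are constructed samples.

```sh
#!/bin/sh
# Added example, not part of the SUSE OpenStack Cloud documentation: runs
# Procedures 3.1 to 3.5 non-interactively. Assumptions (not from the page):
# CA_DIR chooses the CA directory instead of /root/ssl/root/ca, the passphrase
# comes from the CA_PASSPHRASE environment variable instead of the prompt, and
# the subject DN at the bottom is a constructed sample.
set -eu

# Procedure 3.1: directory layout plus the index.txt/serial flat-file database.
prepare_ca_dir() {
    ca_dir="$1"
    mkdir -p "$ca_dir/certs" "$ca_dir/crl" "$ca_dir/newcerts" \
             "$ca_dir/private" "$ca_dir/csr"
    chmod 700 "$ca_dir/private"
    : > "$ca_dir/index.txt"
    echo 1000 > "$ca_dir/serial"
}

# Procedure 3.2: a minimal openssl.cnf with dir set to the CA directory. The
# page copies the annotated /etc/ssl/openssl.cnf instead; only the sections the
# root pair needs are written here. \$dir is expanded by openssl, not the shell.
write_ca_config() {
    ca_dir="$1"
    cat > "$ca_dir/openssl.cnf" <<EOF
[ ca ]
default_ca         = CA_default

[ CA_default ]
dir                = $ca_dir              # Where everything is kept
certs              = \$dir/certs
new_certs_dir      = \$dir/newcerts
database           = \$dir/index.txt
serial             = \$dir/serial
private_key        = \$dir/private/cakey.pem
certificate        = \$dir/cacert.pem
default_md         = sha256
policy             = policy_any

[ policy_any ]
commonName         = supplied

[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca

[ req_distinguished_name ]

[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:true
keyUsage               = critical, digitalSignature, cRLSign, keyCertSign
EOF
}

# Procedures 3.3 and 3.4: AES-256 encrypted 4096-bit RSA root key with
# owner-only permissions, then the self-signed root certificate with the
# v3_ca extensions and the long validity used on the page (10950 days).
create_root_pair() {
    ca_dir="$1"
    subject="$2"
    : "${CA_PASSPHRASE:?set CA_PASSPHRASE before running}"
    openssl genrsa -aes256 -passout env:CA_PASSPHRASE \
        -out "$ca_dir/private/cakey.pem" 4096
    chmod 400 "$ca_dir/private/cakey.pem"
    openssl req -config "$ca_dir/openssl.cnf" -key "$ca_dir/private/cakey.pem" \
        -passin env:CA_PASSPHRASE -new -x509 -days 10950 -sha256 \
        -extensions v3_ca -subj "$subject" -out "$ca_dir/cacert.pem"
    chmod 444 "$ca_dir/cacert.pem"
}

# Procedure 3.5: the checks to make on the new root certificate. Prints OK and
# returns 0 only if all of them pass.
verify_root_cert() {
    cert="$1"
    text=$(openssl x509 -noout -text -in "$cert")
    issuer=$(openssl x509 -noout -issuer -in "$cert")
    subject=$(openssl x509 -noout -subject -in "$cert")
    # Self-signed: Issuer and Subject carry the same DN.
    [ "${issuer#issuer=}" = "${subject#subject=}" ] \
        || { echo "issuer and subject differ" >&2; return 1; }
    # Marked as a CA and signed with SHA-256, as requested via -extensions/-sha256.
    echo "$text" | grep -q 'CA:TRUE' \
        || { echo "basicConstraints CA:TRUE missing" >&2; return 1; }
    echo "$text" | grep -q 'sha256WithRSAEncryption' \
        || { echo "unexpected signature algorithm" >&2; return 1; }
    # The certificate must validate against itself as a trust anchor.
    openssl verify -CAfile "$cert" "$cert" >/dev/null \
        || { echo "self-verification failed" >&2; return 1; }
    echo OK
}

# Runs the whole procedure and ends with the verification result.
build_root_ca() {
    prepare_ca_dir "$1"
    write_ca_config "$1"
    create_root_pair "$1" "$2"
    verify_root_cert "$1/cacert.pem"
}

# Usage: CA_DIR=/tmp/ca CA_PASSPHRASE='choose-a-strong-one' sh make_root_ca.sh
if [ -n "${CA_DIR:-}" ]; then
    build_root_ca "$CA_DIR" \
        "/C=US/ST=Idaho/L=Meridian/O=SUSEDojo/OU=dojo/CN=susedojo.com/emailAddress=admin@susedojo.com"
fi
```

verify_root_cert is the scripted form of the manual inspection in Procedure 3.5: it compares Issuer and Subject, confirms the CA:TRUE constraint and the SHA-256 signature from the -text output, and adds one check the page does not show, openssl verify -CAfile cacert.pem cacert.pem, which fails if the v3_ca extensions did not make it into the certificate.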