This is a draft document that was built and uploaded automatically. It may document beta software and be incomplete or even incorrect. Use this document at your own risk.

Sign server and client certificates

This section applies if you are the prospective certificate authority (CA).

Procedure 3.6. Prepare config file

  1. Modify the openssl.cnf config file and add a line to the [ v3_req ] section:

              # cd ~/ssl/root/ca
              # vi openssl.cnf

     Find the [ v3_req ] section and add the following line:

              subjectAltName = DNS:public.your_server_name.your_domain.com, DNS:cluster-control.your_domain.com

     At the bottom of the file, create a section server_cert with the following:

              [ server_cert ]
              subjectAltName = DNS:public.your_server_name.your_domain.com, DNS:cluster-control.your_domain.com

  2. The first DNS name is the one to use if you only have a single-node controller, because you need the public URL of that server in your cluster, for example public.db8-ae-ed-77-14-9e.susedojo.com. If your cluster uses HAProxy or Pacemaker, you have a cluster URL instead. For example, if the public URL is public.cluster.your_domain.com, you need both cluster.your_domain.com and public.cluster.your_domain.com as alternative DNS names. This public URL can be used for all endpoints unless you have multiple High Availability clusters for your control plane.

  3. Save and close the file once those entries are correct.

Procedure 3.7. Create a key

Procedure 3.8. Create a certificate

  1. Use the private key we just created to create a certificate signing request (CSR). The Common Name must be a fully qualified domain name (for example, www.susedojo.com), and the Organization Name must be the same as the Organization Name in the CA.

                # cd ~/ssl/root/ca
                # openssl req -config openssl.cnf -key private/susedojo-com.key.pem -new -sha256 -out csr/susedojo-com.csr.pem
                You are about to be asked to enter information that will be incorporated
                into your certificate request.
                -----
                Country Name (2 letter code) [XX]:US
                State or Province Name []:Idaho
                Locality Name []:Meridian
                Organization Name []:SUSEDojo
                Organizational Unit Name []:dojo
                Common Name []:susedojo.com
                Email Address []:admin@susedojo.com
              

    Note

    You may be prompted for a challenge password and an optional company name. Both can be left blank.

  2. Create the certificate by having the CA sign the CSR with the server_cert extensions, since this certificate will be used on a server. We give it one year of validity.

                # cd ~/ssl/root/ca
                # openssl ca -config openssl.cnf -extensions server_cert -days 365 -notext -md sha256 -in csr/susedojo-com.csr.pem -out certs/susedojo-com.cert.pem
                Using configuration from openssl.cnf
                Enter pass phrase for /root/ssl/root/ca/private/cakey.pem:
                Check that the request matches the signature
                Signature ok
                        Serial Number: 4096 (0x1000)
                        Validity
                            Not Before: Aug  8 04:21:08 2018 GMT
                            Not After: Aug  8 04:21:08 2019 GMT
                    Subject:
                        countryName               = US
                        stateOrProvinceName       = Idaho
                        organizationName          = SUSEDojo
                        organizationalUnitName    = dojo
                        commonName                = susedojo.com
                        emailAddress              = admin@susedojo.com
                    X509v3 extensions:
                        X509v3 Basic Constraints:
                            CA:FALSE
                        X509v3 Key Usage:
                            Digital Signature, Non Repudiation, Key Encipherment
                        X509v3 Subject Alternative Name:
                            DNS:public.db8-ae-ed-77-14-9e.susedojo.com
                Certificate is to be certified until Aug  8 04:21:08 2019 GMT (365 days)
                Sign the certificate? [y/n]:y

                1 out of 1 certificate requests certified, commit? [y/n]y
                Write out database with 1 new entries
                Data Base Updated

                # chmod 444 certs/susedojo-com.cert.pem

  3. The index.txt file should now contain a line for the newly created certificate. The fields are tab separated; for example:

                V       190808042108Z           1000    unknown /C=US/ST=Idaho/O=SUSEDojo/OU=dojo/CN=susedojo.com/emailAddress=admin@susedojo.com

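Checking index.txt by eye works for one certificate; once the CA has issued a few, a script is more reliable. The following is an added example, not part of this document, that parses the database and reports each entry's state, flagging revoked, expired and soon-to-expire certificates. It assumes the standard openssl ca index layout of six tab-separated fields (status V/R/E, expiry as YYMMDDHHMMSSZ, revocation date, serial, file name, subject DN). The first sample entry is the one shown above; the revoked and expired entries are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the SUSE document: summarise the CA's index.txt and
# flag entries that are revoked, expired, or expiring soon. Assumes the
# standard "openssl ca" database layout of six tab-separated fields:
#   status (V valid, R revoked, E expired), expiry (YYMMDDHHMMSSZ),
#   revocation date (empty unless revoked), serial (hex), file name, subject DN.

# Print "STATE<tab>serial<tab>CN<tab>days_left" per entry.
# $1 index.txt, $2 reference time as YYMMDDHHMMSS (default: now, UTC),
# $3 warning window in days (default 30).
ca_index_report() {
    now=${2:-$(date -u +%y%m%d%H%M%S)}
    awk -F '\t' -v now="$now" -v warn="${3:-30}" '
    # YYMMDDHHMMSS[Z] -> Unix epoch seconds. Two-digit years mean 2000-2099,
    # which is how openssl ca writes them. Pure days-from-civil arithmetic,
    # so it works in any POSIX awk (no mktime needed).
    function epoch(ts,    y, m, d, era, yoe, doy, doe, t) {
        y = 2000 + substr(ts, 1, 2); m = substr(ts, 3, 2) + 0; d = substr(ts, 5, 2) + 0
        if (m <= 2) y--
        era = int(y / 400); yoe = y - era * 400
        doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        t = (era * 146097 + doe - 719468) * 86400
        return t + substr(ts, 7, 2) * 3600 + substr(ts, 9, 2) * 60 + substr(ts, 11, 2)
    }
    NF < 6 { printf "MALFORMED\t%s\n", $0; next }
    {
        cn = $6; sub(/.*\/CN=/, "", cn); sub(/\/.*/, "", cn)
        secs = epoch($2) - epoch(now)
        if ($1 == "R")                 state = "REVOKED"
        else if (secs < 0)             state = "EXPIRED"
        else if (secs <= warn * 86400) state = "EXPIRING"
        else                           state = "OK"
        printf "%s\t%s\t%s\t%d\n", state, $4, cn, int(secs / 86400)
    }' "$1"
}

# Exit status 0 if any entry is expired or inside the warning window,
# which makes the report usable from cron or a monitoring check.
ca_index_has_problems() {
    ca_index_report "$@" | grep -q '^EXPIR'
}

# Constructed sample database: the entry shown in the document plus a revoked
# and an already-expired entry invented for the example.
make_sample_index() {
    printf 'V\t190808042108Z\t\t1000\tunknown\t/C=US/ST=Idaho/O=SUSEDojo/OU=dojo/CN=susedojo.com/emailAddress=admin@susedojo.com\n' > "$1"
    printf 'R\t200101000000Z\t190715120000Z,keyCompromise\t1001\tunknown\t/C=US/O=SUSEDojo/CN=old.susedojo.com\n' >> "$1"
    printf 'V\t181231235959Z\t\t1002\tunknown\t/C=US/O=SUSEDojo/CN=expired.susedojo.com\n' >> "$1"
}

# Demo against the constructed database as of 2019-07-20 UTC with a 30-day window.
sample=$(mktemp)
make_sample_index "$sample"
ca_index_report "$sample" 190720000000 30
rm -f "$sample"
```

Run against the real database as ca_index_report ~/ssl/root/ca/index.txt to use the current time, or pass a reference time as the second argument to reproduce a report. Expiry is compared in seconds rather than whole days so that a certificate that expired a few hours ago is reported as EXPIRED, not as having zero days left.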

Procedure 3.9. Verifying the certificate

  1. Enter the following in your terminal:

                 # openssl x509 -noout -text -in certs/susedojo-com.cert.pem
               
  2. You will notice that the Issuer is the CA, and the Subject Alternative Name also appears in the extensions section. Then verify the certificate against the CA certificate:

                 # openssl verify -CAfile cacert.pem certs/susedojo-com.cert.pem
                 certs/susedojo-com.cert.pem: OK
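The complete flow from Procedure 3.6 through 3.9, as an added example that is not part of this document: it builds a throwaway CA directory with a minimal openssl.cnf whose [ v3_req ] and [ server_cert ] sections carry the subjectAltName, creates a server key and CSR, signs the CSR with openssl ca -extensions server_cert, and then runs the index.txt and verification checks. The names (example.test, ExampleDojo), the directory layout and the unencrypted CA key are constructed for the example so that it runs unattended; the real CA key stays passphrase-protected as in the transcript above.

```shell
#!/bin/sh
# Added example, not from the SUSE document: the whole procedure in a throwaway
# CA directory, to check the config and commands before using them on the real
# CA under ~/ssl/root/ca. Names, paths and the unencrypted CA key are constructed.
set -eu
SAN='DNS:public.example.test,DNS:cluster-control.example.test'   # constructed names

# Procedure 3.6: minimal CA layout plus an openssl.cnf whose [ v3_req ] and
# [ server_cert ] sections carry the subjectAltName.
make_test_ca() {
    dir=$1
    mkdir -p "$dir/certs" "$dir/csr" "$dir/newcerts" "$dir/private" || return 1
    : > "$dir/index.txt"
    echo 1000 > "$dir/serial"
    cat > "$dir/openssl.cnf" <<EOF || return 1
[ ca ]
default_ca = CA_default
[ CA_default ]
new_certs_dir = $dir/newcerts
database      = $dir/index.txt
serial        = $dir/serial
private_key   = $dir/private/cakey.pem
certificate   = $dir/cacert.pem
default_md    = sha256
policy        = policy_loose
[ policy_loose ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
req_extensions     = v3_req
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_req ]
subjectAltName = $SAN
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $SAN
EOF
    # Self-signed root; -nodes keeps the key unencrypted so nothing prompts.
    openssl req -config "$dir/openssl.cnf" -new -x509 -days 3650 -sha256 \
        -newkey rsa:2048 -nodes -keyout "$dir/private/cakey.pem" \
        -out "$dir/cacert.pem" -extensions v3_ca \
        -subj '/C=US/O=ExampleDojo/CN=ExampleDojo Root CA' 2>/dev/null
}

# Procedures 3.7 and 3.8: server key, CSR, and CA-signed certificate (one year).
issue_server_cert() {
    dir=$1; name=$2
    openssl genrsa -out "$dir/private/$name.key.pem" 2048 2>/dev/null || return 1
    openssl req -config "$dir/openssl.cnf" -key "$dir/private/$name.key.pem" -new -sha256 \
        -out "$dir/csr/$name.csr.pem" \
        -subj "/C=US/ST=Idaho/L=Meridian/O=ExampleDojo/OU=dojo/CN=$name/emailAddress=admin@$name" || return 1
    # -batch answers the "Sign the certificate?" and "commit?" prompts with yes.
    openssl ca -config "$dir/openssl.cnf" -extensions server_cert -days 365 -notext \
        -md sha256 -batch -in "$dir/csr/$name.csr.pem" -out "$dir/certs/$name.cert.pem" 2>/dev/null || return 1
    chmod 444 "$dir/certs/$name.cert.pem"
}

# Procedure 3.8 step 3: index.txt must now hold a V (valid) line for the new CN.
index_has_valid() {
    grep -q "^V.*/CN=$2/" "$1/index.txt"
}

# Procedure 3.9: the chain verifies against the CA, the issuer is the CA, and
# the SAN from [ server_cert ] is present in the signed certificate.
verify_server_cert() {
    dir=$1; name=$2; cert=$dir/certs/$name.cert.pem
    openssl verify -CAfile "$dir/cacert.pem" "$cert" >/dev/null || return 1
    openssl x509 -noout -issuer -in "$cert" | grep -q 'ExampleDojo Root CA' || return 1
    openssl x509 -noout -text -in "$cert" | grep -q 'DNS:cluster-control.example.test'
}

# Full round trip; returns 0 only if every step and check passed.
run_demo() {
    ca=$(mktemp -d) || return 1
    if make_test_ca "$ca" && issue_server_cert "$ca" server.example.test \
        && index_has_valid "$ca" server.example.test \
        && verify_server_cert "$ca" server.example.test; then
        rm -rf "$ca"; return 0
    fi
    rm -rf "$ca"; return 1
}

run_demo && echo "test CA round trip OK"
```

The script passes -batch to openssl ca so it runs unattended; leave that out to see the y/n prompts shown in the transcript above. Note that openssl ca takes the certificate's extensions from the config section named by -extensions and by default does not copy extensions from the CSR (copy_extensions defaults to none), so the subjectAltName that reaches the signed certificate is the one in [ server_cert ]; that is why Procedure 3.6 adds it there and not only in [ v3_req ].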