opensearch:generating_certificates

Differences

This shows you the differences between two versions of the page.

opensearch:generating_certificates [2023/01/31 21:34] – created olaf
opensearch:generating_certificates [2023/02/01 00:06] (current) – ↷ Links adapted because of a move operation olaf
Line 1: Line 1:
 +==== Creating certificates for OpenSearch ====
  
 +<code bash>
 +cd /etc/opensearch
 +mkdir certs.old
 +mkdir certs
 +chown opensearch:opensearch certs
 +chmod 600 certs
 +mv *.pem certs.old/
  
 +cd certs
 +</code>
  
 +=== Create the CA certificate ===
 +Generate a RSA key with 2048 bit length
 +<code bash>openssl genrsa -out root-ca-myopensearch-key.pem 2048</code>
 +Generate a Root CA certificate signed with the gerated key valid for 5 years\\
 +At the end, it's only importnant that CN has a value - else possession of the key is important to sign client certificates  
 +<code bash>openssl req -new -x509 -sha256 -key root-ca-myopensearch-key.pem -subj "/C=US/ST=TX/L=Dallas/O=TheBigBadWolf/OU=SheepPR/CN=my" -out root-ca-myopensearch.pem -days 1825</code>
  
-Back to [[opensearch:installation_on_linux]]+=== Create a certificate for the admin user === 
 +<code bash>openssl genrsa -out myopensearch-admin-key-tmp.pem 2048</code> 
 +Convert the key to PKCS#8 
 +<code bash>openssl pkcs8 -inform PEM -outform PEM -in myopensearch-admin-key-tmp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out myopensearch-admin-key.pem</code> 
 +#Create a CSR  
 +<code bash>openssl req -new -key myopensearch-admin-key.pem -subj "/C=US/ST=TX/L=Dallas/O=TheBigBadWolf/OU=SheepPR/CN=admin" -out myopensearch-admin.csr</code> 
 +#Sign the CSR 
 +<code bash>openssl x509 -req -in myopensearch-admin.csr -CA root-ca-myopensearch.pem -CAkey root-ca-myopensearch-key.pem -CAcreateserial -sha256 -out myopensearch-admin.pem -days 1825</code> 
 + 
 +=== Create the certificate for the node === 
 +openssl genrsa -out node-01-key-temp.pem 2048</code> 
 +Convert the key format to PKCS#8 
 +openssl pkcs8 -inform PEM -outform PEM -in node-01-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node-01-key.pem</code> 
 +Create a CSR 
 +openssl req -new -key node-01-key.pem -subj "/C=US/ST=TX/L=Dallas/O=TheBigBadWolf/OU=SheepPR/CN=node-01"  -out node-01.csr</code> 
 + 
 +Create an extension file containing the Subject Alternate Names (SAN): 
 +<code bash> 
 +cat > node-01.ext 
 +subjectAltName = @SAN 
 +[SAN] 
 +DNS.1 = node-01 
 +IP.1 = 1.1.1.127 
 +</code> 
 +after the last line press <ctrl-d> 
 + 
 +Generate the cerificate for the node 
 +<code bash>openssl x509 -req -in node-01.csr -CA root-ca-myopensearch.pem -CAkey root-ca-myopensearch-key.pem -CAcreateserial -sha256 -out node-01.pem -days 1825 -extfile node-01.ext</code> 
 + 
 +change the owner and permissions of the generated certificates and keys 
 +<code bash> 
 +chown opensearch:opensearch *.pem 
 +chmod 600 *.pem 
 +</code> 
 + 
 +Back to [[opensearch:os_installation_linux]]
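Review bot: `chmod 600 certs` in the first code block is applied to a directory, which clears the search (x) bit, so the opensearch user that owns it cannot open any file inside it; use `chmod 700 certs` and keep 600 for the `*.pem` files, as the last block already does. The closing `chown opensearch:opensearch *.pem` also hands `root-ca-myopensearch-key.pem` to the service account. That key is only needed for the two signing steps, so consider excluding it from the chown or moving it off the node once the certificates are issued. The unencrypted intermediate keys (`myopensearch-admin-key-tmp.pem`, `node-01-key-temp.pem`) are never removed, and their suffixes differ (`-tmp` vs `-temp`). `-v1 PBE-SHA1-3DES` is not used when `-nocrypt` writes an unencrypted key, so it can be dropped from both `openssl pkcs8` lines. Markup: the three `openssl` commands in the node section end in `</code>` but have no opening `<code bash>`, and the admin section prefixes two step labels with `#` where the other sections use plain text. The `cat > node-01.ext` step depends on the reader typing the content and pressing ctrl-d, so a here-document would make that block copy-pasteable. The sentence about the CN on the line after "valid for 5 years" is hard to follow and should be reworded, and "gerated", "importnant" and "cerificate" are typos.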
opensearch/generating_certificates.1675200840.txt.gz · Last modified: 2023/01/31 21:34 by olaf