opensearch:generating_certificates

Differences

This shows you the differences between two versions of the page.

opensearch:generating_certificates [2023/01/31 21:59] – Added the content olaf
opensearch:generating_certificates [2023/02/01 00:06] (current) – ↷ Links adapted because of a move operation olaf
Line 14: Line 14:
 === Create the CA certificate === === Create the CA certificate ===
 Generate a RSA key with 2048 bit length Generate a RSA key with 2048 bit length
-<code bash>openssl genrsa -out root-ca-openolaf-key.pem 2048</code>+<code bash>openssl genrsa -out root-ca-myopensearch-key.pem 2048</code>
 Generate a Root CA certificate signed with the gerated key valid for 5 years\\ Generate a Root CA certificate signed with the gerated key valid for 5 years\\
 At the end, it's only importnant that CN has a value - else possession of the key is important to sign client certificates   At the end, it's only importnant that CN has a value - else possession of the key is important to sign client certificates  
-<code bash>openssl req -new -x509 -sha256 -key root-ca-openolaf-key.pem -subj "/C=BE/ST=Hainaut/L=Mons/O=Olafs Lab/OU=IT/CN=openolaf" -out root-ca-openolaf.pem -days 1825</code>+<code bash>openssl req -new -x509 -sha256 -key root-ca-myopensearch-key.pem -subj "/C=US/ST=TX/L=Dallas/O=TheBigBadWolf/OU=SheepPR/CN=my" -out root-ca-myopensearch.pem -days 1825</code>
  
 === Create a certificate for the admin user === === Create a certificate for the admin user ===
-<code bash>openssl genrsa -out openolaf-admin-key-tmp.pem 2048</code>+<code bash>openssl genrsa -out myopensearch-admin-key-tmp.pem 2048</code>
 Convert the key to PKCS#8 Convert the key to PKCS#8
-<code bash>openssl pkcs8 -inform PEM -outform PEM -in openolaf-admin-key-tmp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out openolaf-admin-key.pem</code>+<code bash>openssl pkcs8 -inform PEM -outform PEM -in myopensearch-admin-key-tmp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out myopensearch-admin-key.pem</code>
 #Create a CSR  #Create a CSR 
-<code bash>openssl req -new -key openolaf-admin-key.pem -subj "/C=BE/ST=Hainaut/L=Mons/O=Olafs Lab/OU=IT/CN=admin" -out openolaf-admin.csr</code>+<code bash>openssl req -new -key myopensearch-admin-key.pem -subj "/C=US/ST=TX/L=Dallas/O=TheBigBadWolf/OU=SheepPR/CN=admin" -out myopensearch-admin.csr</code>
 #Sign the CSR #Sign the CSR
-<code bash>openssl x509 -req -in openolaf-admin.csr -CA root-ca-openolaf.pem -CAkey root-ca-openolaf-key.pem -CAcreateserial -sha256 -out openolaf-admin.pem -days 1825</code>+<code bash>openssl x509 -req -in myopensearch-admin.csr -CA root-ca-myopensearch.pem -CAkey root-ca-myopensearch-key.pem -CAcreateserial -sha256 -out myopensearch-admin.pem -days 1825</code>
  
 === Create the certificate for the node === === Create the certificate for the node ===
-openssl genrsa -out deb11-os-01-key-temp.pem 2048</code> +openssl genrsa -out node-01-key-temp.pem 2048</code> 
-# convert to PKCS#8 +Convert the key format to PKCS#8 
-openssl pkcs8 -inform PEM -outform PEM -in deb11-os-01-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out deb11-os-01-key.pem</code> +openssl pkcs8 -inform PEM -outform PEM -in node-01-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out node-01-key.pem</code> 
-Create CSR +Create CSR 
-openssl req -new -key deb11-os-01-key.pem -subj "/C=BE/ST=Hainaut/L=Mons/O=Olafs Lab/OU=IT/CN=deb11-os-01"  -out deb11-os-01.csr</code>+openssl req -new -key node-01-key.pem -subj "/C=US/ST=TX/L=Dallas/O=TheBigBadWolf/OU=SheepPR/CN=node-01"  -out node-01.csr</code>
  
 Create an extension file containing the Subject Alternate Names (SAN): Create an extension file containing the Subject Alternate Names (SAN):
 <code bash> <code bash>
-cat > deb11-os-01.ext+cat > node-01.ext
 subjectAltName = @SAN subjectAltName = @SAN
 [SAN] [SAN]
-DNS.1 = deb11-os-01 +DNS.1 = node-01 
-IP.1 = 10.68.100.27+IP.1 = 1.1.1.127
 </code> </code>
 after the last line press <ctrl-d> after the last line press <ctrl-d>
  
 Generate the cerificate for the node Generate the cerificate for the node
-<code bash>openssl x509 -req -in deb11-os-01.csr -CA root-ca-openolaf.pem -CAkey root-ca-openolaf-key.pem -CAcreateserial -sha256 -out deb11-os-01.pem -days 1825 -extfile deb11-os-01.ext</code>+<code bash>openssl x509 -req -in node-01.csr -CA root-ca-myopensearch.pem -CAkey root-ca-myopensearch-key.pem -CAcreateserial -sha256 -out node-01.pem -days 1825 -extfile node-01.ext</code>
  
 change the owner and permissions of the generated certificates and keys change the owner and permissions of the generated certificates and keys
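Review bot: In the "Create the certificate for the node" section, the three new command lines (genrsa, pkcs8 and req for node-01) each end in `</code>` but have no opening `<code bash>`, unlike the CA and admin sections, so the commands are left outside a code block; open each one with `<code bash>` while these lines are being touched anyway. The rename also left the root CA subject as `CN=my` although every file name uses `myopensearch`, which looks like a search-and-replace slip; `CN=myopensearch` would keep the subject and the file names consistent. The sample SAN `IP.1 = 1.1.1.127` replaces a private address with a publicly routable one; an address from the documentation range 192.0.2.0/24 (RFC 5737) is a safer placeholder for readers who copy the extension file. Finally, the pkcs8 lines combine `-nocrypt` with `-v1 PBE-SHA1-3DES`: with `-nocrypt` the key is written unencrypted and the `-v1` algorithm is not applied, so either drop `-v1 PBE-SHA1-3DES` or state next to "Convert the key to PKCS#8" that the resulting key file is unprotected and relies on the file permissions set afterwards.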
Line 54: Line 54:
 </code> </code>
  
-Back to [[opensearch:installation_on_linux]]+Back to [[opensearch:os_installation_linux]]
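Review bot: The revision summary "Links adapted because of a move operation" only accounts for this link target change to `[[opensearch:os_installation_linux]]`; the replacement of the key file names, subject fields and SAN values made in the same revision is not mentioned, so add a word about it to the summary, or make it a separate revision, so the page history explains why the sample values changed.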
opensearch/generating_certificates.1675202399.txt.gz · Last modified: 2023/01/31 21:59 by olaf