
Creating certificates for OpenSearch

cd /etc/opensearch
mkdir certs.old
mkdir certs
chown opensearch:opensearch certs
chmod 700 certs   # a directory needs the execute bit, otherwise the opensearch user cannot enter it
mv *.pem certs.old/
 
cd certs

Create the CA certificate

Generate an RSA key with a length of 2048 bits

openssl genrsa -out root-ca-openolaf-key.pem 2048

Generate a root CA certificate, signed with the generated key and valid for 5 years.
In the end, the only important thing is that the CN has a value; apart from that, what matters is possession of the key, which is needed to sign client certificates.

openssl req -new -x509 -sha256 -key root-ca-openolaf-key.pem -subj "/C=BE/ST=Hainaut/L=Mons/O=Olafs Lab/OU=IT/CN=openolaf" -out root-ca-openolaf.pem -days 1825

Create a certificate for the admin user

openssl genrsa -out openolaf-admin-key-tmp.pem 2048

Convert the key to PKCS#8

openssl pkcs8 -inform PEM -outform PEM -in openolaf-admin-key-tmp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out openolaf-admin-key.pem

Create a CSR

openssl req -new -key openolaf-admin-key.pem -subj "/C=BE/ST=Hainaut/L=Mons/O=Olafs Lab/OU=IT/CN=admin" -out openolaf-admin.csr

Sign the CSR

openssl x509 -req -in openolaf-admin.csr -CA root-ca-openolaf.pem -CAkey root-ca-openolaf-key.pem -CAcreateserial -sha256 -out openolaf-admin.pem -days 1825

Create the certificate for the node

openssl genrsa -out deb11-os-01-key-temp.pem 2048

Convert to PKCS#8

openssl pkcs8 -inform PEM -outform PEM -in deb11-os-01-key-temp.pem -topk8 -nocrypt -v1 PBE-SHA1-3DES -out deb11-os-01-key.pem

Create CSR

openssl req -new -key deb11-os-01-key.pem -subj "/C=BE/ST=Hainaut/L=Mons/O=Olafs Lab/OU=IT/CN=deb11-os-01" -out deb11-os-01.csr

Create an extension file containing the Subject Alternative Names (SAN):

cat > deb11-os-01.ext
subjectAltName = @SAN
[SAN]
DNS.1 = deb11-os-01
IP.1 = 10.68.100.27

After the last line, press <ctrl-d>.

Generate the certificate for the node

openssl x509 -req -in deb11-os-01.csr -CA root-ca-openolaf.pem -CAkey root-ca-openolaf-key.pem -CAcreateserial -sha256 -out deb11-os-01.pem -days 1825 -extfile deb11-os-01.ext

Change the owner and permissions of the generated certificates and keys

chown opensearch:opensearch *.pem
chmod 600 *.pem
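
The steps above produce a signed node certificate but never check it. The script below is an added example, not part of the original wiki page: it repeats the CA and node steps in a temporary directory, then checks that the certificate chains to the CA, matches its key and carries the SAN entries. The function names, the CN "test-ca" and the one-day validity are assumptions made for the demo, and the `-ext` option needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example. File names, CN "test-ca" and the 1-day validity are constructed.

make_pki() {  # $1 = work dir, $2 = "san" to sign with the extension file
    d=$1
    openssl genrsa -out "$d/ca-key.pem" 2048 2>/dev/null || return 1
    openssl req -new -x509 -sha256 -key "$d/ca-key.pem" -subj "/CN=test-ca" \
        -out "$d/ca.pem" -days 1 || return 1
    openssl genrsa -out "$d/node-key-tmp.pem" 2048 2>/dev/null || return 1
    openssl pkcs8 -topk8 -nocrypt -in "$d/node-key-tmp.pem" \
        -out "$d/node-key.pem" || return 1
    openssl req -new -key "$d/node-key.pem" -subj "/CN=deb11-os-01" \
        -out "$d/node.csr" || return 1
    printf 'subjectAltName = @SAN\n[SAN]\nDNS.1 = deb11-os-01\nIP.1 = 10.68.100.27\n' \
        > "$d/node.ext"
    # Without -extfile the signed certificate carries no SAN at all.
    if [ "$2" = san ]; then set -- -extfile "$d/node.ext"; else set --; fi
    openssl x509 -req -in "$d/node.csr" -CA "$d/ca.pem" -CAkey "$d/ca-key.pem" \
        -CAcreateserial -sha256 -days 1 -out "$d/node.pem" "$@" 2>/dev/null
}

check_node_cert() {  # $1 CA cert, $2 node cert, $3 node key, $4 DNS name, $5 IP
    # 1. The certificate chains to the CA.
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 \
        || { echo "chain: FAIL"; return 1; }
    # 2. The private key belongs to the certificate (same public key).
    [ "$(openssl x509 -in "$2" -noout -pubkey)" = "$(openssl pkey -in "$3" -pubout)" ] \
        || { echo "key: MISMATCH"; return 2; }
    # 3. Both SAN entries are present; split to one per line for exact matching.
    san=$(openssl x509 -in "$2" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed 's/^ *//; s/ *$//')
    printf '%s\n' "$san" | grep -qxF "DNS:$4" \
        || { echo "SAN: missing DNS:$4"; return 3; }
    printf '%s\n' "$san" | grep -qxF "IP Address:$5" \
        || { echo "SAN: missing IP:$5"; return 3; }
    echo "OK"
}

work=$(mktemp -d) && trap 'rm -rf "$work"' EXIT
make_pki "$work" san && check_node_cert "$work/ca.pem" "$work/node.pem" \
    "$work/node-key.pem" deb11-os-01 10.68.100.27
```

On the real host, the same check is `check_node_cert root-ca-openolaf.pem deb11-os-01.pem deb11-os-01-key.pem deb11-os-01 10.68.100.27`, run from the certs directory.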


opensearch/generating_certificates.1675202399.txt.gz · Last modified: 2023/01/31 21:59 by olaf