proc_creating-a-custom-ssl-certificate.adoc

Creating a Custom SSL Certificate for {ProductName}

Use this procedure to create a custom SSL certificate for {ProductName} on {ProjectServer}. If you already have a custom SSL certificate for {ProductName}, skip this procedure.

Procedure
  1. To store all the source certificate files, create a directory that is accessible only to the root user:

    # mkdir /root/{context}_cert
  2. Create a private key with which to sign the certificate signing request (CSR).

    Note that the private key must be unencrypted. If you use a password-protected private key, remove the private key password.

    If you already have a private key for this {ProductName}, skip this step.

    # openssl genrsa -out /root/{context}_cert/{context}_cert_key.pem 4096
  3. Create the /root/{context}_cert/openssl.cnf configuration file for the CSR and include the following content:

    [ req ]
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    x509_extensions = usr_cert
    prompt = no
    
    [ req_distinguished_name ]
    CN = {context}.example.com
    
    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
    subjectAltName = @alt_names
    
    [ usr_cert ]
    basicConstraints=CA:FALSE
    nsCertType = client, server, email
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
    nsComment = "OpenSSL Generated Certificate"
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid,issuer
    
    [ alt_names ]
    DNS.1 = {context}.example.com
  4. Generate the CSR:

    # openssl req -new \
    -key /root/{context}_cert/{context}_cert_key.pem \ (1)
    -config /root/{context}_cert/openssl.cnf \ (2)
    -out /root/{context}_cert/{context}_cert_csr.pem (3)
    1. Path to the private key.

    2. Path to the configuration file.

    3. Path to the CSR to generate.

  5. Send the certificate signing request to the certificate authority (CA). The same CA must sign certificates for {ProjectServer} and {SmartProxyServer}.

    When you submit the request, specify the lifespan of the certificate. The method for sending the certificate request varies, so consult the CA for the preferred method. In response to the request, you can expect to receive a CA bundle and a signed certificate, in separate files.
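
Before sending the CSR in step 5, you can confirm that it was built from the private key created in step 2 and that it carries the subjectAltName from `openssl.cnf`. The shell functions below are an added example, not part of the original procedure; `check_csr`, `make_sample`, and the hostname `proxy.example.com` are assumptions made for illustration.

```shell
# check_csr KEY CSR HOSTNAME: exit status 0 only if the CSR is fit to send to the CA.
# Hypothetical helper added for illustration; file names and hostname are assumptions.
check_csr() {
    key=$1 csr=$2 host=$3
    # Step 2 requires an unencrypted key; reject both PEM encryption styles.
    if grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$key"; then
        echo "FAIL: private key is password-protected" >&2; return 1
    fi

    # The CSR self-signature must verify. Match the message rather than the
    # exit status, which some OpenSSL versions leave at 0 on failure.
    if ! openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK'; then
        echo "FAIL: CSR self-signature does not verify" >&2; return 1
    fi

    # The CSR must carry the public half of this private key.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$key_pub" != "$csr_pub" ]; then
        echo "FAIL: CSR was not generated from this key" >&2; return 1
    fi

    # The hostname must appear as an exact subjectAltName DNS entry; it is
    # absent if the CSR was built without the openssl.cnf from step 3.
    if ! openssl req -in "$csr" -noout -text | tr ',' '\n' | sed 's/^ *//' |
            grep -Fxq "DNS:$host"; then
        echo "FAIL: subjectAltName lacks DNS:$host" >&2; return 1
    fi
    echo "OK: CSR matches key and names $host"
}

# Constructed sample: throwaway 2048-bit key and CSR for proxy.example.com in DIR.
make_sample() {
    dir=$1
    cat > "$dir/openssl.cnf" <<'EOF'
[ req ]
req_extensions = v3_req
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
CN = proxy.example.com
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = proxy.example.com
EOF
    openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null &&
    openssl req -new -key "$dir/key.pem" -config "$dir/openssl.cnf" -out "$dir/csr.pem"
}
```

`make_sample` only builds throwaway input for trying the check. Against the real files, pass the key and CSR paths from step 4 and the hostname listed under `[ alt_names ]`.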