5.1.9 Generating Server Certificates and Trusted Certificates
OAA uses SSL for communication. For production environments it is recommended to use a commercially available certificate, traceable to a trusted Certificate Authority. For OAA sandbox environments, the OAA installation can generate self-signed certificates which have a validity period of 6 months.
If you want to use the self-signed certificates generated by the installation, you can skip this section.
If you want to use a commercial certificate, follow the steps below.
Note:
Administrators should be aware that certificates have expiry dates. The expiry date of a commercial certificate varies by CA; self-signed certificates generated by the installation expire after 6 months. It is recommended to renew certificates about one month before expiry. For more information, see Certificate Management and Expiry.
5.1.9.1 Using a Third Party CA for Generating Certificates
The following steps show how to use a third party Certificate Authority (CA) for generating your certificates:
- On the <INSTALL_HOST> create an oaassl directory in <WORKDIR> and navigate to it, for example:
  mkdir /workdir/oaassl
  cd /workdir/oaassl
- Generate a 4096 bit private key (oaa.key) for the server certificate:
  openssl genrsa -out oaa.key 4096
- Create a Certificate Signing Request (oaa.csr). When prompted, enter the details for your CSR. The Common Name must be the fully qualified hostname that clients use to reach OAA; because current browsers and TLS libraries match the hostname against the Subject Alternative Name rather than the Common Name, ask the CA to issue the certificate with that hostname in the SAN as well (most commercial CAs do this automatically or let you specify SANs when you submit the CSR). For example:
  openssl req -new -key oaa.key -out oaa.csr
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [XX]:US
  State or Province Name (full name) []:California
  Locality Name (eg, city) [Default City]:Redwood City
  Organization Name (eg, company) [Default Company Ltd]:Example Company
  Organizational Unit Name (eg, section) []:Security
  Common Name (eg, your name or your server's hostname) []:oaa.example.com
  Email Address []:

  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []:
  An optional company name []:
- Send the CSR (oaa.csr) to the third party CA.
- Once you receive the certificate from the CA, rename the file to oaa.pem and copy it to the <WORKDIR>/oaassl directory.
  Note:
  The certificate oaa.pem must be in PEM format. If it is not, convert it to PEM using openssl. For example, to convert from DER format to PEM:
  openssl x509 -inform der -in oaa.der -out oaa.pem
- Copy the Trusted Root CA certificate (rootca.pem), and any other CA certificates in the chain (rootca1.pem, rootca2.pem, etc.) that signed oaa.pem, to the <WORKDIR>/oaassl directory. As above, the CA certificates must be in PEM format, so convert them if necessary.
- If your CA has multiple certificates in a chain, create a bundle.pem that contains all the CA certificates:
  cat rootca.pem rootca1.pem rootca2.pem > bundle.pem
  Use > rather than >> so that re-running the command does not append a second copy of each certificate to an existing bundle.pem.
- Create a Trusted Certificate PKCS12 file (trust.p12) from the CA file(s). If your CA does not have a certificate chain, replace bundle.pem with rootca.pem. When prompted, enter and verify the Export Password:
  openssl pkcs12 -export -out trust.p12 -nokeys -in bundle.pem
  Note:
  Setting an export password is mandatory. This password is the <TRUST_CERT_P12_PWD> value recorded in the Configuration Checkpoint below.
- Create a Server Certificate PKCS12 file (cert.p12). If your CA does not have a certificate chain, replace bundle.pem with rootca.pem in the following command. When prompted, enter and verify the Export Password:
  openssl pkcs12 -export -out cert.p12 -inkey oaa.key -in oaa.pem -chain -CAfile bundle.pem
  Note:
  Setting an export password is mandatory. This password is the <USER_CERT_P12_PWD> value recorded in the Configuration Checkpoint below.
- Copy cert.p12 and trust.p12 to the <WORKDIR>, for example:
  cp /workdir/oaassl/*.p12 /workdir/
Note:
In releases prior to December 24 you also had to import the OAM certificates into trust.p12. From December 24 onwards this is no longer required, as the installation downloads the correct certificates from OAM and imports them for you.
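The procedure above run end to end, as an added example that is not part of the OAA documentation. A locally generated root CA and issuing CA (constructed for the example) stand in for the third party CA so the script runs offline; the hostname oaa.example.com, the export passwords, the scratch directory that plays the role of <WORKDIR>/oaassl, and the extension sections in the openssl config file are all assumptions. It goes slightly beyond the steps as written: it requests the hostname in the Subject Alternative Name, exercises the DER to PEM conversion, and finishes with the checks you would run on oaa.pem, cert.p12 and trust.p12 before handing them to the installer.

```shell
#!/bin/sh
# Added example, not from the OAA documentation: the 5.1.9.1 procedure run end to end
# against a stand-in CA. Hostname, passwords and extension sections are assumptions; in
# production the CSR goes to your real CA and export passwords come from a secret store.
set -eu

OAA_HOST="oaa.example.com"       # assumed OAA hostname; goes in the SAN, not only the CN
CERT_P12_PWD="cert-export-pw"    # assumed export password for cert.p12 (mandatory)
TRUST_P12_PWD="trust-export-pw"  # assumed export password for trust.p12 (mandatory)

# One openssl config for every step: a DN section (overridden with -subj), the
# extensions a CA puts on CA certificates, and the ones it puts on the server cert.
write_openssl_config() {
  cat > oaa.cnf <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[san_ext]
subjectAltName = DNS:$OAA_HOST
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$OAA_HOST
EOF
}

# Stand-in for the third party CA (constructed): rootca.pem signs the issuing CA
# rootca1.pem, giving the two-certificate chain the bundle and -chain steps need.
make_stand_in_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout rootca.key -out rootca.pem \
    -days 3650 -sha256 -subj "/CN=Example Root CA" -config oaa.cnf -extensions ca_ext
  openssl req -new -newkey rsa:2048 -nodes -keyout rootca1.key -out rootca1.csr \
    -subj "/CN=Example Issuing CA" -config oaa.cnf
  openssl x509 -req -in rootca1.csr -CA rootca.pem -CAkey rootca.key -CAcreateserial \
    -days 1825 -sha256 -extfile oaa.cnf -extensions ca_ext -out rootca1.pem
}

# Steps 2 to 6 of the procedure: 4096-bit key, CSR carrying the OAA hostname in the SAN,
# the CA-issued certificate (returned as DER here, as some CAs do) converted to PEM,
# and the CA bundle.
make_server_material() {
  openssl genrsa -out oaa.key 4096
  openssl req -new -key oaa.key -out oaa.csr -config oaa.cnf -reqexts san_ext \
    -subj "/C=US/ST=California/L=Redwood City/O=Example Company/OU=Security/CN=$OAA_HOST"
  # The CA, not the CSR, decides the final extensions; the stand-in applies server_ext.
  openssl x509 -req -in oaa.csr -CA rootca1.pem -CAkey rootca1.key -CAcreateserial \
    -days 365 -sha256 -extfile oaa.cnf -extensions server_ext -outform der -out oaa.der
  openssl x509 -inform der -in oaa.der -out oaa.pem
  # > rather than >> so a re-run cannot append duplicate CA certificates.
  cat rootca1.pem rootca.pem > bundle.pem
}

# Steps 8 and 9: trust.p12 holds only the CA certificates, cert.p12 holds the server key,
# its certificate and the chain. -passout replaces the interactive Export Password prompt.
build_p12_files() {
  openssl pkcs12 -export -out trust.p12 -nokeys -in bundle.pem -passout "pass:$TRUST_P12_PWD"
  openssl pkcs12 -export -out cert.p12 -inkey oaa.key -in oaa.pem -chain -CAfile bundle.pem \
    -passout "pass:$CERT_P12_PWD"
}

# Checks to run before handing the files to the installer; set -e fails on the first problem.
verify_artifacts() {
  # oaa.pem chains to the bundle and names the OAA host in its SAN
  openssl verify -CAfile bundle.pem oaa.pem >/dev/null
  openssl x509 -in oaa.pem -noout -text | grep -q "DNS:$OAA_HOST"
  # not inside the one-month renewal window the note recommends (30 days = 2592000 s)
  openssl x509 -in oaa.pem -noout -checkend 2592000 >/dev/null
  # cert.p12 opens with its password and carries server cert + issuing CA + root
  n=$(openssl pkcs12 -in cert.p12 -nokeys -passin "pass:$CERT_P12_PWD" | grep -c 'BEGIN CERTIFICATE')
  [ "$n" -eq 3 ]
  # trust.p12 carries exactly the two CA certificates and no private key
  n=$(openssl pkcs12 -in trust.p12 -nokeys -passin "pass:$TRUST_P12_PWD" | grep -c 'BEGIN CERTIFICATE')
  [ "$n" -eq 2 ]
  ! openssl pkcs12 -in trust.p12 -nocerts -nodes -passin "pass:$TRUST_P12_PWD" | grep -q 'PRIVATE KEY'
}

# Run everything in a scratch directory that plays the role of <WORKDIR>/oaassl.
run_all() {
  work=$(mktemp -d)
  cd "$work"
  write_openssl_config
  make_stand_in_ca
  make_server_material
  build_p12_files
  verify_artifacts
  echo "cert.p12 and trust.p12 built and verified in $work"
}

run_all
```

To use this against a real CA, drop make_stand_in_ca, send the oaa.csr that make_server_material produces to the CA, place the returned certificate and its chain in the scratch directory as oaa.pem, rootca.pem and rootca1.pem, and keep verify_artifacts as the gate before the cp of the .p12 files into <WORKDIR>: it catches the three mistakes that surface later as installation or browser errors, namely a bundle that does not actually chain to oaa.pem, a certificate without the OAA hostname in its SAN, and a .p12 whose export password differs from the one recorded in the Configuration Checkpoint.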
5.1.9.2 Configuration Checkpoint
Before proceeding make sure you have the following information:
Note:
If you intend to use self-signed certificates created by the installation, you can ignore this section.

Variable              Your Value   Sample Value         Description
<USER_CERT_P12>                    /workdir/cert.p12    The location of <WORKDIR>/cert.p12 on the <INSTALL_HOST>. Only required if you generated third party certificates.
<USER_CERT_P12_PWD>                password             The export password for cert.p12. Only required if you generated third party certificates.
<TRUST_CERT_P12>                   /workdir/trust.p12   The location of <WORKDIR>/trust.p12 on the <INSTALL_HOST>. Only required if you generated third party certificates.
<TRUST_CERT_P12_PWD>               password             The export password for trust.p12. Only required if you generated third party certificates.