
Issuing Certificates

  1. Set up a CA server.
    1. Select a server as the CA server and prepare the directories the CA server uses to issue certificates. The private directory holds the CA signing key, so it is restricted to its owner (mode 700) rather than made world-writable.
      mkdir -p /home/ca_server
      cd /home/ca_server/
      mkdir demoCA
      cp /etc/pki/tls/openssl.cnf ./
      mkdir ./demoCA/newcerts  ./demoCA/private ./demoCA/certs
      chmod 700 ./demoCA/private/
      echo 01 > ./demoCA/serial
      touch ./demoCA/index.txt
    2. Set the dir option in the [ CA_default ] section of the copied openssl.cnf to the CA server directory, so that the database, serial, and new certificate paths resolve under it.
      1. Open the file and set dir to /home/ca_server/demoCA/.
        vi openssl.cnf

      2. Press Esc, type :wq!, and press Enter to save the settings and exit.
    3. Generate a CA private key and a self-signed CA certificate. The certificate is signed with SHA-256; SHA-1 is deprecated for certificate signatures and should not be used for a new CA.
      openssl genrsa  -out ca.key 3072
      openssl req -new -x509 -days 3650 -sha256 -extensions v3_ca  -key ca.key  -out ca.crt   -subj "/C=CN/ST=shenzhen/L=shenzhen/O=Huawei/OU=Huawei/CN=CA1"  -config ./openssl.cnf
      cp ca.key demoCA/private/cakey.pem
      cp ca.crt demoCA/cacert.pem
    4. Check that the CA certificate carries the CA flag: in the output of the following command, the X509v3 Basic Constraints line must read CA:TRUE.
      openssl x509 -in ca.crt -noout -text

  2. Issue certificates.

    After Exporting CSR Files is performed, the CSR files of the daemon and haf_user are transferred to the corresponding issuing paths on the remote CA server. Each file name is prefixed with the MAC address of the host that exported the CSR.

    To obtain that MAC address on the exporting host, run ifconfig | grep ether | awk 'NR==1' | awk '{print $2}'. An example command output is 68:4x:xx:xx:xx:aa; the prefix is this string with the colons (:) removed.

    [root@agent3]# ll /home/ca_server/
    total 32K
    -rw------- 1 root root 1.5K Nov 17 09:07 844xxxxxxxbbdaemon.csr
    -rw-rw---- 1 root root 1.5K Nov 17 09:07 844xxxxxxxbbhaf_user.csr
    -rw-r--r-- 1 root root 1.7K Nov 17 10:24 ca.crt
    -rw------- 1 root root 2.5K Nov 17 10:24 ca.key
    drwxr-xr-x 5 root root 4.0K Nov 17 15:32 demoCA
    -rw-r--r-- 1 root root  11K Nov 17 10:23 openssl.cnf
    • Manual issuing
      To issue the haf_user and daemon certificates, run the following commands in the CA server certificate issuing path (/home/ca_server/ in this example, so that openssl.cnf, ca.crt, and ca.key resolve). The output file must keep the same prefix as the CSR:
      openssl ca -policy policy_anything  -extensions v3_req -out 844xxxxxxxbbhaf_user.crt  -config openssl.cnf -days 3650 -cert ca.crt -keyfile ca.key -infiles 844xxxxxxxbbhaf_user.csr
      
      openssl ca -policy policy_anything  -extensions v3_req -out 844xxxxxxxbbdaemon.crt  -config openssl.cnf -days 3650 -cert ca.crt -keyfile ca.key -infiles 844xxxxxxxbbdaemon.csr
      Table 1 Parameters description

      Option     Value
      -out       Output certificate file.
                 NOTE: The prefix of the certificate file name must be the same as that of the CSR file.
      -config    Configuration file (the openssl.cnf edited when the CA server was set up).
      -days      Certificate validity period, in days.
      -cert      CA certificate used to sign the CSR.
                 NOTE: The CA certificate must be named ca.crt, which is used in the subsequent certificate import steps.
      -keyfile   CA private key file.
      -infiles   CSR files to be processed. This must be the last option on the command line; every argument after it is read as a CSR file.
                 NOTE: The name of an issued certificate must be the same as that of the corresponding CSR file.

    • Automatic issuing

      The following script issues certificates automatically. It does two things:

      1. Watches the certificate issuing directory and reacts as soon as a new CSR file has been fully written there.
      2. Signs each new CSR and writes a .crt file with the same prefix as the CSR into the same directory. For example, service.csr yields service.crt.
        #!/bin/bash
        # Watch the issuing directory and sign every CSR that lands in it.
        # close_write and moved_to fire only after the transfer has finished
        # writing the file; the create event fires on an empty file and would
        # hand a truncated CSR to openssl.
        cert_path=/home/ca_server/
        inotifywait -m -e close_write -e moved_to "${cert_path}" | while read -r path action file
        do
            if [[ "$file" =~ \.csr$ ]]; then # Does the file end with .csr?
                echo "Found new CSR file"
                cert_name="${path}${file}"
                echo "${cert_name}"
                prefix_name="${cert_name%.*}"  # strip the .csr suffix; the .crt keeps the prefix
                echo "${prefix_name}"
                cd "${cert_path}" || exit 1
                # Delete the CSR only after signing succeeded, so a failed run can be retried.
                if openssl ca -batch -policy policy_anything -extensions v3_req  -out "${prefix_name}.crt" -days 3650 -config "${cert_path}openssl.cnf" -cert "${cert_path}ca.crt" -keyfile "${cert_path}ca.key" -infiles "${cert_name}"; then
                    rm -f "${cert_name}"
                else
                    echo "Signing ${cert_name} failed; CSR kept"
                fi
            fi
            echo "End"
        done
      3. While the preceding script is running, the issued certificates appear in the certificate issuing path shortly after the CSR files are exported, and the corresponding CSR files on the CA server are deleted automatically.
        [root@ca_server]# ll /home/ca_server/
        total 40K
        -rw-r--r-- 1 root root 5.6K Nov 17 15:44 8446fe73b2bbdaemon.crt
        -rw-r--r-- 1 root root 5.6K Nov 17 15:44 8446fe73b2bbhaf_user.crt
        -rw-r--r-- 1 root root 1.7K Nov 17 10:24 ca.crt
        -rw------- 1 root root 2.5K Nov 17 10:24 ca.key
        drwxr-xr-x 5 root root 4.0K Nov 17 15:44 demoCA
        -rw-r--r-- 1 root root  11K Nov 17 10:23 openssl.cnf
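
The following script is an added example, not code from this page or from the product it documents. It runs the two procedures above (CA setup and certificate issuing) end to end inside a temporary directory, with a minimal openssl.cnf written inline instead of the copied /etc/pki/tls/openssl.cnf, and then performs the check the page stops short of: that the issued certificate chains to ca.crt, is itself CA:FALSE, and that the CA certificate is CA:TRUE. It assumes openssl 1.1 or 3.x on PATH; the subject names (Example, CA1) and the CSR name daemon are illustrative stand-ins for the MAC-prefixed daemon and haf_user files, and the temp directory stands in for /home/ca_server/.

```shell
#!/bin/bash
# Added example (not part of the original page): a throwaway CA that follows the
# page's procedure end to end in a temporary directory, then verifies the result.
# Assumes openssl 1.1 or 3.x on PATH. Names (Example, CA1, daemon) are illustrative.
set -eu

# Step 1 of the page: demoCA layout, a minimal openssl.cnf whose dir points at it,
# and a 3072-bit CA key with a self-signed CA:TRUE certificate.
ca_init() {
    local root="$1"
    mkdir -p "$root/demoCA/newcerts" "$root/demoCA/private" "$root/demoCA/certs"
    chmod 700 "$root/demoCA/private"          # signing key lives here: owner only
    echo 01 > "$root/demoCA/serial"
    : > "$root/demoCA/index.txt"
    cat > "$root/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $root/demoCA
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$root/ca.key" 3072 2>/dev/null
    openssl req -new -x509 -days 3650 -sha256 -extensions v3_ca -key "$root/ca.key" \
        -out "$root/ca.crt" -subj "/C=CN/O=Example/CN=CA1" -config "$root/openssl.cnf"
    cp "$root/ca.key" "$root/demoCA/private/cakey.pem"
    cp "$root/ca.crt" "$root/demoCA/cacert.pem"
}

# A client key and CSR, standing in for what the Exporting CSR Files step delivers.
make_csr() {
    local root="$1" name="$2"
    openssl genrsa -out "$root/$name.key" 2048 2>/dev/null
    openssl req -new -key "$root/$name.key" -subj "/CN=$name" \
        -out "$root/$name.csr" -config "$root/openssl.cnf"
    echo "$root/$name.csr"
}

# Step 2 of the page: sign one CSR. The .crt keeps the CSR's prefix and -infiles is last.
ca_sign() {
    local root="$1" csr="$2" prefix="${2%.*}"
    openssl ca -batch -policy policy_anything -extensions v3_req -days 3650 \
        -config "$root/openssl.cnf" -cert "$root/ca.crt" -keyfile "$root/ca.key" \
        -out "$prefix.crt" -infiles "$csr" 2>/dev/null
    echo "$prefix.crt"
}

# The check the page does not spell out: the leaf chains to ca.crt, is not a CA,
# and the CA certificate really carries CA:TRUE. Returns 0 only if all hold.
ca_verify() {
    local root="$1" crt="$2"
    openssl verify -CAfile "$root/ca.crt" "$crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$crt" -noout -text | grep -q 'CA:FALSE' || return 1
    openssl x509 -in "$root/ca.crt" -noout -text | grep -q 'CA:TRUE' || return 1
    return 0
}

# Stand-alone run: set up the CA, issue one certificate, verify it, clean up.
root="$(mktemp -d)"
ca_init "$root"
csr="$(make_csr "$root" daemon)"
crt="$(ca_sign "$root" "$csr")"
ca_verify "$root" "$crt"
echo "issued and verified: $crt"
rm -rf "$root"
```

The inline configuration shows what the page's "set dir" step actually does: every path openssl ca touches (index.txt, serial, newcerts) is derived from dir, so pointing dir at the wrong tree silently signs into a different database. The v3_req section is what decides that an issued certificate is CA:FALSE; if that section is missing from the copied openssl.cnf, openssl ca fails with an extension-section error rather than issuing an unconstrained certificate.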