To generate custom TLS certificate files for the NSP
Purpose
Perform this procedure to generate a set of TLS key and certificate files to provide as security artifacts in an NSP deployment.
The locations of the custom TLS files that the procedure generates are the required inputs to the ‘nspdeployerctl secret’ prompts when you create or update the custom TLS secret, as shown below:
where
customKey is the location of the private server key file extracted in Step 9
customCert—location of one of the following:
customCaCert—location of CA.pem key file obtained in Step 7
In addition, the CA key file location must be specified as shown below in the tls section of the NSP cluster configuration file:
customCaCert—location of CA.pem key file obtained in Step 7
Using the Java keytool utility
The procedure uses the Java keytool utility, which is included in each Java Development Kit, or JDK, and Java Runtime Environment, or JRE. The keytool utility is described on the Oracle website.
You can run the keytool command from any directory on an NSP deployer host or cluster VM. If the NSP is not yet deployed, ensure that the keytool utility on the station that you use is from the supported Java version specified in the NSP Planning Guide.
Note: The keytool utility that you use must be from the Java version that the NSP uses.
Note: You require root user privileges to run the keytool command.
Steps
Note: The Bash shell is the supported command shell for RHEL CLI operations.
Note: A leading # character in a command line represents the root user prompt, and is not to be included in a typed command.
Generate TLS certificate

Step 1
Log in as the root user on the station that hosts the keytool utility.

Step 2
Open a console window.

Step 3
Generate a keystore file that contains the certificate.
Note: A file path in the keystore_file value, or in the name of any file generated in a subsequent step, must not include /opt/nsp/os. If you do not include a path, the file is generated in the current working directory, which must not be below /opt/nsp/os.
Note: You must enclose a password that contains a special character in single quotation marks; for example:
-keypass 'Mypa$$word' -storepass 'Mypa$$word'
# keytool -genkeypair -alias alias -keyalg RSA -keypass password -storepass password -keystore keystore_file -validity days -dname "CN=server_name, OU=org_unit, O=org_name, L=locality, S=state, C=country" -ext bc=ca:true -ext san=DNS:DNS_name ↵
where
alias is a case-insensitive alias that is required for subsequent keytool operations
password is the password for the key and keystore
Note: The keypass and storepass passwords must be identical.
keystore_file is the name of the keystore file to generate
days is the number of days for which the certificate is to be valid
server_name is the common name or hostname of the server
org_unit is a department or division name
org_name is a company name
locality is a city name
state is a state or region name
country is a country code, for example, US
DNS_name is the DNS-resolvable server hostname or FQDN
Note: A custom certificate is unique to an NSP cluster; in a DR deployment, each cluster requires a unique, cluster-specific SAN entry.
Note: Multiple server SAN entries are separated using semicolons; for example:
san=DNS:DNS_name_1;DNS:DNS_name_2
Note: In an NSP deployment that includes NFM-P, uses separate client and internal interfaces, and does not use mTLS, the SAN field must also include the internal advertised address of the NSP cluster. The address to include is one of the following in the platform—ingressApplications—ingressController section of the config.yml file on the local NSP deployer host:
In the internalAddresses subsection, if configured; otherwise, in the clientAddresses subsection:
If mTLS is used between the NSP and NFM-P in such a deployment, you do not need to include the internal NSP address in the SAN field.

Step 4
Record the alias and password values that you specify.
Export certificate

Step 5
Enter the following to export the certificate from the keystore to a certificate file:
Note: You must enclose a password that contains a special character in single quotation marks; for example:
-storepass 'Mypa$$word'
# keytool -export -alias alias -keystore keystore_file -storepass password -file certificate_file ↵
where
alias is the alias specified during keystore creation
keystore_file is the source keystore file, for example, /opt/samserver.keystore
password is the keystore password
certificate_file is the name of the certificate file to generate
Generate and submit CSR

Step 6
Generate a certificate signing request, or CSR.

Step 7
Send the CSR file to a CA for authentication. The CA returns the following certificate files that contain a trusted root certificate in a hierarchical certificate chain.
Generate NSP cluster TLS artifacts

Step 8
Enter the following to convert the keystore to PKCS12 format:
# keytool -importkeystore -noprompt -srckeystore keystore_file -destkeystore file_name.pkcs12 -deststoretype PKCS12 -deststorepass storepass -destkeypass keypass -srcstorepass storepass -srckeypass keypass -alias alias ↵
where
alias is the keystore alias
keystore_file is the keystore file generated in Step 3
file_name is the name of the new keystore file in PKCS12 format
keypass is the keystore password
storepass is the truststore password

Step 9
Enter the following to extract the private key from the PKCS12 keystore to a file:
# openssl pkcs12 -in file_name.pkcs12 -passin pass:keypass -nodes -nocerts -descert -out private_key.key ↵
where
file_name is the name of the keystore file in PKCS12 format
private_key is the name to assign to the private key file

Step 10
If you are using an intermediate CA, enter the following to generate the chained server .pem file:
# cat server.pem ca-chained.pem > server-chained.pem ↵
Note: The certificate order is important; the server certificate must be first in the chain of certificates in the file in order for the NSP installer to read the certificates correctly.

Step 11
If the NSP deployment does not include the NFM-P, go to Step 15.
Generate NFM-P TLS artifacts

Step 12
Enter the following to import the certificate to a truststore file.
Note: If the certificate is signed by a CA, you must import the entire CA chain of certificates to the truststore file; see the CA documentation for information about importing trusted certificates.
Note: You must enclose a password that contains a special character in single quotation marks; for example:
-storepass 'Mypa$$word'
# path/keytool -import -trustcacerts -alias alias -file certificate_file -keystore truststore_file -storepass password ↵
where
alias is the keystore alias
certificate_file is the self-signed or CA certificate file
truststore_file is the truststore file that is to hold the certificate
password is the truststore password

Step 13
Enter the following to import the certificate to a keystore file.
Note: You must import the entire CA chain of certificates to the keystore file; see the CA documentation for information about importing trusted certificates.
Note: You must enclose a password that contains a special character in single quotation marks; for example:
-storepass 'Mypa$$word'
# path/keytool -import -trustcacerts -alias alias -file certificate_file -keystore keystore_file -storepass password ↵
where
alias is the keystore alias
certificate_file is the CA certificate file
keystore_file is the keystore file that is to hold the certificate
password is the keystore password

Step 14
As required, perform the NFM-P TLS configuration described in “NSP component TLS configuration” in the NSP System Administrator Guide.

Step 15
Close the console window.
End of steps
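The following script is an added example, not part of the NSP documentation: it wraps the keytool and openssl commands of Steps 3, 5, 8, 9 and 10 in shell functions, enforces the /opt/nsp/os path restriction and the semicolon-separated SAN syntax from Step 3, and verifies the Step 10 ordering rule (server certificate first) before the chained file is used. It assumes keytool and openssl are on PATH; the alias, password, hostnames and file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the NSP documentation). Assumes keytool and openssl
# are on PATH; alias, password, hostnames and file names are placeholders.
set -eu

# Step 3 note: no generated file may sit under /opt/nsp/os (relative paths
# are resolved against the current working directory).
path_allowed() {
  p=$1
  case "$p" in /*) ;; *) p="$PWD/$p" ;; esac
  case "$p" in /opt/nsp/os|/opt/nsp/os/*) return 1 ;; *) return 0 ;; esac
}

# Step 3 note: several SAN entries are joined with semicolons.
san_ext() {
  out=""
  for h in "$@"; do out="${out:+$out;}DNS:$h"; done
  printf 'san=%s' "$out"
}

# Steps 3, 5, 8 and 9: keystore, exported certificate, PKCS12 keystore, private key.
# Quoting "$pass" keeps characters such as $ from being expanded by the shell.
generate_nsp_tls() {
  alias_name=$1 pass=$2 ks=$3 days=$4 dname=$5; shift 5
  path_allowed "$ks" || { echo "keystore must not be under /opt/nsp/os" >&2; return 1; }
  keytool -genkeypair -alias "$alias_name" -keyalg RSA -keypass "$pass" -storepass "$pass" \
    -keystore "$ks" -validity "$days" -dname "$dname" -ext bc=ca:true -ext "$(san_ext "$@")"
  keytool -export -alias "$alias_name" -keystore "$ks" -storepass "$pass" -file server.cer
  keytool -importkeystore -noprompt -srckeystore "$ks" -destkeystore server.pkcs12 \
    -deststoretype PKCS12 -deststorepass "$pass" -destkeypass "$pass" \
    -srcstorepass "$pass" -srckeypass "$pass" -alias "$alias_name"
  openssl pkcs12 -in server.pkcs12 -passin "pass:$pass" -nodes -nocerts -out server.key
}

# Step 10: print the first PEM certificate block of a file.
first_pem_block() {
  awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{if(p)exit}' "$1"
}
# Step 10: true only if the server certificate leads the chained file.
chain_server_first() { [ "$(first_pem_block "$1")" = "$(first_pem_block "$2")" ]; }
# Step 10: build server-chained.pem and verify the order before handing it to the NSP.
build_chain() { cat "$1" "$2" > "$3" && chain_server_first "$3" "$1"; }

# Example run with placeholder values; set NSP_TLS_RUN=1 to execute the keytool/openssl steps.
if [ "${NSP_TLS_RUN:-0}" = 1 ]; then
  generate_nsp_tls nsp 'Mypa$$word' nsp.keystore 3650 \
    "CN=nsp.example.com, OU=ops, O=Example, L=City, S=State, C=US" nsp.example.com
fi
```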