To generate custom TLS certificates for NFM-P

Purpose

This procedure applies only to NFM-P.

Perform one of the following procedures to generate a set of TLS key and certificate files to provide as security artifacts on NFM-P in an NSP deployment.

You can apply NFM-P certificates when:

  • installing or upgrading NFM-P

  • a certificate is about to expire or is expired

  • a component is added to or replaced in the NSP system

  • a component IP address changes

See appropriate procedures in this guide and “NSP TLS administration overview” in the NSP System Administrator Guide for more information.

Using the Java keytool utility

The procedure uses the Java keytool utility, which is included in each Java Development Kit, or JDK, and Java Runtime Environment, or JRE. The keytool utility is described on the Oracle website.

Note: You require root user privileges to run the keytool command.

To generate and apply NFM-P TLS certificates using keystore and truststore files

Note: The Bash shell is the supported command shell for RHEL CLI operations.

Note: A leading # character in a command line represents the root user prompt, and is not to be included in a typed command.

Generate TLS certificate
1 

Log in as the root user on the station.

2 
Open a console window.

3 
Generate a keystore file that contains the certificate.

Note: A file path in the keystore_file value, or in the name of any file generated in a subsequent step, must not include /opt/nsp/os. If you do not include a path, the file is generated in the current working directory, which must not be below /opt/nsp/os.

Note: You must enclose a password that contains a special character in single quotation marks; for example:

-keypass 'Mypa$$word' -storepass 'Mypa$$word'

Note: You can enter a DNS or IP address as the SAN server entry.

Enter one of the following commands:

keytool -genkeypair -alias alias -keyalg RSA -keypass password -storepass password -keystore keystore_file -validity days -dname "CN=server_name, OU=org_unit, O=org_name, L=locality, S=state, C=country" -ext bc=ca:false -ext san=IP:IP_address,DNS:DNS_name

where

alias is a case-insensitive alias that is required for subsequent keytool operations

password is the password for the key and keystore

Note: The keypass and storepass passwords must be identical.

keystore_file is the name of the keystore file to generate

days is the number of days for which the certificate is to be valid

server_name is the common name or hostname of the server

org_unit is a department or division name

org_name is a company name

locality is a city name

state is a state or region name

country is a country code, for example, US

IP_address is the server IP address

DNS_name is the hostname or FQDN; the hostname or FQDN must be resolvable by DNS


Export certificate
4 

Enter the following to export the certificate from the keystore to a certificate file:

Note: You must enclose a password that contains a special character in single quotation marks; for example:

-storepass 'Mypa$$word'

keytool -export -alias alias -keystore keystore_file -storepass password -file certificate_file

where

alias is the alias specified during keystore creation

keystore_file is the keystore file generated in Step 3

password is the keystore password in Step 3

certificate_file is the name of the certificate file to generate


Generate and submit CSR
5 

Generate a certificate signing request, or CSR.

Note: You can enter a DNS or IP address as the SAN server entry

  1. Enter one of the following:

    path/keytool -certreq -alias alias -keystore keystore_file -file CSR_file -storetype JKS -ext san=IP:IP_address,DNS:DNS_name -ext ExtendedKeyUsage=serverAuth,clientAuth ↵

    where

    alias is the keystore alias

    keystore_file is the keystore file generated in Step 3

    CSR_file is the name of the CSR file to generate

    IP_address is the server IP address used in Step 3

    DNS_name is the hostname or FQDN used in Step 3; the hostname or FQDN must be resolvable by DNS

    The following prompt is displayed:

    Enter keystore password:

  2. Enter the keystore password.

    The utility generates a CSR file.

6 
Send the CSR file to a CA for signing. The CA returns the following certificate files, which contain a trusted root certificate in a hierarchical certificate chain:

  • server.pem—the signed server certificate, containing the server public key

  • CA.pem—the CA certificate, containing the CA public key

Note: The TLS certificate files must be PEM certificates (base64 format) to integrate with NSP. Convert the certificate files to PEM format as needed.

7 
If you are using an intermediate CA, enter the following to generate the chained server .pem file:

cat server.pem ca-chained.pem > server-chained.pem ↵

Note: The certificate order is important; the server certificate must be first in the chain of certificates in the file in order for the NSP installer to read the certificates correctly.
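
The notes above place three constraints on the files that enter the keystore in the next section: generated files must not sit under /opt/nsp/os, certificate files must be PEM (base64), and the server certificate must be the first block of server-chained.pem. The following Bash script is an added example, not part of the NSP documentation, that checks all three around the concatenation step. It uses only standard POSIX tools (no openssl or keytool), so it also runs on a station where Java is not yet installed. The file names server.pem, ca-chained.pem and server-chained.pem are the ones used above; the sample files its helper writes are constructed PEM framing around dummy base64 text, not real certificates.

```shell
#!/bin/bash
# Pre-flight checks for the certificate files and output paths used in this
# procedure. Added example, not part of the NSP documentation.
# Assumed file names (from the steps above): server.pem, ca-chained.pem,
# server-chained.pem.

# Succeed unless the path (absolute, or relative to the current directory)
# lies under /opt/nsp/os, which the Step 3 note forbids for generated files.
path_outside_nsp_os() {
    local p="$1"
    case "$p" in
        /*) ;;
        *) p="$PWD/$p" ;;
    esac
    case "$p" in
        /opt/nsp/os|/opt/nsp/os/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Succeed when the file is a base64 (PEM) certificate file; a DER file has
# no "-----BEGIN CERTIFICATE-----" header and must be converted first.
is_pem_cert_file() {
    grep -q '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null
}

# Print the number of certificate blocks in a PEM file (0 if none).
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Print the n-th (1-based) certificate block of a PEM file.
pem_nth_cert() {
    awk -v want="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /^-----END CERTIFICATE-----/ && n == want { exit }
    ' "$1"
}

# Succeed when the first block of the chained file is the server certificate,
# which is the order the NSP installer requires.
chain_starts_with_server() {
    [ "$(pem_nth_cert "$1" 1)" = "$(pem_nth_cert "$2" 1)" ]
}

# Run the Step 7 concatenation with checks around it: both inputs must be PEM,
# the output must live outside /opt/nsp/os, the server certificate must come
# first, and no block may be lost (a server.pem without a trailing newline
# fuses two blocks onto one line, which the count check catches).
build_and_check_chain() {
    local server_pem="$1" ca_pem="$2" out="$3"
    is_pem_cert_file "$server_pem" || { echo "$server_pem: not a PEM certificate file" >&2; return 1; }
    is_pem_cert_file "$ca_pem"     || { echo "$ca_pem: not a PEM certificate file" >&2; return 1; }
    path_outside_nsp_os "$out"     || { echo "$out: must not be under /opt/nsp/os" >&2; return 1; }
    cat "$server_pem" "$ca_pem" > "$out"
    chain_starts_with_server "$server_pem" "$out" || { echo "$out: server certificate is not first" >&2; return 1; }
    local expected=$(( $(pem_cert_count "$server_pem") + $(pem_cert_count "$ca_pem") ))
    [ "$(pem_cert_count "$out")" -eq "$expected" ] || { echo "$out: expected $expected certificate blocks" >&2; return 1; }
}

# Write constructed sample files into DIR for trying the checks out: PEM
# framing around dummy base64 text (not real certificates), plus a binary
# DER-style file that the format check must reject.
make_constructed_samples() {
    local dir="$1"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'U0VSVkVSLUNFUlQtUExBQ0VIT0xERVI=' \
        '-----END CERTIFICATE-----' > "$dir/server.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'SU5URVJNRURJQVRFLVBMQUNFSE9MREVS' \
        '-----END CERTIFICATE-----' '-----BEGIN CERTIFICATE-----' \
        'Uk9PVC1DQS1QTEFDRUhPTERFUg==' '-----END CERTIFICATE-----' > "$dir/ca-chained.pem"
    printf '\060\202\001\000' > "$dir/server.der"
}
```

In place of the plain cat in Step 7, run build_and_check_chain server.pem ca-chained.pem server-chained.pem from the directory where the files were generated; a non-zero exit with one of the messages above means the import in the next section would fail or produce a keystore the installer cannot read.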


Import TLS certificates into NFM-P keystore and truststore files
8 

Import the root CA certificate into the keystore.

keytool -import -trustcacerts -alias alias -file ca-chained.pem -keystore keystore_file -storepass password

where

alias is the alias for the root certificate

keystore_file is the keystore file generated in Step 3

password is the keystore password in Step 3

9 

Import the certificate chain into the keystore.

keytool -import -trustcacerts -alias alias -file server-chained.pem -keystore keystore_file -storepass password

where

alias is the keystore alias in Step 3

keystore_file is the keystore file generated in Step 3

password is the keystore password in Step 3


10 

Import the root CA certificate into the truststore.

keytool -import -trustcacerts -alias alias -file ca-chained.pem -keystore truststore_file -storepass password

where

alias is the alias for the root certificate in ca-chained.pem.

truststore_file is the truststore file

password is the truststore password


11 

Enter the following to convert the keystore to PKCS12 format:

keytool -importkeystore -noprompt -srckeystore keystore_file -destkeystore file_name.pkcs12 -deststoretype PKCS12 -deststorepass storepass -destkeypass keypass -srcstorepass storepass -srckeypass keypass -alias alias

where

alias is the keystore alias in Step 3

keystore_file is the keystore file generated in Step 3

file_name is the name of the new keystore file in PKCS12 format

keypass is the key password from Step 3

storepass is the keystore password from Step 3; as noted in Step 3, the two passwords must be identical


12 

Enter the following to extract the private key from the PKCS12 keystore to a file:

openssl pkcs12 -in file_name.pkcs12 -passin pass:keypass -nodes -nocerts -descert -out private_key.key ↵

where

file_name is the name of the keystore file in PKCS12 format

private_key is the name to assign to the private key file
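
Before private_key.key and server.pem are handed to samconfig in the next section, a practitioner normally confirms that the key actually belongs to the certificate, that the SAN still carries the server name and IP address given in Step 3, that the certificate chains to the CA file, and that it is not close to expiry. The following Bash functions are an added example, not part of the NSP documentation, that do this with the openssl CLI already used in Step 12. The file names private_key.key, server.pem and ca-chained.pem are the ones used above; the SAN values nfmp.example.com and 192.0.2.10 and the 30-day expiry threshold are assumptions.

```shell
#!/bin/bash
# Sanity checks on the private key and certificate produced in Steps 11 and 12
# before they are configured in samconfig. Added example, not part of the NSP
# documentation. Uses only the openssl CLI, which Step 12 already requires.
# Assumed file names (from the steps above): private_key.key, server.pem,
# ca-chained.pem.

# Succeed when the file parses as an unencrypted private key. Step 12 used
# -nodes, so a passphrase prompt would itself indicate a problem; the empty
# -passin makes such a key fail instead of blocking the script.
key_is_valid() {
    openssl pkey -in "$1" -noout -passin pass: >/dev/null 2>&1
}

# Print the SHA-256 of the PEM-encoded public key derived from a private key,
# or held in a certificate, so the two can be compared regardless of key type.
spki_fingerprint_of_key() {
    local pub
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) && [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{ print $NF }'
}
spki_fingerprint_of_cert() {
    local pub
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) && [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{ print $NF }'
}

# Succeed when the private key belongs to the first certificate in the file;
# on server-chained.pem that is the server certificate if the order is right.
key_matches_cert() {
    local k c
    k=$(spki_fingerprint_of_key "$1") || return 1
    c=$(spki_fingerprint_of_cert "$2") || return 1
    [ "$k" = "$c" ]
}

# Succeed when the subjectAltName of the certificate contains the given entry,
# written as openssl prints it, e.g. 'DNS:nfmp.example.com' or
# 'IP Address:192.0.2.10' (both values are placeholders).
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | awk '/Subject Alternative Name/ { getline; print }' \
        | grep -qF -- "$2"
}

# Succeed when the certificate is still valid SECONDS from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Succeed when the server certificate chains to the CA file (ca-chained.pem).
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run every check, print one PASS/FAIL line per check, and return 1 if any
# failed. Usage: check_tls_artifacts KEY CERT CA_FILE [SAN_ENTRY ...]
check_tls_artifacts() {
    local key="$1" cert="$2" ca="$3" rc=0 san
    shift 3
    report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; rc=1; fi; }
    report key_is_valid "$key"
    report key_matches_cert "$key" "$cert"
    report chain_verifies "$cert" "$ca"
    report cert_valid_for "$cert" $((30 * 86400))   # assumed 30-day expiry warning threshold
    for san in "$@"; do report cert_has_san "$cert" "$san"; done
    return $rc
}
```

A typical call after Step 12 is check_tls_artifacts private_key.key server.pem ca-chained.pem 'DNS:nfmp.example.com' 'IP Address:192.0.2.10' with the SAN entries replaced by the DNS_name and IP_address from Step 3. A FAIL on key_matches_cert means the PKCS12 export in Step 11 picked a different alias than the one the CSR was issued for, which samconfig would not detect until the service fails to start.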


13 

As required, perform the NFM-P TLS configuration described in “NSP component TLS configuration” in the NSP System Administrator Guide.


Apply updated keystore and truststore files to NFM-P configuration
 
14 

Enter the following:

samconfig -m main ↵

The following is displayed:

Start processing command line inputs...

<main>


15 

Configure the keystore and truststore files.

Enter the following:

<main> configure tls ↵

<main configure tls> keystore-file /path/keystore_file

<main configure tls> keystore-pass keystore_password

<main configure tls> truststore-file /path/truststore_file

<main configure tls> truststore-pass truststore_password

<main configure tls> alias alias

<main configure tls> exit ↵

where

path is the location of the keystore_file or truststore_file

keystore_file and keystore_password are from Step 9

truststore_file and truststore_password are from Step 10

alias is from Step 3


16 

Enter the following:

<main> apply ↵

The configuration is applied.


17 

You can verify the configuration was applied by entering the following:

<main configure tls> show ↵

The output shows the following:

  • value for regen-from-pem-cert is false

  • correct alias is configured

  • values for private-key, public-certificate, and ca-certificate are empty

  • values for the keystore and truststore files and passwords are empty


18 

Enter the following:

<main> exit ↵

The samconfig utility closes.


19 

Close the console window.

End of steps

To apply NFM-P TLS certificates using a private key and public certificates
1 

Log in as the root user on the station.

2 
Open a console window.

3 
Enter the following:

samconfig -m main ↵

The following is displayed:

Start processing command line inputs...

<main>

4 
Enter the following:

<main> configure tls ↵

The prompt changes to <main configure tls>.

Note: When you enter the following to check the security configuration:

<main configure tls> show ↵

the values for private-key, public-certificate, and ca-certificate are empty.

5 
Enter the following to generate the certificates:

<main configure tls> regen-from-pem-cert ↵

<main configure tls> private-key path/filename.key

<main configure tls> public-certificate path/filename.pem

<main configure tls> ca-certificate path/filenameCa.pem

where

path is the location of the file in the command

filename.key is the name to assign to the private key file

filename.pem is the name to assign to the public certificate file

filenameCa.pem is the name to assign to the public trusted CA certificate file

6 
Enter the following to display the generated certificates:

<main configure tls> show ↵

Output like the following is displayed:

tls : Security Configuration

    regen-from-pem-cert   : true

    private-key           : /extra/NFMP_Key_4096/nfmp_custSigned.key

    public-certificate    : /extra/NFMP_Key_4096/nfmp_custSigned.pem

    ca-certificate        : /extra/NFMP_Key_4096/nfmp_custSignedCa.pem

7 
Enter the following:

<main configure tls> exit ↵

The prompt changes to <main>.

8 
Enter the following:

<main> apply ↵

The configuration is applied.

9 
You can verify the configuration was applied by entering the following:

<main configure tls> show ↵

The output shows the following:

  • the value for regen-from-pem-cert is false

  • the values for private-key, public-certificate, and ca-certificate are empty


10 

Enter the following:

<main> exit ↵

The samconfig utility closes.


11 

Close the console window.

End of steps