
Introduction


Prerequisites

The scripts below assume the following directory layout:

  • <ca>  The directory <ca> is a placeholder. Any directory can be used.
    • create_root_ca.sh
    • create_certificate.sh
    • certs
    • csr
    • private

Users should create the directories certs, csr and private like this:

Create directories for Certificate Authority
mkdir certs csr private

Create Root CA Certificate

This step creates a private key (root-ca.key) and a self-signed certificate (root-ca.crt), both in PEM format. As a result the following files will be created:

  • <ca>/certs/root-ca.crt
  • <ca>/private/root-ca.key

This step is performed only once. If the script is executed again, a new Root CA certificate is created and all server certificates signed by the previous Root CA have to be renewed.

Run ./create_root_ca.sh shell script
./create_root_ca.sh
Shell script create_root_ca.sh
#!/bin/bash

# Create Root CA private key and certificate

set -e

CA_HOME=$(dirname "$0")
CA_HOME=$(cd "${CA_HOME}" >/dev/null && pwd)

CA_CERTS=${CA_HOME}/certs
CA_PRIVATE=${CA_HOME}/private

# Step 1 - Generate Certificate Authority (CA) Private Key (EC key on curve P-256)
openssl ecparam -name prime256v1 -genkey -noout -out "${CA_PRIVATE}/root-ca.key"

# Step 2 - Generate the self-signed Certificate Authority Certificate.
# The subject (DN) is entered interactively. -days is given explicitly because
# "openssl req -x509" otherwise issues a certificate valid for 30 days only,
# which is shorter than the 7300 days of the server certificates signed with it.
openssl req -new -x509 -sha256 -days 7300 -key "${CA_PRIVATE}/root-ca.key" -out "${CA_CERTS}/root-ca.crt"


Create Server Certificate

This step creates a private key and a certificate signing request (CSR) for the server and signs the CSR with the Root CA key. As a result the following files will be created:

  • <ca>/private/<server-hostname>.key
  • <ca>/csr/<server-hostname>.csr
  • <ca>/certs/<server-hostname>.crt

This step is performed for each server certificate that should be created:

  • Download: create_certificate.sh
  • The shell script is executed with a single argument: the hostname of the server that should receive the certificate. 

Run ./create_certificate.sh shell script
./create_certificate.sh <server-hostname>
Shell script create_certificate.sh
#!/bin/bash

# Create certificate for Server Authentication and Client Authentication

set -e

CA_HOME=$(dirname "$0")
CA_HOME=$(cd "${CA_HOME}" >/dev/null && pwd)

CA_CERTS=${CA_HOME}/certs
CA_CSR=${CA_HOME}/csr
CA_PRIVATE=${CA_HOME}/private


# Specify server for which the certificate should be created
SERVER=$1
if [ -z "${SERVER}" ]; then
    echo "usage: $0 <server-hostname>" >&2
    exit 1
fi

# Create required sub-directories
mkdir -p "${CA_CERTS}" "${CA_CSR}" "${CA_PRIVATE}"


# Step 1 - Generate Private Key and Certificate Signing Request
# The subject is taken from openssl-cert.config; -reqexts names the section
# with the CSR extensions ("-extensions" only applies when -x509 is used).
openssl req -new -config "${CA_HOME}/openssl-cert.config" -reqexts 'standard exts' -nodes \
    -newkey rsa:4096 -keyout "${CA_PRIVATE}/${SERVER}.key" -out "${CA_CSR}/${SERVER}.csr"

# Step 2 - Generate and Sign the Server Certificate with the Root CA key.
# The certificate extensions are supplied via -extfile. The subjectAltName is
# derived from the hostname argument (earlier revisions of this script hard-coded
# DNS:apmaccs,DNS:apmaccs.sos here); add further DNS: entries as required.
openssl x509 -req \
    -in "${CA_CSR}/${SERVER}.csr" \
    -CA "${CA_CERTS}/root-ca.crt" \
    -CAkey "${CA_PRIVATE}/root-ca.key" \
    -CAcreateserial \
    -out "${CA_CERTS}/${SERVER}.crt" -days 7300 \
    -extfile <(printf "subjectAltName=DNS:${SERVER}\nnsCertType = client, server\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth, clientAuth\n")


For the script to run successfully, the following openssl-cert.config file has to be present in the <ca> directory. Its commonName entry holds the hostname of the server (here apmaccs) and is used as the subject of the CSR.

OpenSSL configuration file openssl-cert.config
[ req ]
prompt             = no
distinguished_name = standard dn

[ standard dn ]
            commonName = apmaccs
           countryName = DE
          localityName = Berlin
      organizationName = SOS
organizationalUnitName = JS7
   stateOrProvinceName = Berlin

[ standard exts ]
extendedKeyUsage = serverAuth,clientAuth
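The following script is an added example and not one of the page's scripts. It builds the <ca> layout described above in a scratch directory without interactive prompts (the subject and extensions are written to small config files, as openssl-cert.config does), issues one server certificate whose subjectAltName is derived from the hostname argument, and then checks what a TLS client would check: that the certificate chains to the root, that the hostname matches, that the leaf is not itself a CA, and how long the root remains valid. It assumes a standard openssl binary (1.1.1 or 3.x) on PATH; the validity periods (3650 days for the root, 825 days for the server), the subject names and the hostname server.example.test are chosen here and are not taken from the page.

```sh
#!/bin/sh
# Added example, not the page's own scripts. Assumes a standard openssl binary on PATH.
# Validity periods, subject names and hostnames below are constructed for this example.
set -eu

# Root CA: directories, EC P-256 key and a self-signed certificate that carries explicit
# CA extensions. Without -days, "openssl req -x509" would issue a 30-day certificate.
make_root_ca() {
    ca="$1"
    mkdir -p "$ca/certs" "$ca/csr" "$ca/private"
    openssl ecparam -name prime256v1 -genkey -noout -out "$ca/private/root-ca.key"
    cat > "$ca/root-ca.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = root_dn
x509_extensions    = root_ext
[ root_dn ]
commonName         = Example Root CA
[ root_ext ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -new -x509 -sha256 -days 3650 -config "$ca/root-ca.cnf" \
        -key "$ca/private/root-ca.key" -out "$ca/certs/root-ca.crt"
}

# Server certificate for hostname $2: RSA key, CSR with CN=$2, then signing by the root.
# The leaf extensions come from an -extfile written per host, so the SAN always matches
# the name the function was called with and the leaf is explicitly marked CA:FALSE.
issue_server_cert() {
    ca="$1"; host="$2"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$ca/private/$host.key"
    printf '[ req ]\nprompt = no\ndistinguished_name = dn\n[ dn ]\ncommonName = %s\n' "$host" \
        > "$ca/csr/$host.cnf"
    openssl req -new -sha256 -config "$ca/csr/$host.cnf" \
        -key "$ca/private/$host.key" -out "$ca/csr/$host.csr"
    printf 'subjectAltName = DNS:%s\nbasicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth, clientAuth\n' "$host" \
        > "$ca/csr/$host.ext"
    openssl x509 -req -sha256 -days 825 -in "$ca/csr/$host.csr" \
        -CA "$ca/certs/root-ca.crt" -CAkey "$ca/private/root-ca.key" -CAcreateserial \
        -extfile "$ca/csr/$host.ext" -out "$ca/certs/$host.crt"
}

# Exit 0 when the certificate of $2 chains to the root and its SAN matches the name $3.
verify_server_cert() {
    ca="$1"; host="$2"; expected="$3"
    openssl verify -CAfile "$ca/certs/root-ca.crt" -verify_hostname "$expected" \
        "$ca/certs/$host.crt" >/dev/null 2>&1
}

# Exit 0 when the leaf certificate of $2 is not itself a CA (cannot sign further certs).
leaf_is_not_ca() {
    openssl x509 -in "$1/certs/$2.crt" -noout -text | grep -q 'CA:FALSE'
}

# Exit 0 when the certificate file $1 is still valid for at least $2 more seconds.
valid_for_at_least() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

demo() {
    ca=$(mktemp -d)
    make_root_ca "$ca"
    issue_server_cert "$ca" server.example.test
    verify_server_cert "$ca" server.example.test server.example.test && echo "chain and hostname OK"
    verify_server_cert "$ca" server.example.test other.example.test || echo "hostname mismatch rejected"
    valid_for_at_least "$ca/certs/root-ca.crt" 2592000 && echo "root valid for more than 30 days"
    rm -rf "$ca"
}
demo
```

Running it with sh prints the three OK lines. The valid_for_at_least check is the one to run against a root created with the page's original create_root_ca.sh: a root issued without -days fails it after the 30-day default, and every server certificate signed with that root stops verifying at the same time.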