-------------------
Valid as of 8.24.
-------------------
This article shows how to create a certificate signing request (CSR) and sign it with the FMOS Certificate Authority (CA).
Start by creating a CSR on the application server with 'fmos pki gen-csr'. The options for this command are:
fmos pki gen-csr -h
usage: fmos pki gen-csr [-h] [--ip-address] [--proxy-name DNS-NAME]
                        [--no-hostname] [--digest ALGORITHM]
                        (--use-key FILENAME | --new-key FILENAME)
                        [--key-type TYPE] [--key-size BITS]
                        [--unencrypted-key]
                        filename

positional arguments:
  filename              Path to new CSR file

optional arguments:
  -h, --help            show this help message and exit
  --ip-address, --ip, -i
                        Include IP address(es) in the CSR
  --proxy-name DNS-NAME, -n DNS-NAME
                        Include additional (e.g. proxy, load balancer) name(s)
                        in the CSR. Can be specified multiple times.
  --no-hostname, -N     Do not include the machine hostname/FQDN in the CSR
  --digest ALGORITHM    CSR signing digest algorithm
  --use-key FILENAME, -k FILENAME
                        Path to existing private key file to use
  --new-key FILENAME, -K FILENAME
                        Path to new private key file
  --key-type TYPE, -t TYPE
                        Private key type (used with --new-key)
  --key-size BITS, -b BITS
                        Private key length, in bits (used with --new-key)
  --unencrypted-key     Do not encrypt private key (used with --new-key)
For example:
fmos pki gen-csr newcsr.csr -K newkey.key -i -n san.fqdn.com -n another.fqdn.com
This creates a CSR named newcsr.csr and a new private key named newkey.key. The CSR contains the machine hostname/FQDN (because --no-hostname was not given), the machine IP address(es) (-i) and the two additional names san.fqdn.com and another.fqdn.com as subject alternative names. Because --unencrypted-key was not given, the private key is encrypted; you will need its passphrase again at import time.
Copy only the CSR file (newcsr.csr) to the server that holds the CA role. By default this is the same server that holds the DB role. The private key does not need to leave the application server.
Sign the CSR with 'fmos ca sign <csr> <certificate>'. The options for this command are:
fmos ca sign -h
usage: fmos ca sign [-h] [--days DAYS] [--digest ALGORITHM] csr certificate

positional arguments:
  csr                   Path to CSR file to sign
  certificate           Path to new certificate file

optional arguments:
  -h, --help            show this help message and exit
  --days DAYS, -d DAYS  Length of the certificate validity period, in days
  --digest ALGORITHM    Certificate signing digest algorithm
For example:
fmos ca sign newcsr.csr newcert.cer --days 365
This creates a certificate file named newcert.cer that is valid for 365 days.
A certificate signed by the FMOS CA is issued by the FMOS intermediate (server) CA, which is in turn signed by the FMOS root CA, so the application server also needs both CA certificates to present a complete chain. Export them on the CA server with the following commands (the output file names are your choice):
fmos ca export-ca-cert --ca root rootfilename.cer
fmos ca export-ca-cert --ca server intermediate.cer
Copy all three certificates (newcert.cer, the root CA certificate and the intermediate certificate) back to the application server and import them with the following commands. The import of the server certificate needs the private key created by gen-csr, so run these on the server where newkey.key lives:
fmos pki import-ca rootfilename.cer
fmos pki import-server-cert newcert.cer newkey.key --chain intermediate.cer
Once the import has completed, any remote DC (data collector) must also run 'fmos ecosystem refresh' to pull in the new certificates.
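Before running the import commands on the application server it is worth confirming that the pieces actually fit together: that newkey.key belongs to newcert.cer, that newcert.cer chains to the exported root through the exported intermediate, and that the certificate carries the names the gen-csr step asked for. The shell functions below are an added example for this article and are not FireMon code or part of the fmos command; they assume the openssl command-line tool is available on the application server and use the file names from this article. Run them there after copying the certificates back but before 'fmos pki import-server-cert'. If newkey.key was created without --unencrypted-key, openssl prompts for its passphrase when it reads the key.

```sh
#!/bin/sh
# Pre-import checks for a certificate signed by the FMOS CA.
# Added example, not FireMon code. Assumes the openssl CLI is installed.
# Usage (on the application server):
#   . ./fmos-cert-preflight.sh
#   preflight rootfilename.cer intermediate.cer newcert.cer newkey.key \
#             fmos.fqdn.com san.fqdn.com another.fqdn.com

# key_matches_cert KEY CERT
# Compares the SHA-256 of the DER public key derived from the private key
# with the one embedded in the certificate. Works for RSA and EC keys.
# Prompts for a passphrase if KEY is encrypted.
key_matches_cert() {
  key="$1"; cert="$2"
  openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 1
  key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl sha256)
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null \
             | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
  [ "$key_pub" = "$cert_pub" ]
}

# chain_verifies ROOT INTERMEDIATE CERT
# Builds the path CERT -> INTERMEDIATE -> ROOT with ROOT as the only trust
# anchor, exactly what a client will do when the server presents
# CERT plus the --chain file.
chain_verifies() {
  root="$1"; intermediate="$2"; cert="$3"
  openssl verify -CAfile "$root" -untrusted "$intermediate" "$cert" >/dev/null 2>&1
}

# san_contains CERT NAME...
# Returns 0 only if every NAME appears in the certificate's Subject
# Alternative Name extension, as an exact DNS or IP Address entry.
san_contains() {
  cert="$1"; shift
  sans=$(openssl x509 -in "$cert" -noout -text 2>/dev/null \
         | tr ',' '\n' \
         | sed -n -e 's/^ *DNS://p' -e 's/^ *IP Address://p')
  for name in "$@"; do
    printf '%s\n' "$sans" | grep -qx "$name" || return 1
  done
  return 0
}

# preflight ROOT INTERMEDIATE CERT KEY NAME...
# Runs all three checks, reports each, and returns non-zero if any fails.
preflight() {
  root="$1"; intermediate="$2"; cert="$3"; key="$4"; shift 4
  rc=0
  if key_matches_cert "$key" "$cert"; then
    echo "ok:   $key matches $cert"
  else
    echo "FAIL: $key does not match $cert"; rc=1
  fi
  if chain_verifies "$root" "$intermediate" "$cert"; then
    echo "ok:   $cert chains to $root via $intermediate"
  else
    echo "FAIL: $cert does not chain to $root via $intermediate"; rc=1
  fi
  if san_contains "$cert" "$@"; then
    echo "ok:   SAN covers: $*"
  else
    echo "FAIL: SAN is missing at least one of: $*"; rc=1
  fi
  return $rc
}
```

A failed key check usually means the wrong key file was copied or a second gen-csr run overwrote newkey.key; a failed chain check usually means the wrong --ca was passed to export-ca-cert; a failed SAN check means a -n name was forgotten and the CSR has to be regenerated and re-signed.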