# Contents

- **rootCA.key** is the key used to self-sign rootCA.pem
- **rootCA.pem** is the certificate that will act as the **StackLight Root Authority**
- **md5.txt** contains the checksums of the two previous files

The **rootCA.pem** is the one that you need to add to your client to authenticate certificates signed by this certificate.

The certificate has the following information:

```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10160165599701850419 (0x8d0028c8355f5933)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=FR, ST=Rhone-Alpes, L=Grenoble, O=Mirantis, OU=StackLight, CN=StackLight Root Authority/emailAddress=mirantis@example.com
        Validity
            Not Before: Jun 23 14:43:30 2016 GMT
            Not After : Oct 25 14:43:30 3015 GMT
        Subject: C=FR, ST=Rhone-Alpes, L=Grenoble, O=Mirantis, OU=StackLight, CN=StackLight Root Authority/emailAddress=mirantis@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
...
```

# Client settings

To be able to validate certificates generated by the **StackLight Root Authority**, you need to download rootCA.pem into your web browser or pass it to the client by using the correct option.

# Create a certificate

To create a certificate, run the script **create_certificate.sh** provided in this directory. You must pass the common name that your plugin will use in the certificate.

For example, if you need a certificate for the *Elasticsearch-Kibana* plugin and you will access the server using the FQDN *kibana.fuel.local*, generate the certificate by running:

```
create_certificate.sh kibana.fuel.local
```

It will create four files:

- kibana.key: the private key
- kibana.csr: the certificate signing request.

  The script will create a certificate with the following parameters:
  - Common Name: *kibana.fuel.local* (the parameter you gave to the script)
  - Organization: *Mirantis*
  - Organizational Unit: *Fuel plugins*
  - City: *Grenoble*
  - State: *Rhone-Alpes*
  - Country: *FR*
- kibana.crt: the certificate signed by the StackLight authority
- kibana.pem: the concatenation of the CRT certificate and the private key

Only **kibana.pem** is needed for configuring the Fuel plugin.

Currently you can only pass the common name as a parameter.

If you don't want to use the script and prefer to do it manually, follow these steps:

- Generate the key for the plugin _my-plugin_.

```
openssl genrsa -out my-plugin.key 2048
```

- Create the certificate signing request.

```
openssl req -new -key my-plugin.key -out my-plugin.csr
```

Here is an example of how to fill in the fields for the Grafana plugin, where the chosen FQDN is _grafana.fuel.local_:

```
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:Rhone-Alpes
Locality Name (eg, city) []:Grenoble
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Mirantis
Organizational Unit Name (eg, section) []:Fuel plugins
Common Name (e.g. server FQDN or YOUR name) []:grafana.fuel.local
Email Address []:mirantis@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```

For _challenge password_ and _optional company name_, just press enter.

- Sign it with the CA root key.

```
openssl x509 -req -in my-plugin.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out my-plugin.crt -days 500 -sha256
```

- Concatenate the certificate and the private key into a single file.

```
cat my-plugin.crt my-plugin.key > my-plugin.pem
```
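
The manual steps above as one non-interactive script with a verification step, added here as an example (it is not the project's create_certificate.sh). It assumes a throwaway CA generated on the spot (`testCA.*`, constructed) in place of rootCA.pem and rootCA.key, and it adds a `subjectAltName`, which the commands above do not set but current browsers and TLS libraries use for host name matching. The function names are hypothetical.

```shell
#!/bin/sh
# Added example, not the project's script. Function names are hypothetical.

# issue_cert NAME FQDN CA_CERT CA_KEY: writes NAME.key/.csr/.crt/.pem in $PWD
issue_cert() {
    name=$1 fqdn=$2 ca_cert=$3 ca_key=$4
    # Subject fields as listed in the README for create_certificate.sh.
    subj="/C=FR/ST=Rhone-Alpes/L=Grenoble/O=Mirantis/OU=Fuel plugins/CN=$fqdn"
    ( umask 077 && openssl genrsa -out "$name.key" 2048 ) 2>/dev/null || return 1
    openssl req -new -key "$name.key" -subj "$subj" -out "$name.csr" || return 1
    # Assumption (not in the README): add a subjectAltName, since current
    # clients match the host name against SAN rather than the Common Name.
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$name.ext"
    openssl x509 -req -in "$name.csr" -CA "$ca_cert" -CAkey "$ca_key" \
        -CAcreateserial -out "$name.crt" -days 500 -sha256 \
        -extfile "$name.ext" 2>/dev/null || return 1
    # The .pem holds the private key, so keep it owner-readable only.
    ( umask 077 && cat "$name.crt" "$name.key" > "$name.pem" )
}

# check_cert NAME FQDN CA_CERT: 0 only if chain, SAN and key pair all match
check_cert() {
    name=$1 fqdn=$2 ca_cert=$3
    openssl verify -CAfile "$ca_cert" "$name.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$name.crt" -noout -text | grep -qF "DNS:$fqdn" || return 1
    # Certificate and private key must carry the same public key.
    a=$(openssl x509 -in "$name.crt" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$name.key" -pubout | openssl sha256)
    [ "$a" = "$b" ]
}

# make_test_ca DIR: constructed throwaway CA so the example runs offline
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
        -subj "/CN=Constructed Test Root" \
        -keyout "$1/testCA.key" -out "$1/testCA.pem" 2>/dev/null
}

# demo: runs all steps in a temp dir and prints that dir on success
demo() (
    dir=$(mktemp -d) && cd "$dir" || exit 1
    make_test_ca "$dir" || exit 1
    issue_cert my-plugin grafana.fuel.local testCA.pem testCA.key || exit 1
    check_cert my-plugin grafana.fuel.local testCA.pem && printf '%s\n' "$dir"
)

demo >/dev/null && echo "my-plugin.crt verified against the test CA"
```

To sign with the real authority, call `issue_cert` with rootCA.pem and rootCA.key instead of the test CA, then run `check_cert` against rootCA.pem before handing the `.pem` to the plugin.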