This patch adds a script that generates a certificate signed by the StackLight authority. The PEM file generated can be used to configure plugins with HTTPS support.
Change-Id: I6ad092fa197d5d61a03f721304c8d9fe6d0a3ee1
Contents
- rootCA.key is the key used to self-sign rootCA.pem
- rootCA.pem is the certificate that will act as the StackLight Root Authority
- md5.txt contains the checksums of the two previous files
The rootCA.pem is the one that you need to add to your client to authenticate certificates that will be signed by this certificate.
The certificate has the following information:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 10160165599701850419 (0x8d0028c8355f5933)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=FR, ST=Rhone-Alpes, L=Grenoble, O=Mirantis, OU=StackLight, CN=StackLight Root Authority/emailAddress=mirantis@example.com
Validity
Not Before: Jun 23 14:43:30 2016 GMT
Not After : Oct 25 14:43:30 3015 GMT
Subject: C=FR, ST=Rhone-Alpes, L=Grenoble, O=Mirantis, OU=StackLight, CN=StackLight Root Authority/emailAddress=mirantis@example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
...
Client settings
To validate a certificate signed by the StackLight Root Authority, you need to import rootCA.pem into your web browser or pass it to the client by using the correct option.
Create a certificate
To create a certificate, run the script create_certificate.sh provided in this directory. You must pass the common name that your plugin will use in the certificate. For example, if you need a certificate for the Elasticsearch-Kibana plugin and you will access the server using the FQDN kibana.fuel.local, generate the certificate by running:
create_certificate.sh kibana.fuel.local
It will create four files:
- kibana.key: the private key
- kibana.csr: the certificate signing request. The script will create a certificate with the following parameters:
  - Common Name: kibana.fuel.local (the parameter you gave to the script)
  - Organization: Mirantis
  - Organizational Unit: Fuel plugins
  - City: Grenoble
  - State: Rhone-Alpes
  - Country: FR
- kibana.crt: The certificate signed by the StackLight authority
- kibana.pem: The concatenation of the CRT certificate and the private key
Only kibana.pem is needed for configuring the Fuel plugin. Currently you can only pass the common name as a parameter.
If you don't want to use the script and prefer to do it manually, follow these steps:
- Generate the key for the plugin my-plugin.
openssl genrsa -out my-plugin.key 2048
- Create the certificate signing request.
openssl req -new -key my-plugin.key -out my-plugin.csr
Here is an example of how to fill in the fields for the Grafana plugin, where the chosen FQDN is grafana.fuel.local:
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:Rhone-Alpes
Locality Name (eg, city) []:Grenoble
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Mirantis
Organizational Unit Name (eg, section) []:Fuel plugins
Common Name (e.g. server FQDN or YOUR name) []:grafana.fuel.local
Email Address []:mirantis@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
For the challenge password and the optional company name, just press Enter.
- Sign it with the CA root key.
openssl x509 -req -in my-plugin.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out my-plugin.crt -days 500 -sha256
- Concatenate the certificate and the private key into a single file.
cat my-plugin.crt my-plugin.key > my-plugin.pem
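The manual steps above as a non-interactive script with a verification step, added here as an example; it is not part of the original README or of create_certificate.sh. It goes beyond the page's commands by adding a subjectAltName extension, because current browsers match the hostname against the SAN rather than the Common Name. The throwaway CA and the function names make_test_ca, issue_cert and check_bundle are assumptions.

```shell
#!/bin/sh
# Added example. The CA is a throwaway created in a temp directory
# (a constructed stand-in for rootCA.pem / rootCA.key).

# make_test_ca DIR: create the stand-in CA (hypothetical helper).
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/O=Example/CN=Test Root" \
        -keyout "$1/rootCA.key" -out "$1/rootCA.pem" 2>/dev/null
}

# issue_cert DIR NAME FQDN: the manual steps, with -subj replacing the prompts
# and a subjectAltName extension added (not in the page's command).
issue_cert() {
    dir=$1; name=$2; fqdn=$3
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/$name.key" -out "$dir/$name.csr" \
        -subj "/C=FR/ST=Rhone-Alpes/L=Grenoble/O=Mirantis/OU=Fuel plugins/CN=$fqdn" &&
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$dir/$name.ext" &&
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/rootCA.pem" \
        -CAkey "$dir/rootCA.key" -CAcreateserial -out "$dir/$name.crt" \
        -days 500 -sha256 -extfile "$dir/$name.ext" 2>/dev/null &&
    cat "$dir/$name.crt" "$dir/$name.key" > "$dir/$name.pem"
}

# check_bundle CA_PEM BUNDLE_PEM FQDN: prints "ok" and returns 0 when the bundle
# chains to the CA, its key matches its certificate, and FQDN is in the SAN.
check_bundle() {
    ca=$1; pem=$2; host=$3
    openssl x509 -in "$pem" | openssl verify -CAfile "$ca" >/dev/null 2>&1 ||
        { echo "certificate not signed by $ca"; return 1; }
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$pem" -pubout | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "private key does not match certificate"; return 2; }
    openssl x509 -in "$pem" -noout -text | grep -q "Subject Alternative Name" &&
    openssl x509 -in "$pem" -noout -checkhost "$host" | grep -q "does match" ||
        { echo "no SAN entry for $host"; return 3; }
    echo ok
}

# Demo run in a scratch directory.
work=$(mktemp -d)
make_test_ca "$work" && issue_cert "$work" my-plugin grafana.fuel.local &&
    check_bundle "$work/rootCA.pem" "$work/my-plugin.pem" grafana.fuel.local
rm -rf "$work"
```

To check a bundle produced with the real authority, pass the directory's rootCA.pem as the first argument to check_bundle.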