stacklight-integration-tests/fixtures/https/Readme.md
Guillaume Thouvenin 1aadb186aa Add script to generate certificate for plugins
This patch adds a script that generates a certificate signed by
the StackLight authority. The PEM file generated can be used to
configure plugins with HTTPs support.

Change-Id: I6ad092fa197d5d61a03f721304c8d9fe6d0a3ee1
2016-06-28 09:43:28 +02:00

3.6 KiB

Contents

  • rootCA.key is the key used to self-signed rootCA.pem
  • rootCA.pem is the certificate that will act as the StackLight Root Authority
  • md5.txt that contains the checksum of the two previous files

The rootCA.pem is the one that you need to add to your client to authenticate certificates that will be signed by this certificate.

The certificate has the following information:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10160165599701850419 (0x8d0028c8355f5933)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=FR, ST=Rhone-Alpes, L=Grenoble, O=Mirantis, OU=StackLight, CN=StackLight Root Authority/emailAddress=mirantis@example.com
        Validity
            Not Before: Jun 23 14:43:30 2016 GMT
            Not After : Oct 25 14:43:30 3015 GMT
        Subject: C=FR, ST=Rhone-Alpes, L=Grenoble, O=Mirantis, OU=StackLight, CN=StackLight Root Authority/emailAddress=mirantis@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
    ...

Client settings

To be able to validate the certificate generated by the StackLight Root Authority you need to download it into your web browser or pass it to the client by using the correct option.

Create a certificate

To create a certificate you just need to run the script create_certificate.sh provided in this directory. You must pass the common name that will be used in the certificate by your plugin. For example if you need a certificate for the Elasticsearch-Kibana plugin and if you will access to server using the FQDN kibana.fuel.local you will generate the certificate by running:

create_certificate.sh kibana.fuel.local

It will create four files:

  • kibana.key: the private key
  • kibana.csr: the certificate singing request. The script will create a certificate with the following parameters:
    • Common Name: kibana.fuel.local (that parameter you gave to the script)
    • Organization: Mirantis
    • Organizational Unit: Fuel plugins
    • City: Grenoble
    • State: Rhone-Alpes
    • Country: FR
  • kibana.crt: The certificate signed by the StackLight authority
  • kibana.pem: The concatenation of the CRT certificate and the private key

Only kibana.pem is needed for configuring the Fuel plugin. Currently you can only pass the common name as a parameter.

If you don't want to use the script and prefer to do it manually, follow these steps:

  • Generate the key for the plugin my-plugin.
openssl genrsa -out my-plugin.key 2048
  • Create the certificate signing request.
openssl req -new -key my-plugin.key -out my-plugin.csr

Here is an example on how to fill the fields for the Grafana plugin where the choosen FQDN is grafana.fuel.local:

Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:Rhone-Alpes
Locality Name (eg, city) []:Grenoble
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Mirantis
Organizational Unit Name (eg, section) []:Fuel plugins
Common Name (e.g. server FQDN or YOUR name) []:grafana.fuel.local
Email Address []:mirantis@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

For challenge password and optional company just press enter.

  • Sign it with the CA root key.
openssl x509 -req -in my-plugin.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out my-plugin.crt -days 500 -sha256
  • Concatenate the certificate and the private key into a single file.
cat my-plugin.crt my-plugin.key > my-plugin.pem