Guillaume Thouvenin 1aadb186aa Add script to generate certificate for plugins
This patch adds a script that generates a certificate signed by
the StackLight authority. The PEM file generated can be used to
configure plugins with HTTPs support.

Change-Id: I6ad092fa197d5d61a03f721304c8d9fe6d0a3ee1
2016-06-28 09:43:28 +02:00


# Contents
- **rootCA.key** is the key used to self-sign rootCA.pem
- **rootCA.pem** is the certificate that will act as the **StackLight Root Authority**
- **md5.txt** contains the checksums of the two previous files

The **rootCA.pem** file is the one that you need to add to your client to
authenticate certificates signed by this authority.

The certificate has the following information:
```
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 10160165599701850419 (0x8d0028c8355f5933)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=FR, ST=Rhone-Alpes, L=Grenoble, O=Mirantis, OU=StackLight, CN=StackLight Root Authority/emailAddress=mirantis@example.com
Validity
Not Before: Jun 23 14:43:30 2016 GMT
Not After : Oct 25 14:43:30 3015 GMT
Subject: C=FR, ST=Rhone-Alpes, L=Grenoble, O=Mirantis, OU=StackLight, CN=StackLight Root Authority/emailAddress=mirantis@example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
...
```
# Client settings
To validate certificates signed by the **StackLight Root Authority**, you
need to import **rootCA.pem** into your web browser or pass it to the client
by using the appropriate option.
# Create a certificate
To create a certificate, run the script **create_certificate.sh** provided in
this directory. You must pass the common name that your plugin will use in the
certificate. For example, if you need a certificate for the
*Elasticsearch-Kibana* plugin and you will access the server using the FQDN
*kibana.fuel.local*, generate the certificate by running:
```
create_certificate.sh kibana.fuel.local
```
It will create four files:
- kibana.key: the private key
- kibana.csr: the certificate signing request. The script will create a
  certificate with the following parameters:
  - Common Name: *kibana.fuel.local* (the parameter you gave to the script)
  - Organization: *Mirantis*
  - Organizational Unit: *Fuel plugins*
  - City: *Grenoble*
  - State: *Rhone-Alpes*
  - Country: *FR*
- kibana.crt: the certificate signed by the StackLight authority
- kibana.pem: the concatenation of the CRT certificate and the private key

Only **kibana.pem** is needed for configuring the Fuel plugin. Currently you
can only pass the common name as a parameter.

If you don't want to use the script and prefer to do it manually, follow these
steps:
- Generate the key for the plugin _my-plugin_.
```
openssl genrsa -out my-plugin.key 2048
```
- Create the certificate signing request.
```
openssl req -new -key my-plugin.key -out my-plugin.csr
```
Here is an example of how to fill in the fields for the Grafana plugin, where
the chosen FQDN is _grafana.fuel.local_:
```
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:Rhone-Alpes
Locality Name (eg, city) []:Grenoble
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Mirantis
Organizational Unit Name (eg, section) []:Fuel plugins
Common Name (e.g. server FQDN or YOUR name) []:grafana.fuel.local
Email Address []:mirantis@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```
For _challenge password_ and _optional company_ just press enter.
- Sign it with the CA root key.
```
openssl x509 -req -in my-plugin.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out my-plugin.crt -days 500 -sha256
```
- Concatenate the certificate and the private key into a single file.
```
cat my-plugin.crt my-plugin.key > my-plugin.pem
```
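
Before configuring a plugin with the resulting PEM, it is worth confirming that the certificate chains to the CA, that the bundled private key belongs to it, and that the common name is the FQDN clients will use. The script below is an added example, not part of the original README or of **create_certificate.sh**; the function names `check_plugin_pem` and `make_demo`, the file names under the demo directory and the throwaway demo CA are assumptions, and `-subj` stands in for the interactive prompts shown above.

```sh
#!/bin/sh
# Added example (not project code): check a plugin PEM before deploying it.
# Function names and the throwaway demo CA are assumptions for illustration.

# check_plugin_pem PEM CA_CERT FQDN: return 0 only if every check passes.
check_plugin_pem() {
    pem=$1 ca=$2 fqdn=$3 rc=0
    # 1. The certificate must chain to the given CA certificate.
    openssl verify -CAfile "$ca" "$pem" >/dev/null 2>&1 ||
        { echo "FAIL: not signed by $ca" >&2; rc=1; }
    # 2. The private key in the PEM must match the certificate's public key.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) || key_pub=
    { [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; } ||
        { echo "FAIL: private key does not match certificate" >&2; rc=1; }
    # 3. The subject common name must be the FQDN the plugin is reached by.
    cn=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$fqdn" ] || { echo "FAIL: CN is '$cn', not $fqdn" >&2; rc=1; }
    # 4. The certificate must stay valid for at least 30 more days.
    openssl x509 -in "$pem" -noout -checkend 2592000 >/dev/null 2>&1 ||
        { echo "FAIL: expires within 30 days" >&2; rc=1; }
    return "$rc"
}

# make_demo DIR FQDN: repeat the manual steps non-interactively (-subj instead
# of prompts) with a throwaway CA constructed for this example.
make_demo() {
    dir=$1 fqdn=$2
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/demoCA.key" \
        -out "$dir/demoCA.pem" -days 365 -subj "/CN=Demo Root" 2>/dev/null &&
    openssl genrsa -out "$dir/plugin.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/plugin.key" -out "$dir/plugin.csr" -subj \
        "/C=FR/ST=Rhone-Alpes/L=Grenoble/O=Mirantis/OU=Fuel plugins/CN=$fqdn" &&
    openssl x509 -req -in "$dir/plugin.csr" -CA "$dir/demoCA.pem" \
        -CAkey "$dir/demoCA.key" -CAcreateserial -out "$dir/plugin.crt" \
        -days 500 -sha256 2>/dev/null &&
    cat "$dir/plugin.crt" "$dir/plugin.key" > "$dir/plugin.pem"
}

# Usage: sh check_pem.sh my-plugin.pem rootCA.pem grafana.fuel.local
if [ "$#" -eq 3 ]; then check_plugin_pem "$1" "$2" "$3"; fi
```

A non-zero exit status means at least one check failed; the reason is printed on standard error.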