JS7 JobScheduler

Space shortcuts

Page tree

Versions Compared

Old Version 34

changes.mady.by.user Andreas Püschel

Saved on

compared with

New Version 35

changes.mady.by.user Andreas Püschel

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

Introduction

Users have a choice to use CA-signed certificates and self-signed certificates:

...

The article explains how to create self-signed certificates by use of OpenSSL. This utility ships with Linux and most Unix environments and is available for Windows environments. The below examples are focused on Unix.

Anchor
root_ca_certificate
root_ca_certificate
Creating the Root CA Certificate

The first step includes to create the root-ca.key private key file and the root-ca.crt self-signed certificate file for the Root CA both in PEM format. This step is performed just once.

...

  • Country Name: a 2 letter country code is expected as stated for example with https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2
  • State or Province Name: the name of a state is expected
  • Locality Name:  the name of a city is expected
  • Organization Name: arbitrary input is allowed
  • Organizational Unit Name: arbitrary input is allowed
  • Common Name: an arbitrary name can be chosen as the name of the Root CA
  • Email Address: empty input is allowed

Anchor
server_certificate
server_certificate
Creating a Server Certificate

For a given server the next steps includes to create a private key and Certificate Signing Request (CSR). The resulting server certificate will be signed. 

...

Code Block
titleOpenSSL configuration file openssl-cert.config
linenumberstrue
[ req ]
prompt             = no
distinguished_name = standard dn

[ standard dn ]
            commonName = somehost
           countryName = DE
          localityName = Berlin
      organizationName = SOS
organizationalUnitName = JS7
   stateOrProvinceName = Berlin

[ standard exts ]
extendedKeyUsage = serverAuth,clientAuth

Resources

Shell Scripts

As an alternative to running OpenSSL commands in an interactive shell a few scripts are provided that perform this task.

...

The sub-directories certs, csr and private will be created from the below scripts should they not exist.

Creating the Root CA Certificate

Download: create_root_ca.sh

...

  • --days
    • The lifetime of the certificate is specified by the number of days (default: 5475, matching approx. 15 years).
    • Consider that server certificates have to be renewed if the Root CA Certificate expires.

Creating a Server Certificate

Download: create_certificate.sh

...

  • --dns
    • The DNS hostname of the server that should be assigned the certificate. A server can be assigned more than one DNS hostname, for example the FQDN can extend the hostname. Only DNS hostnames that are added to the certificate can be used later on to establish secure HTTPS connections.
  • --days
    • The lifetime of the certificate is specified by the number of days (default: 5475, matching approx. 15 years).

...