...

The first step creates a private key (root-ca.key) and a self-signed certificate (root-ca.crt) for the Root CA, both in PEM format. This step is performed just once: if it is repeated, a new Root CA certificate is created and all server certificates signed by the previous one have to be renewed.

Run OpenSSL commands

Code Block
languagebash
titleCreate Root CA Certificate
linenumberstrue
# Step 1: generate the Certificate Authority (CA) private key (ECDSA, curve P-256)
openssl ecparam -name prime256v1 -genkey -noout -out root-ca.key

# Step 2: generate the self-signed Certificate Authority certificate.
# State -days explicitly: without it "openssl req -x509" issues a certificate
# that is valid for only 30 days. Adjust the lifetime to your policy.
openssl req -new -x509 -sha256 -days 3650 -key root-ca.key -out root-ca.crt

...

The second step creates, for a given server, a private key and a certificate signing request (CSR). The CSR is then signed with the Root CA key, which yields the server certificate.

This step is performed for each server certificate that should be created.

Run the following commands from a bash shell and replace the value of the SERVER variable with the hostname or FQDN for which the certificate should be created:

...

In order to run the script successfully, the following openssl-cert.config file has to be present. To create a new server certificate, the commonName attribute has to be adjusted: it holds the hostname of the server for which the certificate should be created. Note that the [ standard exts ] section is only applied where it is referenced, for example with the -extensions option when the certificate is signed, and that a hostname in commonName alone is not sufficient for most current TLS clients (browsers in particular), which ignore commonName and match the server name against the subjectAltName extension; every hostname the server is reached by therefore has to be added as a Subject Alternative Name:

Code Block
titleOpenSSL configuration file openssl-cert.config
linenumberstrue
[ req ]
prompt             = no
distinguished_name = standard dn

[ standard dn ]
            commonName = apmaccssomehost
           countryName = DE
          localityName = Berlin
      organizationName = SOS
organizationalUnitName = JS7
   stateOrProvinceName = Berlin

[ standard exts ]
extendedKeyUsage = serverAuth,clientAuth
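As an added example of steps 1 and 2 together, and of how a config file like openssl-cert.config above is used, the following POSIX shell script (written for this page; it is not the JS7 project's create_root_ca.sh or create_certificate.sh) creates the Root CA with an explicit CA extension section, then a server key, a CSR and a CA-signed certificate whose Subject Alternative Names cover every hostname passed in, and finally verifies the result against the Root CA. It assumes openssl is in PATH; the section names in the generated config use underscores instead of the spaces used above, and the hostname apmaccssomehost.example.com, the organisation values and the 3650-day CA lifetime are assumptions chosen for the demo.

```shell
# Added example, not the JS7 project's scripts: Root CA plus a server certificate
# with Subject Alternative Names, mirroring steps 1 and 2 above. Assumes openssl in PATH.
set -eu

# Step 1: Root CA key and self-signed certificate. $1 = work dir, $2 = CA name.
create_root_ca() {
    cadir=$1
    # Own minimal config, so the result does not depend on the system openssl.cnf.
    cat > "$cadir/root-ca.config" <<EOF
[ req ]
prompt             = no
distinguished_name = ca_dn
x509_extensions    = ca_exts

[ ca_dn ]
commonName       = $2
organizationName = SOS

[ ca_exts ]
basicConstraints     = critical, CA:true
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl ecparam -name prime256v1 -genkey -noout -out "$cadir/root-ca.key"
    # -days must be given: "openssl req -x509" otherwise defaults to 30 days (3650 is an assumed value).
    openssl req -new -x509 -sha256 -days 3650 -config "$cadir/root-ca.config" \
        -key "$cadir/root-ca.key" -out "$cadir/root-ca.crt"
}

# Writes openssl-cert.config for one server. $1 = path; remaining args = DNS names;
# the first one becomes the commonName, all of them become SAN entries.
write_cert_config() {
    cfg=$1; cn=$2; shift
    {
        printf '[ req ]\nprompt = no\ndistinguished_name = standard_dn\nreq_extensions = standard_exts\n\n'
        printf '[ standard_dn ]\ncommonName = %s\ncountryName = DE\nlocalityName = Berlin\n' "$cn"
        printf 'organizationName = SOS\norganizationalUnitName = JS7\n\n'
        printf '[ standard_exts ]\nbasicConstraints = CA:false\nextendedKeyUsage = serverAuth,clientAuth\n'
        printf 'subjectAltName = @alt_names\n\n[ alt_names ]\n'
        i=1
        for name in "$@"; do printf 'DNS.%d = %s\n' "$i" "$name"; i=$((i + 1)); done
    } > "$cfg"
}

# Step 2: server key, CSR and CA-signed certificate. $1 = work dir, $2 = validity
# in days, remaining args = DNS names (the first one also names the output files).
create_server_cert() {
    srvdir=$1; days=$2; shift 2
    server=$1
    write_cert_config "$srvdir/openssl-cert.config" "$@"
    openssl ecparam -name prime256v1 -genkey -noout -out "$srvdir/$server.key"
    openssl req -new -sha256 -config "$srvdir/openssl-cert.config" \
        -key "$srvdir/$server.key" -out "$srvdir/$server.csr"
    # "openssl x509 -req" does not copy extensions from the CSR, so the SAN/EKU
    # section is applied again at signing time via -extfile/-extensions.
    openssl x509 -req -sha256 -days "$days" -CAcreateserial \
        -CA "$srvdir/root-ca.crt" -CAkey "$srvdir/root-ca.key" \
        -extfile "$srvdir/openssl-cert.config" -extensions standard_exts \
        -in "$srvdir/$server.csr" -out "$srvdir/$server.crt"
}

# Checks that the certificate chains to the Root CA and carries the given DNS name
# as a SAN (what current TLS clients actually match). Returns 0 on success.
verify_server_cert() {
    openssl verify -CAfile "$1/root-ca.crt" "$1/$2.crt" >/dev/null &&
    openssl x509 -in "$1/$2.crt" -noout -text | grep -q "DNS:$3"
}

# Stand-alone demo in a scratch directory; the hostnames are constructed, not real servers.
demo() {
    work=$(mktemp -d)
    create_root_ca "$work" "JS7 Example Root CA"
    create_server_cert "$work" 365 apmaccssomehost apmaccssomehost.example.com
    verify_server_cert "$work" apmaccssomehost apmaccssomehost.example.com
    echo "Root CA and server certificate created in $work"
}
demo
```

The certificate is signed with the CA key directly via "openssl x509 -req"; a production CA would normally keep the Root CA offline and sign through an intermediate, but the extension handling shown here (CA:true on the root, SAN and extendedKeyUsage re-applied at signing time) is the same.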

Resources

Shell Scripts

As an alternative to running the OpenSSL commands in an interactive shell, scripts are provided that perform these tasks.

...

Code Block
titleRun ./create_root_ca.sh shell script
linenumberstrue
./create_root_ca.sh

...

  • Download: create_certificate.sh
  • The shell script is executed with two arguments:
    • The DNS hostname of the server that should receive the certificate. A server can be reached by more than one DNS hostname, for example by its short hostname and by its FQDN. All DNS hostnames have to be added to the certificate (as Subject Alternative Names) in order to secure connections under each of them.
    • The lifetime of the certificate specified by the number of days.

Code Block
titleRun ./create_certificate.sh shell script
linenumberstrue
./create_certificate.sh --dns=<server-hostname>[,<server-hostname>] --days=<number-of-days>

...