To generate a self-signed certificate, you must use the openssl utility to generate a private key and a self-signed certificate for that key.
The Tealeaf-pca package provides the openssl utility in the directory /usr/local/ctccap/bin.
The following steps assume that you logged in to the Passive Capture host machine as user root. To generate a self-signed certificate:
- Generate the private key. The following example generates a 2048-bit RSA key file named example.key:

  /usr/local/ctccap/bin/openssl genrsa -out example.key 2048

- Generate the self-signed certificate. The following example generates a self-signed certificate file named example.crt by using the private-key file example.key generated in step 1. With option -days 365, the certificate is valid for the next 365 days (one year):

  /usr/local/ctccap/bin/openssl req -x509 -days 365 -newkey rsa:2048 -key \
      example.key -out example.crt

  The openssl req command interactively prompts for various values. The following table displays the prompts and sample replies:

  Prompt                                            Sample Reply
  Country Name (2 letter code)                      US
  State or Province Name (full name)                California
  Locality Name (for example, city)                 San Francisco
  Organization Name (for example, company)          Acoustic Tealeaf
  Organizational Unit Name (for example, section)   Release Engineering
  Common Name (for example, YOUR name)              pca.mycompany.com
  Email Address                                     root@pca.mycompany.com

  The common name must be the fully qualified DNS name of the Passive Capture host machine. If the host machine does not have a DNS name assigned to it, use the IP address of the machine instead. Note that current TLS clients match the host name against the certificate's subjectAltName extension rather than the common name. If the openssl build supports the -addext option (OpenSSL 1.1.1 and later), add -addext "subjectAltName=DNS:pca.mycompany.com" (or IP:<address> when an IP address is used) to the command above so that such clients accept the certificate.
- Set the appropriate file ownership and permissions:
  - All private key files must be readable only by the user account that needs read access to the file. The following chmod and chown commands set the ownership and permissions so that only the capture processes running as user ctccap can access file example.key:

    chmod go= example.key
    chown ctccap example.key

    The certificate file example.crt contains no secret and can remain readable by other users.
  - Place the files in a directory accessible by the user account. For certificate and key files that are used by the Passive Capture software, place the files in directory /usr/local/ctccap/etc.
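The three steps above as one non-interactive script, with the checks a practitioner runs on the result (signature algorithm, subjectAltName, key/certificate match, remaining validity, key permissions). This is an added example, not a Tealeaf script or documentation text: it assumes a plain openssl on PATH and a hypothetical host name pca.mycompany.com; on a PCA host set OPENSSL=/usr/local/ctccap/bin/openssl, run it as root, and finish with chown ctccap as described above.

```shell
#!/bin/sh
# Added example (not part of the Tealeaf documentation or product): the
# self-signed certificate procedure run non-interactively, plus the checks
# a practitioner makes on the result. Assumes "openssl" on PATH and a
# hypothetical host name; on a PCA host set OPENSSL to the bundled binary,
# run as root, and "chown ctccap" the key afterwards as the text describes.
set -eu

OPENSSL="${OPENSSL:-openssl}"
PCA_HOST="${PCA_HOST:-pca.mycompany.com}"   # hypothetical PCA host name

# Steps 1-2: 2048-bit RSA key, then a self-signed certificate for it.
# The SAN is supplied through a throwaway config file rather than -addext so
# the same command works on older openssl builds; -sha256 forces a SHA-2
# signature on builds that still default to SHA-1.
gen_self_signed() {
    key="$1"; crt="$2"; days="${3:-365}"
    "$OPENSSL" genrsa -out "$key" 2048 2>/dev/null
    chmod go= "$key"                     # step 3: key readable by owner only
    cfg="$(mktemp)"
    cat >"$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_self
prompt = no
[dn]
C = US
O = Acoustic Tealeaf
CN = $PCA_HOST
[v3_self]
subjectAltName = DNS:$PCA_HOST
basicConstraints = CA:FALSE
EOF
    "$OPENSSL" req -x509 -sha256 -days "$days" -key "$key" -out "$crt" -config "$cfg"
    rm -f "$cfg"
}

# Signature algorithm recorded in the certificate, e.g. sha256WithRSAEncryption.
sig_alg() {
    "$OPENSSL" x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# subjectAltName entries of the certificate, e.g. DNS:pca.mycompany.com
cert_sans() {
    "$OPENSSL" x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# True only if the certificate's public key belongs to the private key
# (compare the SPKI hashes derived from each file).
key_matches_cert() {
    k="$("$OPENSSL" pkey -in "$1" -pubout 2>/dev/null | "$OPENSSL" sha256)"
    c="$("$OPENSSL" x509 -in "$2" -noout -pubkey | "$OPENSSL" sha256)"
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# True only if the certificate is still valid $2 seconds from now.
cert_valid_for() {
    "$OPENSSL" x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# True only if group and other have no permission bits on the file.
key_is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Stand-alone run: build example.key/example.crt in the current directory
# and report the checks.
if [ "${1:-}" = "run" ]; then
    gen_self_signed example.key example.crt 365
    echo "signature: $(sig_alg example.crt)"
    echo "SAN:       $(cert_sans example.crt)"
    key_matches_cert example.key example.crt && echo "key matches certificate"
    cert_valid_for example.crt 86400 && echo "valid for at least one more day"
    key_is_private example.key && echo "private key permissions OK"
fi
```

Run it as `sh gen-cert-example.sh run` in a scratch directory. The checks are worth keeping around: a certificate that was regenerated with a new key while the old key file stayed in /usr/local/ctccap/etc fails key_matches_cert, and cert_valid_for with a window of a few weeks is a cheap way to get an expiry warning before clients do.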
Using SHA-2 algorithm to generate the self-signed certificate
By default, the openssl command that ships with the PCA uses the SHA-1 algorithm to sign the self-signed certificate (OpenSSL 1.1.0 and later default to SHA-256, but passing the option explicitly is harmless). Current browsers and TLS libraries treat SHA-1 certificate signatures as insecure, so use SHA-2 whenever the build supports it.
You can use SHA-2 for the digital signature hash by adding the -sha256 option, as in the following command:
/usr/local/ctccap/bin/openssl req -x509 -sha256 -days 365 -newkey rsa:2048 \
-key example.key -out example.crt
If your PCA is earlier than Build 3500, you may still be able to generate the SHA-2-signed certificate on another Linux™ system. To determine whether that system's openssl supports SHA-256, run the following command there:

openssl dgst -h

The following line should appear in the output:

-sha256 to use the sha256 message digest algorithm

If that line is displayed, the Linux installation accepts the -sha256 option. (On builds whose help text does not enumerate digests, such as OpenSSL 3, run openssl dgst -sha256 /dev/null instead; it succeeds only if SHA-256 is available.) You can then run the following command without the PCA-specific path:

openssl req -x509 -sha256 -days 365 -newkey rsa:2048 -key example.key -out \
example.crt

Generate the private key on that system as well, copy both files to the PCA over an authenticated channel such as scp, delete the private key from the other system, and set ownership and permissions on the PCA as described above.
Generating a signed certificate request for an internal certificate authority
If you want to use your own internal certificate authority (CA) to issue the certificate, complete the following steps.
The following steps use the openssl utility as the example utility, although other utilities can be used.
- Acquire a 2048-bit RSA private key. This key can be self-generated as in the following example, which uses the default PCA install path to access the PCA openssl command:

  /usr/local/ctccap/bin/openssl genrsa -out example.key 2048

- Use the RSA private key to create the certificate signing request (CSR). If the key file is example.key, then the following command generates a CSR file cert_req.csr:

  /usr/local/ctccap/bin/openssl req -config /usr/local/ctccap/ssl/openssl.cnf -new -key example.key -out cert_req.csr

  If the previous command generates an error message that references openssl.cnf, the PCA is installed in a non-default path and the -config option must point to the openssl.cnf file in that path. In the following example, the path is /opt/tealeaf:

  /opt/tealeaf/bin/openssl req -new -config /opt/tealeaf/ssl/openssl.cnf -key \
      example.key -out cert_req.csr

- During generation of the CSR by using either of the previous commands, you are prompted for the certificate subject values, as for a self-signed certificate; the common name must again be the fully qualified DNS name of the Passive Capture host.
- When the CSR file is successfully generated, submit it to the internal CA to create the signed certificate. Only the CSR leaves the PCA; the private key example.key stays on the host with the ownership and permissions described above.
- The signed certificate file can now be installed in the same way as a self-signed certificate for PCA use. Keep the CA certificate (and any intermediate certificates) that the CA returns as well: clients that connect to the PCA must trust that CA for the certificate to be accepted.
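The CSR steps above run non-interactively, with the checks to make on the request before submitting it, and the internal CA's side of the exchange (a root marked CA:TRUE, signing, and the chain check a client performs) so the whole flow can be exercised offline. This is an added example, not Tealeaf tooling or documentation text: it assumes a plain openssl on PATH and the hypothetical names pca.mycompany.com and "Example Internal CA"; on a PCA host substitute /usr/local/ctccap/bin/openssl, and expect your real CA to apply its own extension policy rather than the -extfile shown here.

```shell
#!/bin/sh
# Added example (not Tealeaf's own tooling): the CSR steps above run
# non-interactively, the checks to make on the CSR before sending it, and
# the internal CA's side of the exchange so the whole flow can be exercised
# offline. Assumes "openssl" on PATH and a hypothetical host name; on a PCA
# host use /usr/local/ctccap/bin/openssl and its openssl.cnf instead.
set -eu

OPENSSL="${OPENSSL:-openssl}"
PCA_HOST="${PCA_HOST:-pca.mycompany.com}"   # hypothetical PCA host name

# Steps 1-3: key plus CSR. The subject and a subjectAltName for the host
# come from a throwaway config file instead of interactive prompts.
make_csr() {
    key="$1"; csr="$2"
    "$OPENSSL" genrsa -out "$key" 2048 2>/dev/null
    chmod go= "$key"                       # the key never leaves this host
    cfg="$(mktemp)"
    cat >"$cfg" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
C = US
O = Acoustic Tealeaf
CN = $PCA_HOST
[v3_req]
subjectAltName = DNS:$PCA_HOST
EOF
    "$OPENSSL" req -new -sha256 -key "$key" -out "$csr" -config "$cfg"
    rm -f "$cfg"
}

# Check the CSR's self-signature and subject before submitting it.
csr_is_valid() { "$OPENSSL" req -in "$1" -noout -verify >/dev/null 2>&1; }
csr_subject()  { "$OPENSSL" req -in "$1" -noout -subject -nameopt RFC2253; }

# Internal CA (step 4): a self-signed root marked CA:TRUE with keyCertSign,
# which is what "openssl verify" needs to accept it as a trust anchor.
make_internal_ca() {
    cakey="$1"; cacrt="$2"
    "$OPENSSL" genrsa -out "$cakey" 2048 2>/dev/null
    chmod go= "$cakey"
    cfg="$(mktemp)"
    cat >"$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Internal CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    "$OPENSSL" req -x509 -sha256 -days 3650 -key "$cakey" -out "$cacrt" -config "$cfg"
    rm -f "$cfg"
}

# The CA signs the CSR. "x509 -req" drops the request's own extensions by
# default, so the CA restates the SAN and key usage it is willing to certify.
sign_csr() {
    cakey="$1"; cacrt="$2"; csr="$3"; out="$4"
    ext="$(mktemp)"
    cat >"$ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$PCA_HOST
EOF
    "$OPENSSL" x509 -req -sha256 -days 365 -in "$csr" -CA "$cacrt" -CAkey "$cakey" \
        -CAcreateserial -extfile "$ext" -out "$out" 2>/dev/null
    rm -f "$ext"
}

# Step 5, from a client's point of view: the issued certificate must chain
# to the internal CA certificate that the client trusts.
cert_chains_to() {
    "$OPENSSL" verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Stand-alone run: the full exchange in the current directory.
if [ "${1:-}" = "run" ]; then
    make_csr example.key cert_req.csr
    csr_is_valid cert_req.csr && echo "CSR: $(csr_subject cert_req.csr)"
    make_internal_ca ca.key ca.crt
    sign_csr ca.key ca.crt cert_req.csr example.crt
    cert_chains_to ca.crt example.crt && echo "example.crt chains to ca.crt"
fi
```

Run it as `sh csr-example.sh run` in a scratch directory. The point of playing the CA side is the last check: if cert_chains_to fails against the CA certificate you intend to distribute to clients, the issued certificate will be rejected in production for the same reason, so resolve that before installing example.crt on the PCA.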
Utility scripts for self-signed certificates
Tealeaf provides a script to make it easier to create self-signed certificates.
The full path to the script file is /usr/local/ctccap/sbin/gen-self-signed-cert.sh. Specify the names of the new private key and certificate files as arguments to gen-self-signed-cert.sh.
The script creates a 2048-bit RSA key file and a self-signed certificate that is valid for 10 years (3,650 days). The resulting files are owned by user ctccap, and the private key is readable only by that user. See the following example.
/usr/local/ctccap/sbin/gen-self-signed-cert.sh example.key example.crt
Several self-signed certificates are created as part of the PCA installation process. If you change the host name of the PCA host server, you can regenerate all of these certificates by using the following command.
env FORCE=YES /usr/local/ctccap/sbin/all-self-signed-certs.sh
The previous command deletes and re-creates the following files:
/usr/local/ctccap/etc/tealeaf-pca.crt
/usr/local/ctccap/etc/tealeaf-pca.key
/usr/local/ctccap/etc/tealeaf-tts.crt
/usr/local/ctccap/etc/tealeaf-tts.key
/usr/local/ctccap/etc/tealeaf-tts.pem
/usr/local/ctccap/etc/tealeaf-web.crt
/usr/local/ctccap/etc/tealeaf-web.key