To generate a self-signed certificate, you must use the openssl utility to generate a private key and a self-signed certificate for that key. The Tealeaf-pca package provides the openssl utility in the directory /usr/local/ctccap/bin.
The following steps assume that you logged in to the Passive Capture host machine as user root. To generate a self-signed certificate:
- Generate the private key. The following example generates a 2048-bit RSA key file named example.key:
/usr/local/ctccap/bin/openssl genrsa -out example.key 2048
- Generate the self-signed certificate. The following example generates a self-signed certificate file named example.crt by using the private-key file example.key generated in step 1. With the option -days 365, the certificate is valid for the next 365 days (one year):
/usr/local/ctccap/bin/openssl req -x509 -days 365 -newkey rsa:2048 -key \
example.key -out example.crt
The openssl req command interactively prompts for various values. The following table displays the prompts and sample replies:

| Prompt | Sample Reply |
| --- | --- |
| Country Name (2 letter code) | US |
| State or Province Name (full name) | California |
| Locality Name (for example, city) | San Francisco |
| Organization Name (for example, company) | Acoustic Tealeaf |
| Organizational Unit Name (for example, section) | Release Engineering |
| Common Name (for example, YOUR name) | pca.mycompany.com |
| Email Address | root@pca.mycompany.com |
The common name must be the fully qualified DNS name of the Passive Capture host machine. If the host machine does not have a DNS name that is assigned to it, then use the IP address of the machine.
- Now, set the appropriate file ownership and permissions:
  - All private key files must be readable only by the user account that needs read access to the file. The following chmod and chown commands set the ownership and permissions so that only the capture processes running as user ctccap can access the file example.key:
chmod go= example.key
chown ctccap example.key
  - Place the files in a directory accessible by the user account. For certificate and key files that are used by the Passive Capture software, place the files in the directory /usr/local/ctccap/etc.
Using SHA-2 algorithm to generate the self-signed certificate
By default, the openssl command uses the SHA-1 algorithm to generate the self-signed certificate on the PCA. Optionally, you can use SHA-2 for the digital signature hash by adding the -sha256 option, as in the following command:
/usr/local/ctccap/bin/openssl req -x509 -sha256 -days 365 -newkey rsa:2048 \
-key example.key -out example.crt
If you are not running PCA Build 3500 or later, you may be able to generate the SHA-2 certificate on another Linux™ system. To determine whether this is possible, run the following command in a non-PCA environment:
openssl dgst -h
The following line can be displayed in the generated output:
-sha256 to use the sha256 message digest algorithm
If that line is displayed, then the Linux installation accepts the SHA-2 option. You can run the following command without providing the PCA-specific path:
openssl req -x509 -sha256 -days 365 -newkey rsa:2048 -key example.key -out \
example.crt
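As an added example that is not Tealeaf's own script or command, the following POSIX shell functions carry out the genrsa, req -x509 -sha256 and chmod steps from the two sections above non-interactively, and then verify the result before it is placed in /usr/local/ctccap/etc: the signature algorithm, the key-to-certificate match, the Common Name, the validity and the key file mode. It assumes openssl is on PATH (substitute /usr/local/ctccap/bin/openssl on a PCA host); the chown to ctccap is omitted because it needs root and that account.

```shell
#!/bin/sh
# Added example, not Tealeaf's gen-self-signed-cert.sh. Assumes "openssl"
# is on PATH (on a PCA host use /usr/local/ctccap/bin/openssl instead).
set -u

# gen_cert KEY CRT CN DAYS
# Non-interactive version of the genrsa + req -x509 steps: -subj replaces
# the prompts (only the Common Name is set), -sha256 selects SHA-2, and
# the key is made unreadable to group and others, as "chmod go=" does.
# The chown to ctccap is left out: it needs root and that account.
gen_cert() {
    key=$1; crt=$2; cn=$3; days=$4
    openssl genrsa -out "$key" 2048 2>/dev/null || return 1
    chmod go= "$key" || return 1
    openssl req -x509 -sha256 -days "$days" -new -key "$key" \
        -subj "/CN=$cn" -out "$crt" 2>/dev/null
}

# check_cert KEY CRT CN
# Returns 0 only if the certificate is SHA-256 signed, matches KEY,
# carries the expected Common Name, has not expired, and KEY is not
# group- or world-readable. Prints the first failing check.
check_cert() {
    key=$1; crt=$2; cn=$3
    openssl x509 -in "$crt" -noout -text | grep -q 'Signature Algorithm: sha256' \
        || { echo "signature is not SHA-256"; return 1; }
    # Compare the public key in the key file with the one in the certificate.
    kpub=$(openssl pkey -in "$key" -pubout -outform DER | openssl sha256)
    cpub=$(openssl x509 -in "$crt" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl sha256)
    [ "$kpub" = "$cpub" ] || { echo "key does not match certificate"; return 1; }
    # Subject prints as "CN = name" or "CN=name" depending on OpenSSL version.
    openssl x509 -in "$crt" -noout -subject | grep -q "CN *= *$cn" \
        || { echo "Common Name is not $cn"; return 1; }
    # -checkend 0 fails once the certificate's notAfter is in the past.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null \
        || { echo "certificate has expired"; return 1; }
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case $mode in
        600|400) ;;
        *) echo "key mode $mode is readable by others"; return 1 ;;
    esac
}
```

On a PCA host, follow a successful check_cert with the chown ctccap step described above before moving the files into /usr/local/ctccap/etc.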
Generating a signed certificate request for an internal certificate authority
If you want to use your own internal certificate authority (CA) to generate a signed certificate, complete the following steps.
The following steps use the openssl utility as the example utility, although other utilities can be used.
- Acquire a 2048-bit RSA private key. This key can be self-generated as in the following example, which uses the default PCA install path to access the PCA openssl command:
/usr/local/ctccap/bin/openssl genrsa -out example.key 2048
- Use the RSA private key to create the certificate signing request (CSR). If the key file is example.key, then the following command generates a CSR file cert_req.csr:
/usr/local/ctccap/bin/openssl req -config /usr/local/ctccap/ssl/openssl.cnf -new -key example.key -out cert_req.csr
If the previous command generates an error message that references openssl.cnf, then the PCA installation path must be configured so that the openssl.cnf file can be located correctly. In this case, you can use the -config option to specify the new, non-default installation path. In the following example, this path is /opt/tealeaf:
/opt/tealeaf/bin/openssl req -new -config /opt/tealeaf/ssl/openssl.cnf -key \
example.key -out cert_req.csr
- During generation of the CSR by using either of the previous commands, you are prompted for public certificate values.
- When the CSR file is successfully generated, it can be used by the internal CA to complete the process to create the signed certificate.
- The signed certificate file can now be applied in the same way as a self-signed certificate for PCA use.
Utility scripts for self-signed certificates
Tealeaf provides a script to make it easier to create self-signed certificates.
The full path to the script file is /usr/local/ctccap/sbin/gen-self-signed-cert.sh. Specify the names of the new private key and certificate files as arguments to gen-self-signed-cert.sh.
The script creates a 2048-bit RSA key file and a self-signed certificate that is valid for 10 years (3,650 days). The resulting files are owned by user ctccap, and the private key is readable only by that user. See the following example.
/usr/local/ctccap/sbin/gen-self-signed-cert.sh example.key example.crt
Several self-signed certificates are created as part of the PCA installation process. If you change the host name of the PCA host server, you can regenerate all of these certificates by using the following command.
env FORCE=YES /usr/local/ctccap/sbin/all-self-signed-certs.sh
The previous command deletes and re-creates the following files:
/usr/local/ctccap/etc/tealeaf-pca.crt
/usr/local/ctccap/etc/tealeaf-pca.key
/usr/local/ctccap/etc/tealeaf-tts.crt
/usr/local/ctccap/etc/tealeaf-tts.key
/usr/local/ctccap/etc/tealeaf-tts.pem
/usr/local/ctccap/etc/tealeaf-web.crt
/usr/local/ctccap/etc/tealeaf-web.key