Creating an Intermediate Key and Certificate

This appendix details the process for creating an intermediate key and certificate (cert) file. It contains the following sections:

 

Best Practice: Note that in order to import an intermediate (user) certificate, the Transformation Hub must be deployed (and the user certificate imported), undeployed, and then re-deployed to pick up the certificate change. We recommend that you perform this procedure when Transformation Hub is first installed to avoid downtime and data loss.

In outline, your initial Transformation Hub deployment would then consist of these steps:

  1. Install OMT
  2. Deploy Transformation Hub with default settings
  3. Create the intermediate key and certificate as described in the sections below.
  4. From the OMT UI, uninstall the Transformation Hub.
  5. After the Transformation Hub is uninstalled, redeploy the Transformation Hub.
  6. Configure your pre-deployment parameters (such as Client Authentication or FIPS) as desired.

To obtain the contents of the RE certificate, use the following script:

   ${CDF_HOME}/scripts/cdf-updateRE.sh

However, the CA (certificate authority) private key is not available. Therefore, in order to create a signed certificate, you will need to create and use an intermediate key and CA.

Create a New CA Certificate (example)

  1. Make the directory and configure:
   mkdir /root/ca
   cd /root/ca
   mkdir certs crl newcerts private
   chmod 700 private
   touch index.txt
   echo 1000 > serial 
  2. Open the root CA configuration file in a text editor (vi /root/ca/openssl.cnf; this is the file the commands in this section pass with -config), and then add the following contents (values shown are examples; change parameter values to match yours):
   # OpenSSL root CA configuration file.
   # Copy to `/root/ca/openssl.cnf`.
   [ ca ]
   default_ca = CA_default
   [ CA_default ]
   # Directory and file locations.
   dir               = /root/ca
   certs             = $dir/certs
   crl_dir           = $dir/crl
   new_certs_dir     = $dir/newcerts
   database          = $dir/index.txt
   serial            = $dir/serial
   RANDFILE          = $dir/private/.rand
   # The root key and root certificate.
   private_key       = $dir/private/ca.key.pem
   certificate       = $dir/certs/ca.cert.pem
   # For certificate revocation lists.
   crlnumber         = $dir/crlnumber
   crl               = $dir/crl/ca.crl.pem
   crl_extensions    = crl_ext
   default_crl_days  = 30
   # SHA-1 is deprecated, so use SHA-2 instead.
   default_md        = sha256
   name_opt          = ca_default
   cert_opt          = ca_default
   default_days      = 375
   preserve          = no
   policy            = policy_strict
   [ policy_strict ]
   # The root CA should only sign intermediate certificates that match.
   # See the POLICY FORMAT section of `man ca`.
   countryName             = match
   stateOrProvinceName     = match
   organizationName        = match
   organizationalUnitName  = optional
   commonName              = supplied
   emailAddress            = optional
   [ policy_loose ]
   # Allow the intermediate CA to sign a more diverse range of certificates.
   # See the POLICY FORMAT section of the `ca` man page.
   countryName             = optional
   stateOrProvinceName     = optional
   localityName            = optional
   organizationName        = optional
   organizationalUnitName  = optional
   commonName              = supplied
   emailAddress            = optional
   [ req ]
   # Options for the `req` tool (`man req`).
   default_bits        = 2048
   distinguished_name  = req_distinguished_name
   string_mask         = utf8only
   # SHA-1 is deprecated, so use SHA-2 instead.
   default_md          = sha256
   # Extension to add when the -x509 option is used.
   x509_extensions     = v3_ca
   [ req_distinguished_name ]
   countryName                     = Country
   stateOrProvinceName             = State
   localityName                    = Locality
   0.organizationName              = EntCorp
   organizationalUnitName          = OrgName
   commonName                      = Common Name
   emailAddress                    = Email Address
   # Optionally, specify some defaults.
   countryName_default             = <your country code>
   stateOrProvinceName_default     = <your state or province>
   localityName_default            =
   0.organizationName_default      = <your company name>
   organizationalUnitName_default  =
   emailAddress_default            =
   [ v3_ca ]
   # Extensions for a typical CA (`man x509v3_config`).
   subjectKeyIdentifier = hash
   authorityKeyIdentifier = keyid:always,issuer
   basicConstraints = critical, CA:true
   keyUsage = critical, digitalSignature, cRLSign, keyCertSign
   [ v3_intermediate_ca ]
   # Extensions for a typical intermediate CA (`man x509v3_config`).
   subjectKeyIdentifier = hash
   authorityKeyIdentifier = keyid:always,issuer
   basicConstraints = critical, CA:true, pathlen:0
   keyUsage = critical, digitalSignature, cRLSign, keyCertSign
   [ usr_cert ]
   # Extensions for client certificates (`man x509v3_config`).
   basicConstraints = CA:FALSE
   nsCertType = client, email
   nsComment = "OpenSSL Generated Client Certificate"
   subjectKeyIdentifier = hash
   authorityKeyIdentifier = keyid,issuer
   keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
   extendedKeyUsage = clientAuth, emailProtection
   [ server_cert ]
   # Extensions for server certificates (`man x509v3_config`).
   basicConstraints = CA:FALSE
   nsCertType = server
   nsComment = "OpenSSL Generated Server Certificate"
   subjectKeyIdentifier = hash
   authorityKeyIdentifier = keyid,issuer:always
   keyUsage = critical, digitalSignature, keyEncipherment
   extendedKeyUsage = serverAuth
   [ crl_ext ]
   # Extension for CRLs (`man x509v3_config`).
   authorityKeyIdentifier=keyid:always
   [ ocsp ]
   # Extension for OCSP signing certificates (`man ocsp`).
   basicConstraints = CA:FALSE
   subjectKeyIdentifier = hash
   authorityKeyIdentifier = keyid,issuer
   keyUsage = critical, digitalSignature
   extendedKeyUsage = critical, OCSPSigning
  3. Generate the new CA root key:
   cd /root/ca
   openssl genrsa -out private/ca.key.pem 4096
   chmod 400 private/ca.key.pem
  4. Create the new CA cert:
   # Keep the root valid at least as long as the intermediate it will sign
   # (3650 days in the intermediate step below); adjust -days accordingly.
   openssl req -config openssl.cnf \
   -key private/ca.key.pem \
   -new -x509 -days 365 -sha256 -extensions v3_ca \
   -out certs/ca.cert.pem
  5. Verify the root CA:
   chmod 444 certs/ca.cert.pem
   openssl x509 -noout -text -in certs/ca.cert.pem

Create a New Intermediate Key and Certificate

  1. Make the directory and configure:
   mkdir /root/ca/intermediate/
   cd /root/ca/intermediate
   mkdir certs crl csr newcerts private
   chmod 700 private
   touch index.txt
   echo 1000 > serial
   echo 1000 > /root/ca/intermediate/crlnumber
  2. Open the intermediate CA configuration file in a text editor (vi /root/ca/intermediate/openssl.cnf; the CSR step below passes it with -config intermediate/openssl.cnf), and then add the following contents (values shown are examples; change parameter values to match yours). Make sure the directory is unique for each intermediate CA.
   [ ca ]
   default_ca = CA_default
   [ CA_default ]
   # Directory and file locations.
   dir               = /root/ca/intermediate
   certs             = $dir/certs
   crl_dir           = $dir/crl
   new_certs_dir     = $dir/newcerts
   database          = $dir/index.txt
   serial            = $dir/serial
   RANDFILE          = $dir/private/.rand
   # The root key and root certificate.
   private_key       = $dir/private/intermediate.key.pem
   certificate       = $dir/certs/intermediate.cert.pem
   # For certificate revocation lists.
   crlnumber         = $dir/crlnumber
   crl               = $dir/crl/intermediate.crl.pem
   crl_extensions    = crl_ext
   default_crl_days  = 30
   # SHA-1 is deprecated, so use SHA-2 instead.
   default_md        = sha256
   name_opt          = ca_default
   cert_opt          = ca_default
   default_days      = 375
   preserve          = no
   policy            = policy_loose
   [ policy_strict ]
   # The root CA should only sign intermediate certificates that match.
   # See the POLICY FORMAT section of `man ca`.
   countryName             = match
   stateOrProvinceName     = match
   organizationName        = match
   organizationalUnitName  = optional
   commonName              = supplied
   emailAddress            = optional
   [ policy_loose ]
   # Allow the intermediate CA to sign a more diverse range of certificates.
   # See the POLICY FORMAT section of the `ca` man page.
   countryName             = optional
   stateOrProvinceName     = optional
   localityName            = optional
   organizationName        = optional
   organizationalUnitName  = optional
   commonName              = supplied
   emailAddress            = optional
   [ req ]
   # Options for the `req` tool (`man req`).
   default_bits        = 2048
   distinguished_name  = req_distinguished_name
   string_mask         = utf8only
   # SHA-1 is deprecated, so use SHA-2 instead.
   default_md          = sha256
   # Extension to add when the -x509 option is used.
   x509_extensions     = v3_ca
   [ req_distinguished_name ]
   # See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
   countryName                     = Country Name (2 letter code)
   stateOrProvinceName             = State or Province Name
   localityName                    = Locality Name
   0.organizationName              = Organization Name
   organizationalUnitName          = Organizational Unit Name
   commonName                      = Common Name
   emailAddress                    = Email Address
   # Optionally, specify some defaults.
   countryName_default             = <your country code>
   stateOrProvinceName_default     = <your state or province>
   localityName_default            =
   0.organizationName_default      = <your company name>
   organizationalUnitName_default  =
   emailAddress_default            =
   [ v3_ca ]
   # Extensions for a typical CA (`man x509v3_config`).
   subjectKeyIdentifier = hash
   authorityKeyIdentifier = keyid:always,issuer
   basicConstraints = critical, CA:true
   keyUsage = critical, digitalSignature, cRLSign, keyCertSign
   [ v3_intermediate_ca ]
   # Extensions for a typical intermediate CA (`man x509v3_config`).
   subjectKeyIdentifier = hash
   authorityKeyIdentifier = keyid:always,issuer
   basicConstraints = critical, CA:true, pathlen:0
   keyUsage = critical, digitalSignature, cRLSign, keyCertSign
   [ usr_cert ]
   # Extensions for client certificates (`man x509v3_config`).
   basicConstraints = CA:FALSE
   nsCertType = client, email
   nsComment = "OpenSSL Generated Client Certificate"
   subjectKeyIdentifier = hash
   authorityKeyIdentifier = keyid,issuer
   keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
   extendedKeyUsage = clientAuth, emailProtection
   [ server_cert ]
   # Extensions for server certificates (`man x509v3_config`).
   basicConstraints = CA:FALSE
   nsCertType = server
   nsComment = "OpenSSL Generated Server Certificate"
   subjectKeyIdentifier = hash
   authorityKeyIdentifier = keyid,issuer:always
   keyUsage = critical, digitalSignature, keyEncipherment
   extendedKeyUsage = serverAuth
   [ crl_ext ]
   # Extension for CRLs (`man x509v3_config`).
   authorityKeyIdentifier=keyid:always
   [ ocsp ]
   # Extension for OCSP signing certificates (`man ocsp`).
   basicConstraints = CA:FALSE
   subjectKeyIdentifier = hash
   authorityKeyIdentifier = keyid,issuer
   keyUsage = critical, digitalSignature
   extendedKeyUsage = critical, OCSPSigning
  3. Generate the new intermediate CA key:
   cd /root/ca
   openssl genrsa -out intermediate/private/intermediate.key.pem 4096
  4. Create the intermediate CA certificate signing request (CSR):
   chmod 400 intermediate/private/intermediate.key.pem
   openssl req -config intermediate/openssl.cnf -new -sha256 \
   -key intermediate/private/intermediate.key.pem \
   -out intermediate/csr/intermediate.csr.pem
  5. Create the new intermediate CA cert:
   cd /root/ca
   openssl ca -config openssl.cnf -extensions v3_intermediate_ca \
   -days 3650 -notext -md sha256 \
   -in intermediate/csr/intermediate.csr.pem \
   -out intermediate/certs/intermediate.cert.pem
   # Sign the certificate? [y/n]: y
   chmod 444 intermediate/certs/intermediate.cert.pem
  6. Inspect the intermediate CA certificate:
   openssl x509 -noout -text \
   -in intermediate/certs/intermediate.cert.pem
  7. Verify the intermediate certificate against the root certificate:
   openssl verify -CAfile certs/ca.cert.pem \
   intermediate/certs/intermediate.cert.pem
   # intermediate.cert.pem: OK
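The procedure above ends with a single `openssl verify`. The script below, added here and not part of the product documentation, wraps that check with two more worth running before the pair goes to cdf-updateRE.sh: that the intermediate actually carries CA:TRUE, pathlen:0 from v3_intermediate_ca, and that the root's notAfter is no earlier than the intermediate's (a root created with -days 365 and an intermediate signed for 3650 days, as in the commands above, fails this). It assumes openssl and GNU date are on PATH, generates its throwaway test pair with `openssl x509 -req` rather than the `openssl ca` database flow, and the Demo Root CA / Demo Intermediate CA names are constructed.

```shell
#!/bin/sh
# Added example, not part of the product docs: sanity-check a root/intermediate
# pair before passing it to cdf-updateRE.sh. Assumes openssl and GNU date in PATH.
enddate_epoch() {  # notAfter of a certificate as seconds since the epoch
  d=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')
  date -u -d "$d" +%s
}
# check_chain ROOT INTERMEDIATE: returns 0 when usable, 1 with findings printed
check_chain() {
  rc=0
  # the check the procedure itself runs: intermediate verifies against the root
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || { echo "FAIL: chain"; rc=1; }
  # v3_intermediate_ca must yield CA:TRUE, pathlen:0 (no further sub-CAs)
  case $(openssl x509 -noout -text -in "$2") in
    *"CA:TRUE, pathlen:0"*) ;; *) echo "FAIL: basicConstraints"; rc=1 ;;
  esac
  # the root must outlive the intermediate, or the chain breaks when the root expires
  [ "$(enddate_epoch "$1")" -ge "$(enddate_epoch "$2")" ] \
    || { echo "FAIL: root expires before intermediate"; rc=1; }
  return $rc
}
# make_pair DIR ROOT_DAYS INTER_DAYS: throwaway pair carrying the procedure's
# v3_ca / v3_intermediate_ca extensions, signed with `openssl x509 -req`
make_pair() {
  mkdir -p "$1"; cnf="$1/openssl.cnf"
  cat > "$cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Demo Root CA
[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[v3_intermediate_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
EOF
  openssl req -config "$cnf" -x509 -newkey rsa:2048 -nodes -days "$2" \
    -extensions v3_ca -keyout "$1/ca.key.pem" -out "$1/ca.cert.pem" 2>/dev/null
  openssl req -config "$cnf" -new -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
    -keyout "$1/intermediate.key.pem" -out "$1/intermediate.csr.pem" 2>/dev/null
  openssl x509 -req -days "$3" -in "$1/intermediate.csr.pem" -CA "$1/ca.cert.pem" \
    -CAkey "$1/ca.key.pem" -CAcreateserial -extfile "$cnf" -extensions v3_intermediate_ca \
    -out "$1/intermediate.cert.pem" 2>/dev/null
}
```

Run `make_pair /tmp/demo 365 3650` followed by `check_chain /tmp/demo/ca.cert.pem /tmp/demo/intermediate.cert.pem` to see the validity finding; in production, point check_chain at the files produced by the procedure itself.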

Update the Certificate Set on the Transformation Hub Cluster

In order to update the CA cert used by Transformation Hub, copy your intermediate key and intermediate cert along with the CA cert from the server where they were created to the Initial Master Node, and then do the following:

  1. Run:
   ${CDF_HOME}/scripts/cdf-updateRE.sh write --re-key=/tmp/intermediate.key.pem --re-crt=/tmp/intermediate.cert.pem --re-ca=/tmp/ca.cert.pem
   Note: intermediate.key.pem, intermediate.cert.pem, and ca.cert.pem can be placed at any path you choose; /tmp is only an example.
  2. From the OMT UI, uninstall the Transformation Hub.
  3. After the Transformation Hub is uninstalled, redeploy the Transformation Hub.