10.1 Create a SMT server CA and server certificate

The steps in this section cover certificate generation for an organization called acme and for servers within the acme organization. The administrator must substitute the organization's own details when generating the certificates.

  1. Execute the following commands to generate the certificates on the SMT server. If an administrator wants to use already issued certificates, go to Step 2.

    • Generate CA certificate for an organization:

      ~#: openssl req -nodes -x509 -newkey rsa:2048 -days 365 -keyout acmeca.key -out acmeca.pem -subj "/O=acme"
    • Generate certificate signing request (CSR) for the server:

      ~#: openssl req -nodes -newkey rsa:2048 -keyout acmeserver.key -out acmeserver.csr -subj "/O=acme/OU=Servers/CN=`hostname -f`"
    • Before signing the CSR to obtain the MFSMT server certificate, create a text file with the DNS names and IP addresses of the SMT server so that a SAN extension is added to the certificate. Listing all the DNS names and IP addresses in the certificate allows clients to connect to the SMT server by host name or by IP address.

      # extfile.txt
      subjectAltName = DNS:smt2-server.labs.blr.novell.com, DNS:smt2-server, IP:192.168.10.1
    • Sign the CSR to get the server certificate:

      ~#: openssl x509 -req -in acmeserver.csr -days 365 -CA acmeca.pem -CAkey acmeca.key -CAcreateserial -out acmeserver.pem -extfile extfile.txt
  2. Set up the SMT server to use the CA certificate. The following are the steps to use the CA certificate generated in Step 1. The same steps apply if you want to use your own certificates; replace the certificate files with your own certificate paths.

    • Copy the newly generated CA certificate to the system certificate directory:

      ~#: cp acmeca.pem /etc/ssl/certs
    • Generate the hash symlink for the new CA certificate using the command:

      ~#: c_rehash
    • Execute the following command to verify that the hash symlink was created:

      ~#: ls -l /etc/ssl/certs/ | grep acmeca.pem

      This lists the new hash-named symlink pointing to acmeca.pem.

  3. The following are the steps to use the server certificate generated in Step 1. The same steps apply if you want to use your own certificates; replace the certificate files with your own certificate paths.

    • Modify /etc/apache2/vhosts.d/vhost-ssl.conf and change the paths below to the location of the certificate file and the key file:

      SSLCertificateFile <path to certificate file>/acmeserver.pem
      SSLCertificateKeyFile <path to certificate file>/acmeserver.key
  4. Configure the SMT server to use the new CA certificate acmeca.pem.

    Execute the following command:

    ~#: systemctl restart smt.target 

    Restarting the service copies the CA certificate /etc/ssl/certs/acmeca.pem to /srv/www/htdocs/smt.crt.

  5. Execute the following command to verify the certificate on SMT server:

    ~#: openssl s_client -connect <IP or Hostname of the SMT Server>:443

    This command displays the content of the newly configured server certificate.

    To verify the CA certificate, run the following command:

    ~#: openssl x509 -in /srv/www/htdocs/smt.crt -text 

    The newly configured CA certificate content is displayed.

    On configuring SMT Server with new CA and Server Certificates successfully, the clients can successfully communicate and register with the SMT Server. For more information see Section 9.0, Configuring Clients to Use Micro Focus SMT.
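The following script is an added example and is not part of the SMT documentation. It reproduces the certificate generation of Step 1 in a working directory and then checks the result the way a registering client would: the server certificate must chain to the CA and the name used to reach the server must be covered by the SAN. The `openssl s_client` command in Step 5 only displays the certificate; it does not fail on an untrusted chain or a name mismatch. The organization name, the `example.com` domain, the host name and the IP address are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the SMT documentation): generate an acme-style CA
# and SAN-bearing server certificate, then validate chain and host name.
set -eu

# make_certs DIR ORG HOST IP
# Writes acmeca.pem/.key and acmeserver.pem/.key into DIR. The server
# certificate carries a subjectAltName listing HOST (FQDN and short name)
# and IP, as in the extfile.txt of Step 1. Domain example.com is assumed.
make_certs() {
    dir=$1; org=$2; host=$3; ip=$4
    (
        cd "$dir"
        # Self-signed CA certificate for the organization
        openssl req -nodes -x509 -newkey rsa:2048 -days 365 \
            -keyout acmeca.key -out acmeca.pem -subj "/O=$org" 2>/dev/null
        # Server key and CSR; CN is the FQDN as in the original command
        openssl req -nodes -newkey rsa:2048 \
            -keyout acmeserver.key -out acmeserver.csr \
            -subj "/O=$org/OU=Servers/CN=$host.example.com" 2>/dev/null
        # SAN extension file (same format as extfile.txt on the page)
        printf 'subjectAltName = DNS:%s.example.com, DNS:%s, IP:%s\n' \
            "$host" "$host" "$ip" > extfile.txt
        # Sign the CSR with the CA, attaching the SAN extension
        openssl x509 -req -in acmeserver.csr -days 365 -CA acmeca.pem \
            -CAkey acmeca.key -CAcreateserial -out acmeserver.pem \
            -extfile extfile.txt 2>/dev/null
    )
}

# check_cert DIR NAME
# Returns 0 only if acmeserver.pem chains to acmeca.pem AND NAME matches a
# DNS entry in its SAN; this is the check a TLS client actually performs.
check_cert() {
    dir=$1; name=$2
    openssl verify -CAfile "$dir/acmeca.pem" -verify_hostname "$name" \
        "$dir/acmeserver.pem" >/dev/null 2>&1
}

# check_ip DIR IP: same check for a client connecting by IP address.
check_ip() {
    dir=$1; ip=$2
    openssl verify -CAfile "$dir/acmeca.pem" -verify_ip "$ip" \
        "$dir/acmeserver.pem" >/dev/null 2>&1
}
```

Run `make_certs /tmp/smtcerts acme smt2-server 192.168.10.1` and then `check_cert /tmp/smtcerts smt2-server`; a name missing from the SAN makes `check_cert` return non-zero even though the certificate itself is valid.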