Build and Trust Your Own CA on CentOS7

Why I wrote this note

  • I was trying to install Chameleoncloud-in-a-box, which provides bare-metal provisioning using OpenStack Ironic.
  • There is a PKI in Chameleon's development environment. The problem appeared when we tried to build this project at the iCAIR site, whose private network has no PKI.
  • Because the OpenStack CLI uses HTTPS APIs, a bad cert means no successful HTTPS connection and no control over the components.
  • This is a note on building your own PKI with openssl and trusting the root CA on your own computer.
  • References are at the bottom (most of the commands are copied and modified from other websites, actually. = =)

Build PKI

  • Build the CA private key with a passphrase

openssl genrsa -des3 -out myCA.key 2048

  • Build the CA cert

openssl req -x509 -new -nodes -key myCA.key -sha256 -days 3650 -out myCA.pem

  • Build the server private key

openssl genrsa -out ciab.buck.local.key 2048

  • Build the server cert (a CSR signed by the CA)

openssl req -new -key ciab.buck.local.key -out ciab.buck.local.csr
openssl x509 -req -in ciab.buck.local.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out ciab.buck.local.crt -days 3650 -sha256

Trust Your RootCA (CentOS7)

# cp myCA.pem /etc/pki/ca-trust/source/anchors/
# update-ca-trust
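The same build as the steps above, scripted so it runs unattended, plus the two checks worth running before you touch the system trust store. This is an added example, not a command sequence from the original note: the hostname ciab.buck.local, the subject fields, the config-file layout and the mktemp scratch directory are all constructed for it. It goes beyond the note in one way: the server cert gets a subjectAltName, because newer clients (Go since 1.15, current browsers, recent releases of most TLS libraries) no longer match the hostname against the CN alone, and a CN-only cert like the note's can fail even after the root CA is trusted. The config-file form is used instead of openssl's -addext because CentOS 7 ships OpenSSL 1.0.2, which lacks that flag.

```shell
#!/bin/sh
# Added example (not from the original note): build a private CA and a
# SAN-bearing server certificate, then verify the chain the way curl on
# CentOS 7 does against a CA file.
# Assumptions (constructed for this example): hostname ciab.buck.local,
# the subject fields below, and a scratch directory from mktemp.
set -e

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"
HOST="${HOST:-ciab.buck.local}"

# Root CA config: basicConstraints CA:TRUE is what lets clients use this
# cert as a trust anchor once it is in the system bundle.
cat > "$PKI_DIR/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
C  = US
ST = IL
L  = Chicago
O  = Example Lab
CN = Example Lab Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Server config: subjectAltName is what clients match the hostname against.
cat > "$PKI_DIR/server.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
C  = US
ST = IL
L  = Chicago
O  = iCAIR
CN = $HOST
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
EOF

build_ca() {
  # No -des3 so the script is non-interactive; use a passphrase for a real CA.
  openssl genrsa -out "$PKI_DIR/myCA.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$PKI_DIR/myCA.key" -sha256 -days 3650 \
    -config "$PKI_DIR/ca.cnf" -out "$PKI_DIR/myCA.pem" 2>/dev/null
}

build_server_cert() {
  openssl genrsa -out "$PKI_DIR/$HOST.key" 2048 2>/dev/null
  openssl req -new -key "$PKI_DIR/$HOST.key" -config "$PKI_DIR/server.cnf" \
    -out "$PKI_DIR/$HOST.csr" 2>/dev/null
  # x509 -req discards the CSR's extensions, so the SAN is supplied again here.
  openssl x509 -req -in "$PKI_DIR/$HOST.csr" -CA "$PKI_DIR/myCA.pem" \
    -CAkey "$PKI_DIR/myCA.key" -CAcreateserial -days 3650 -sha256 \
    -extfile "$PKI_DIR/server.cnf" -extensions v3_req \
    -out "$PKI_DIR/$HOST.crt" 2>/dev/null
}

# Check 1: does the server cert chain to the given CA file? Returns 0 if so.
# After update-ca-trust, pass /etc/pki/tls/certs/ca-bundle.crt (the CAfile
# curl reports) to confirm the anchor really landed in the system bundle.
verify_against() {
  openssl verify -CAfile "$1" "$PKI_DIR/$HOST.crt" >/dev/null 2>&1
}

# Check 2: does the cert carry a DNS SAN for the name clients will connect to?
has_san_for() {
  openssl x509 -in "$PKI_DIR/$HOST.crt" -noout -text | grep -q "DNS:$1"
}

build_ca
build_server_cert
verify_against "$PKI_DIR/myCA.pem" && echo "chain OK: $HOST.crt -> myCA.pem"
has_san_for "$HOST" && echo "SAN OK: DNS:$HOST"
echo "files in $PKI_DIR"
```

Run it once to get a working CA and server cert in the scratch directory; copy myCA.pem into /etc/pki/ca-trust/source/anchors/ and run update-ca-trust as above, then call verify_against with the system bundle path to confirm the trust store update took effect before debugging curl or the OpenStack CLI.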

Set up an Apache server for testing

Server setup

Test with curl (check that the hostname resolves correctly)

curl -vvv https://ciab.buck.local
* About to connect() to ciab.buck.local port 443 (#0)
*   Trying fe80::c45b:765c:c136:5e3b...
* Connected to ciab.buck.local (fe80::c45b:765c:c136:5e3b) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: CN=ciab.buck.local,O=iCAIR,L=Chicago,ST=illnois,C=US
*       start date: Sep 20 15:42:52 2018 GMT
*       expire date: Sep 17 15:42:52 2028 GMT
*       common name: ciab.buck.local
*       issuer: CN=buck.local,O=Default Company Ltd,L=Chicaog,ST=il,C=US
......

:tada:

Reference

Also, one of my seniors wrote this the day after I solved this problem… It is a better method for managing a PKI.