Generating SSL Certificate for Episode archive
Self-signed SSL certificates for the Episode archive service can be created with the OpenSSL application.
Install the OpenSSL v1.1.1n Light distribution package, which corresponds to the bitness of the operating system used.
Generation on Windows OS
The steps below are a sequence of commands that should be executed on the command line.
Add the OpenSSL folder to the PATH environment variable.
For Win64 OpenSSL v1.1.1s Light use:
path=%path%;C:\Program Files\OpenSSL-Win64\bin\
For Win32 OpenSSL v1.1.1s Light use:
path=%path%;C:\Program Files\OpenSSL-Win32\bin\
Create a directory that will contain the generated certificates. On the command line, navigate to the created directory.
Create the root certificate private key file:
openssl genrsa -out *rootCertKeyName*.key 2048
Create the root certificate:
openssl req -x509 -new -key *rootCertKeyName*.key -days 10000 -out *rootCertName*.crt
Note
The command will prompt for the certificate details.
Create the service private key:
openssl genrsa -out *serviceCertKeyName*.key 2048
Create the Certificate Signing Request (CSR):
openssl req -new -key *serviceCertKeyName*.key -out *serviceCertRequestName*.csr
Note
The command will prompt for the certificate details.
When prompted for the Common Name (e.g. server FQDN or YOUR name), enter the IP address of the service.
Create the service certificate by signing the CSR with the root certificate:
openssl x509 -req -in *serviceCertRequestName*.csr -CA *rootCertName*.crt -CAkey *rootCertKeyName*.key -CAcreateserial -out *serviceCertName*.crt -days 5000
Export the certificate and private key into a single file:
openssl pkcs12 -export -out *serviceCertFileName*.pfx -inkey *serviceCertKeyName*.key -in *serviceCertName*.crt -certfile *rootCertName*.crt
Note
Created .pfx files should be transferred to the server running the Episode archive service and added to the **Episode archive service** configuration.
The root certificate *rootCertName*.crt must be imported into the operating system on all servers that will work with the Episode archive service.
Generation on Linux OS
Run a terminal.
Create a directory that will contain the generated certificates. On the command line, navigate to the created directory.
Create the root certificate private key file:
openssl genrsa -out *rootCertKeyName*.key 2048
Create the root certificate:
openssl req -x509 -new -key *rootCertKeyName*.key -days 10000 -out *rootCertName*.crt
Note
The command will prompt for the certificate details.
Create the service private key:
openssl genrsa -out *serviceCertKeyName*.key 2048
Create the Certificate Signing Request (CSR):
openssl req -new -key *serviceCertKeyName*.key -out *serviceCertRequestName*.csr
Note
The command will prompt for the certificate details.
When prompted for the Common Name (e.g. server FQDN or YOUR name), enter the IP address of the service.
Create the service certificate by signing the CSR with the root certificate:
openssl x509 -req -in *serviceCertRequestName*.csr -CA *rootCertName*.crt -CAkey *rootCertKeyName*.key -CAcreateserial -out *serviceCertName*.crt -days 5000
Export the certificate and private key into a single file:
openssl pkcs12 -export -out *serviceCertFileName*.pfx -inkey *serviceCertKeyName*.key -in *serviceCertName*.crt -certfile *rootCertName*.crt
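Import the root certificate into the operating system, using the commands that match the distribution.
On distributions that provide update-ca-certificates (such as Debian and Ubuntu), copy the root certificate to the certificates’ directory: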
sudo cp *rootCertName*.crt /usr/local/share/ca-certificates/*rootCertName*.crt
Update the certificates list:
sudo update-ca-certificates
On distributions that use yum and update-ca-trust (such as RHEL and CentOS), install the certificates vault package:
yum install ca-certificates
Allow vault dynamic configuration:
update-ca-trust force-enable
Copy the root certificate to the certificates’ directory:
cp *rootCertName*.crt /etc/pki/ca-trust/source/anchors/
Update the certificates list:
update-ca-trust extract
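Before transferring the files, it is worth confirming that the service certificate chains to the root, that the private key belongs to it, and that the Common Name holds the service address. The script below is an added example, not part of the original procedure; the file names, the `Example Root` subject and the address 192.0.2.10 are constructed placeholders, and `-subj` is used only to make the page's commands non-interactive.

```sh
#!/bin/sh
# Added example: verify the files produced by the procedure above.
# File names and the address 192.0.2.10 are constructed placeholders.

# Digest of the public key in a certificate ($1 = x509) or private key ($1 = pkey).
pubkey_digest() {
    if [ "$1" = x509 ]; then
        openssl x509 -in "$2" -noout -pubkey
    else
        openssl pkey -in "$2" -pubout
    fi | openssl sha256
}

# Usage: check_service_cert ROOT_CRT SERVICE_CRT SERVICE_KEY EXPECTED_CN
# Returns 0 only if the certificate chains to the root, the private key
# belongs to the certificate, and the Common Name is the expected address.
check_service_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 \
        || { echo "chain does not verify against root"; return 1; }
    [ "$(pubkey_digest x509 "$2")" = "$(pubkey_digest pkey "$3")" ] \
        || { echo "private key does not match certificate"; return 2; }
    cn=$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$4" ] || { echo "Common Name is '$cn', expected '$4'"; return 3; }
    echo "OK"
}

# Build a throwaway root and service certificate in directory $1 with the
# page's commands, made non-interactive with -subj (constructed values).
make_demo_certs() {
    openssl genrsa -out "$1/root.key" 2048 2>/dev/null &&
    openssl req -x509 -new -key "$1/root.key" -days 10000 \
        -subj "/CN=Example Root" -out "$1/root.crt" &&
    openssl genrsa -out "$1/service.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/service.key" -subj "/CN=192.0.2.10" \
        -out "$1/service.csr" &&
    openssl x509 -req -in "$1/service.csr" -CA "$1/root.crt" \
        -CAkey "$1/root.key" -CAcreateserial -out "$1/service.crt" \
        -days 5000 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir" && check_service_cert "$demo_dir/root.crt" \
    "$demo_dir/service.crt" "$demo_dir/service.key" 192.0.2.10
```

To check real files, call `check_service_cert` with the actual root certificate, service certificate, service key and the service IP address in place of the demo paths.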