CreateSSLCertificate

Overview

The Unified Assurance SSL Certificate and Key Creation application runs OpenSSL commands to create keys and certificates. The files are located in $A1BASEDIR/etc/ssl.

Tree of trust:

  • Assure1CA (Unified Assurance Global CA)

      • Web

      • SiteCA (Unified Assurance Site CA)

          • Host

          • User-api

          • User-assure1

          • User-elastic

          • User-repl

          • User-root

If the type SiteCA is specified, the application creates a new certificate authority that is specific to the site and automatically creates the Host and User-* certificates. It also creates a BundleCA.crt file containing both the Assure1CA and SiteCA certificates. This bundle is used in application configurations.

Examples

  • Create SiteCA Certificate and dependencies

    ./CreateSSLCertificate --Type SiteCA
    
  • Create Web Certificate (with separate host FQDNs)

    ./CreateSSLCertificate --Type Web --CN host1.example.com --AltCN host1-pres1.example.com --AltCN host1-pres2.example.com
    

Note

Web certificates in a redundant setup must specify --AltCN for the host FQDNs of both presentation servers. This allows a single cert to be shared between servers as well as allowing connections to individual servers for troubleshooting.
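To confirm that a Web certificate carries every host FQDN this note requires before it is deployed, the following added example (not part of the product or its documentation) lists the DNS entries in a certificate's subjectAltName and prints any required name that is missing. The function names and the throwaway self-signed certificate built by `demo` are constructed for illustration, and the example assumes OpenSSL 1.1.1 or later for `-addext`.

```shell
#!/bin/sh
# Added example: report required host FQDNs that are absent from a
# certificate's subjectAltName. Function names are illustrative.

# san_names CERT: print one DNS subjectAltName entry per line.
san_names() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' |
        tail -n 1 | tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS://p'
}

# missing_sans CERT FQDN...: print each FQDN with no exact SAN match.
# Wildcard entries are not expanded; names are compared literally.
missing_sans() {
    cert=$1; shift
    have=$(san_names "$cert")
    for fqdn in "$@"; do
        printf '%s\n' "$have" | grep -qixF -e "$fqdn" || printf '%s\n' "$fqdn"
    done
}

# make_sample_cert PREFIX SAN_LIST: constructed, self-signed test input.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=host1.example.com" -addext "subjectAltName=$2" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# demo: build a certificate that omits the second presentation server,
# then check it against the three FQDNs from the example above.
demo() {
    tmp=$(mktemp -d) || return 1
    make_sample_cert "$tmp/Web" \
        "DNS:host1.example.com,DNS:host1-pres1.example.com" || return 1
    missing_sans "$tmp/Web.crt" host1.example.com \
        host1-pres1.example.com host1-pres2.example.com
    rm -rf "$tmp"
}

# Usage: sh check_san.sh CERT FQDN...   (no arguments runs the demo)
if [ "$#" -ge 2 ]; then missing_sans "$@"; else demo; fi
```

An empty result means every listed FQDN has an exact DNS entry in the certificate; any name printed would fail hostname verification in clients that match only against subjectAltName.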

By default, CreateSSLCertificate will not run if the requested certificate already exists. Use the --Force option to override this behavior by revoking the old certificate and creating a new one with the same name.

To have a certificate signed by a third-party CA, you can use the Web.csr file as the certificate signing request.

Administration Details

The following list shows the technical details you will need for advanced administration of the application:

  • Package - assure1-app

  • Synopsis - ./CreateSSLCertificate [OPTIONS]

  • Options:

     -t, --Type OPT     Type option {Host, SiteCA, User, Web}
     -c, --CN TEXT      Common name FQDN
     -a, --AltCN TEXT   Alternative common name for subjectALtName
                        (specify separate HostFQDN from WebFQDN)
     -f, --Force        Force overwriting existing certificates
     -s, --Silent       Enable silent mode
     -?, -h, --Help     Print usage and exit