From 4e4c774d9aef721358d6fd6ebe85da9783bd8386 Mon Sep 17 00:00:00 2001
From: Robert Scrimo
Date: Mon, 27 Mar 2017 16:28:08 -0600
Subject: [PATCH 1/2] Added manual procedure for generating dev and prod certs in traffic ops install wiki.
---
docs/source/admin/traffic_ops_install.rst | 103 ++++++++++++++++++++++
1 file changed, 103 insertions(+)
diff --git a/docs/source/admin/traffic_ops_install.rst b/docs/source/admin/traffic_ops_install.rst
index ca4946114c..6f9b4de3ec 100644
--- a/docs/source/admin/traffic_ops_install.rst
+++ b/docs/source/admin/traffic_ops_install.rst
@@ -379,3 +379,106 @@ To upgrade:
 2. Enter the following command:``yum upgrade traffic_ops``
 3. See :ref:`rl-ps` to run postinstall.
 4. Enter the following command:``service traffic_ops start``
+
+Manually Generating and Installing the SSL Certificate
+------------------------------------------------------
+
+.. Note:: This section is valid for traffic-control 2.0.0 and later.
+
+Self-signed Certificate (Development)
+=====================================
+
+ Example Procedure::
+
+ $ openssl genrsa -des3 -passout pass:x -out localhost.pass.key 2048
+ Generating RSA private key, 2048 bit long modulus
+ ...
+ $ openssl rsa -passin pass:x -in localhost.pass.key -out localhost.key
+ writing RSA key
+ $ rm localhost.pass.key
+
+ $ openssl req -new -key localhost.key -out localhost.csr
+ You are about to be asked to enter information that will be incorporated
+ into your certificate request.
+ What you are about to enter is what is called a Distinguished Name or a DN.
+ There are quite a few fields but you can leave some blank
+ For some fields there will be a default value,
+ If you enter '.', the field will be left blank.
+ -----
+ Country Name (2 letter code) [XX]:US
+ State or Province Name (full name) []:CO
+ Locality Name (eg, city) [Default City]:Denver
+ Organization Name (eg, company) [Default Company Ltd]:
+ Organizational Unit Name (eg, section) []:
+ Common Name (eg, your name or your server's hostname) []:
+ Email Address []:
+
+ Please enter the following 'extra' attributes
+ to be sent with your certificate request
+ A challenge password []: pass
+ An optional company name []:
+ $ openssl x509 -req -sha256 -days 365 -in localhost.csr -signkey localhost.key -out localhost.crt
+ Signature ok
+ subject=/C=US/ST=CO/L=Denver/O=Default Company Ltd
+ Getting Private key
+ $ sudo cp localhost.crt /etc/pki/tls/certs
+ $ sudo cp localhost.key /etc/pki/tls/private
+ $ sudo chown trafops:trafops /etc/pki/tls/certs/localhost.crt
+ $ sudo chown trafops:trafops /etc/pki/tls/private/localhost.key
+
+Certificate from Certificate Authority (Production)
+===================================================
+
+.. Note:: You will need to know the appropriate answers below when generating the certificate request file `trafficopss.csr` below.
+
+ Example Procedure::
+
+ $ openssl genrsa -des3 -passout pass:x -out trafficops.pass.key 2048
+ Generating RSA private key, 2048 bit long modulus
+ ...
+ $ openssl rsa -passin pass:x -in trafficops.pass.key -out trafficops.key
+ writing RSA key
+ $ rm localhost.pass.key
+
+ Generate the Certificate Signing Request (CSR) file needed for Certificate Authority (CA) request.
+
+ $ openssl req -new -key trafficops.key -out trafficops.csr
+ You are about to be asked to enter information that will be incorporated
+ into your certificate request.
+ What you are about to enter is what is called a Distinguished Name or a DN.
+ There are quite a few fields but you can leave some blank
+ For some fields there will be a default value,
+ If you enter '.', the field will be left blank.
+ -----
+ Country Name (2 letter code) [XX]:
+ State or Province Name (full name) []:
+ Locality Name (eg, city) [Default City]:
+ Organization Name (eg, company) [Default Company Ltd]:
+ Organizational Unit Name (eg, section) []:
+ Common Name (eg, your name or your server's hostname) []:
+ Email Address []:
+
+ Please enter the following 'extra' attributes
+ to be sent with your certificate request
+ A challenge password []:
+ An optional company name []:
+ $ sudo cp trafficops.key /etc/pki/tls/private
+ $ sudo chown trafops:trafops /etc/pki/tls/private/trafficops.key
+
+ You must then take the output file trafficops.csr and submit a request to your Certificate Authority (CA).
+ Once you get approved and receive your trafficops.crt file:
+
+ $ sudo cp trafficops.crt /etc/pki/tls/certs
+ $ sudo chown trafops:trafops /etc/pki/tls/certs/trafficops.crt
+
+ If necessary, install the CA certificates .pem and .crt in /etc/pki/tls/certs.
+
+ You will need to update the file /opt/traffic_ops/app/conf/cdn.conf with the following changes:
+ ...
+ e.g. given trafficops.crt and trafficops.key
+ 'hypnotoad' => ...
+ 'listen' => 'https://[::]:443?cert=/etc/pki/tls/certs/trafficops.crt&key=/etc/pki/tls/private/trafficops.key&ca=/etc/pki/tls/certs/localhost.ca&verify=0x00&ciphers=AES128-GCM-SHA256:HIGH:!RC4:!MD5:!aNULL:!EDH:!ED'
+ ...
+
+
From a9e890bf2513002f23e2a7b9679ab51ef9ddc1c9 Mon Sep 17 00:00:00 2001
From: Robert Scrimo
Date: Mon, 27 Mar 2017 18:52:14 -0600
Subject: [PATCH 2/2] Minor change to a note.
---
docs/source/admin/traffic_ops_install.rst | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/source/admin/traffic_ops_install.rst b/docs/source/admin/traffic_ops_install.rst
index 6f9b4de3ec..d0caaf85cb 100644
--- a/docs/source/admin/traffic_ops_install.rst
+++ b/docs/source/admin/traffic_ops_install.rst
@@ -429,7 +429,7 @@ Self-signed Certificate (Development)
 Certificate from Certificate Authority (Production)
 ===================================================
-.. Note:: You will need to know the appropriate answers below when generating the certificate request file `trafficopss.csr` below.
+.. Note:: You will need to know the appropriate answers when generating the certificate request file `trafficopss.csr` below.
 Example Procedure::