Skip to end of metadata
Go to start of metadata

Introduction

This article shows how to create a root certificate and a derived certificate to sign a package and onboard it to SDC.

Create root certificate CA (Certificate Authority) and its private key

Run the following command that will create the root certificate and it's private key. This certificate will represent the SDC Certificate Authority - CA.
The command will prompt for certificate information and only the field Common Name - CN is important, the rest can be empty. Fill that with any non blank information and do not repeat it in the child certificate that will be created further.

openssl req -new -nodes -x509 -keyout rootCA-private.key -out rootCA.cert

Create the package certificate issued by CA

Create the package private key package-private.key and an associated Certificate Signing Request (CSR) package.csr, used to create a certificate based on that key.

openssl req -new -nodes -keyout package-private.key -out package.csr

Now, create the package certificate issued by root certificate. Similar to the root certificate creation process, the command will prompt for certificate information and only the field Common Name - CN is important, the rest can be empty. Fill the CN with any non blank information and do not repeat the root CA certificate CN, otherwise the package signature validation will think the certificate is self signed.

Using the certificate authority/root certificate (-CA rootCA.cert), root certificate private key (-CAkey rootCA-private.key) and the package CSR (-in package.csr), run the following command to generate the package certificate package.cert:

openssl x509 -req -CA rootCA.cert -CAkey rootCA-private.key -CAcreateserial -in package.csr -out package.cert

Sign package with the package certificate and its private key

Choose one method among the two options:
 
Option 1: the following command will include the signing certificate, package.cert, inside the resulting package.cms:

openssl cms -sign -signer package.cert -inkey package-private.key -outform PEM -binary -in package.csar -out package.cms

In this option you don't need to add the certificate as a separate file in the signed zip package:

  • package.zip
    • package.csar
    • package.cms

Option 2: the following command will not include the signing certificate, package.cert, inside the resulting package.cms. The only difference from Option 1 is the addition of -nocerts option:

openssl cms -sign -signer package.cert -inkey package-private.key -outform PEM -binary -nocerts -in package.csar -out package.cms

In this option you need to add the certificate package.cert as a separate file in the signed zip package.

  • package.zip
    • package.csar
    • package.cms
    • package.cert

Validate the CMS signature

To validate the CMS generated package.cms, use the following command with the CA rootCA.cert, package certificate package.cert and package.csar:

openssl cms -verify -inform PEM -binary -CAfile rootCA.cert -certfile package.cert -in package.cms -content package.csar 

Copy root certificate to the SDC certificate folder

SDC currently keeps the certificates in the data/onap/cert folder. Copy the created rootCA.cert to that folder:

cp rootCA.cert /data/onap/cert/rootCA.cert

This can be done during runtime as SDC will read from that folder every time it validates a package.

<!> Be aware that currently SDC only checks for the number of certificates in /data/onap/cert folder to change the certificates in memory. If the number still the same, it will not update the list of certificates, so a simple replace will change nothing during runtime.

Upload your signed package

Test the certificates by onboarding the signed package to create a SDC VSP (Virtual Software Package).

Utility functions

Print certificate information

openssl x509 -text -in root.cert

Print cryptographic message syntax information

openssl cms -cmsout -print -inform pem -in package.cms

Extract public key from certificate

openssl x509 -in ceritificate.cert -pubkey -noout -out public.key

Verify that a certificate was issued by a Certificate Authority (root certificate)

openssl verify -verbose -CAfile rootCA.cert package.cert

References