...
jar -xvf AAF_sample_config_v1.zip
...
Certificate Authority
You need to identify a SAFE AND SECURE machine when working with your own Certificate Authority. Realize that if a hacker gets the private keys of your CA or Intermediate CAs, you will be TOTALLY Compromised.
For that reason, many large companies will isolate any machines dealing with Certificates, and that is the recommendation here as well. However, this page cannot explain what works best for you. JSCEP is an option if you already have this setup.
If you choose to make your own CA, then at the very least, once you have created the private keys for your Root Cert and your Intermediate Certs, you might consider saving those Private Keys offline and removing them from the exposed box. Again, this is YOUR responsibility, and must follow your policy.
Note: This can be skipped if you plan on utilizing your own Certificate Authority mechanism through JSCEP, but you will need to obtain your first Certificates manually all the same
IMPORTANT! As you create Certificates for Identities, the Identities you use MUST be identities in your ILM. See /opt/app/aaf/osaaf/data/identities.dat
Creating your own Certificate Authority (if desired)
1) Obtain all the Shell Scripts from the "conf/CA" directory, which you can get from the git repo.
For this example, we'll put everything in /opt/app/osaaf
mkdir /opt/app/osaaf/CA, if required
$ cd /opt/app/osaaf/CA
<view README.txt for last minute info>
<view and/or change "subject.aaf" for your needs>. This format will be used on all generated certs from the CA.
$ cat subject.aaf
If you will be using PKCS11 option, review the "cfg.pkcs11" file as well
$ cat cfg.pkcs11
$ bash newca.sh
< available soon ... bash newintermediate.sh <name>>
# create an Application Cert
...
Obviously, save off your passphrase in an encrypted place; how you do this is your procedure.
At this point, your Root CA information has been created. If you want to start over, you may use "bash clean.sh"
Create your Intermediate CAs
2) You do NOT sign regular Cert requests with your Root. You only sign with an Intermediate CA. The "intermediate.sh" script will create a NEW Intermediate CA Directory and copy the appropriate Shell scripts over. Do this for as many Intermediate CAs as you need.
$ bash newIntermediate.sh
This creates directories in order: intermediate_1, intermediate_2, etc.
Use the Intermediate CA for creating Service/Identity Certs (can be utilized by Certman with LocalCA)
3) When creating a Manual Certificate, DO THIS from the directory of the Intermediate CA you need
$ cd intermediate_1
4) Create initial Certificate for AAF, and create a "p12" (pkcs12) file
IMPORTANT! As you create Certificates for Identities, the Identities you use MUST be identities in your ILM. See /opt/app/aaf/osaaf/data/identities.dat
To create LOCALLY, meaning create the CSR, and submit immediately, do the following
$ bash manual.sh -local
FQI (Fully Qualified Identity):
<identity from identities.dat>@<domain, ex: aaf.osaaf.org>
To create Information suitable for Emailing, and signing the returned CSR
$ bash manual.sh -local
FQI (Fully Qualified Identity):
<identity from identities.dat>@<domain, ex: aaf.osaaf.org>
# create a Personal Cert (for use in Browsers, etc)
...