...

jar -xvf AAF_sample_config_v1.zip

...

Certificate Authority

You need to identify a SAFE AND SECURE machine when working with your own Certificate Authority

...

Realize that if a hacker gets the private keys of your CA or Intermediate CAs, you will be TOTALLY compromised.

For that reason, many large companies isolate any machines dealing with Certificates, and that is the recommendation here as well. However, this page cannot explain what works best for you. JSCEP is an option if you have this setup already.

If you choose to make your own CA, then at the very least, once you have created the private keys for your Root Cert and your Intermediate Certs, consider saving those private keys offline and removing them from the exposed box. Again, this is YOUR responsibility, and must follow your policy.


IMPORTANT!  As you create Certificates for Identities, the

Note: This can be skipped if you plan on utilizing your own Certificate Authority mechanism through JSCEP, but you will need to obtain your first Certificates manually all the same.

IMPORTANT!  The Identities you use MUST be identities in your ILM.  See /opt/app/aaf/osaaf/data/identities.dat

Creating your own Certificate Authority (if desired)

1) Obtain all the Shell Scripts from the "conf/CA" directory, which you can get from the git repo.

For this example, we'll put everything in /opt/app/osaaf

$ mkdir /opt/app/osaaf/CA  (if required)

$ cd /opt/app/

...

osaaf/CA

<view README.txt for last minute info>

<view and/or change "subject.aaf" for your needs>. This format will be used on all certs generated from the CA.

$ cat subject.aaf

If you will be using the PKCS11 option, review the "cfg.pkcs11" file as well.

$ cat cfg.pkcs11

$ bash newca.sh

< available soon ... bash newintermediate.sh <name>>

# create an Application Cert

...

Obviously, save off your passphrase in an encrypted place. How you do this is your procedure.

At this point, your Root CA information has been created. If you want to start over, you may use "bash clean.sh".

Create your Intermediate CAs

2) You do NOT sign regular Cert requests with your Root. You only sign with an Intermediate CA. The "intermediate.sh" script creates a NEW Intermediate CA directory and copies the appropriate Shell scripts over. Do this for as many Intermediate CAs as you need.

$ bash newIntermediate.sh

This creates directories in order: intermediate_1, intermediate_2, etc.

Use the Intermediate CA for creating Service/Identity Certs (these can be utilized by Certman with LocalCA).

3) When creating a Manual Certificate, do this from the directory of the Intermediate CA that is needed:

$ cd intermediate_1

4) Create the initial Certificate for AAF, and create a "p12" (PKCS#12) file.

IMPORTANT!  As you create Certificates for Identities, the Identities you use MUST be identities in your ILM. See /opt/app/aaf/osaaf/data/identities.dat

To create LOCALLY, meaning create the CSR and submit it immediately, do the following:

$ bash manual.sh -local

FQI (Fully Qualified Identity):

<identity from identities.dat>@<domain, ex: aaf.osaaf.org>

To create information suitable for emailing, and to sign the CSR when it is returned:

$ bash manual.sh -local

FQI (Fully Qualified Identity):

<identity from identities.dat>@<domain, ex: aaf.osaaf.org>
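The flow that steps 1 to 4 walk through (a Root that signs only Intermediates, an Intermediate that signs identity certs, an identity that must exist in identities.dat, and a PKCS#12 bundle at the end) is shown below in plain openssl, as an added example. It is not the AAF project's own newca.sh, newIntermediate.sh or manual.sh, and it does not read subject.aaf or cfg.pkcs11. It assumes openssl is on PATH, uses a constructed two-line identities.dat (only the first, id column is modelled), a placeholder PKCS#12 passphrase, made-up subject names, and the domain aaf.osaaf.org taken from the example FQI above.

```shell
#!/bin/sh
# Added example, not the AAF project's CA scripts: a minimal two-tier CA in plain
# openssl that follows the rules on this page. Assumes openssl on PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"
DOMAIN="aaf.osaaf.org"            # domain from the page's example FQI
P12_PASS="${P12_PASS:-changeit}"  # placeholder only; keep the real one encrypted, off-box

# Constructed sample identities.dat. Only the first (id) column is used here; the
# real AAF file carries further columns that this example does not model.
IDENTITIES="$WORK/identities.dat"
printf 'aaf|Application|AAF Service\ndemo|Person|Demo User\n' >"$IDENTITIES"

# Step 4 rule: a cert may only be issued for an identity present in identities.dat.
has_identity() { grep -q "^$1|" "$IDENTITIES"; }

# x509v3 extensions: CAs may sign certificates, leaf (identity) certs may not.
write_ext() {  # $1 = ca|leaf, $2 = output path
  if [ "$1" = ca ]; then
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' >"$2"
  else
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth,clientAuth\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' >"$2"
  fi
}

# Root CA: self-signed. Its key signs intermediates only and, as the page
# recommends, should then be moved off the exposed machine.
make_root() {
  mkdir -p "$WORK/root"; write_ext ca "$WORK/root/ca.ext"
  openssl genrsa -out "$WORK/root/root.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/root/root.key" -subj "/C=US/O=osaaf/CN=osaaf Root CA" -out "$WORK/root/root.csr"
  openssl x509 -req -in "$WORK/root/root.csr" -signkey "$WORK/root/root.key" -days 3650 -sha256 \
    -extfile "$WORK/root/ca.ext" -out "$WORK/root/root.crt" 2>/dev/null
}

# Intermediate CA number $1 (intermediate_1, intermediate_2, ...), signed by the Root.
make_intermediate() {
  d="$WORK/intermediate_$1"; mkdir -p "$d"; write_ext ca "$d/ca.ext"
  openssl genrsa -out "$d/intermediate.key" 2048 2>/dev/null
  openssl req -new -key "$d/intermediate.key" -subj "/C=US/O=osaaf/CN=osaaf Intermediate CA $1" -out "$d/intermediate.csr"
  openssl x509 -req -in "$d/intermediate.csr" -CA "$WORK/root/root.crt" -CAkey "$WORK/root/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$d/ca.ext" -out "$d/intermediate.crt" 2>/dev/null
}

# Identity cert for the FQI "$1@$DOMAIN", signed by intermediate $2 (never by the
# Root), plus the PKCS#12 bundle. Refuses identities that are not in identities.dat.
issue_identity_cert() {
  id="$1"; d="$WORK/intermediate_$2"; fqi="$id@$DOMAIN"
  has_identity "$id" || { echo "refusing: '$id' is not in $IDENTITIES" >&2; return 1; }
  write_ext leaf "$d/$id.ext"
  openssl genrsa -out "$d/$id.key" 2048 2>/dev/null
  openssl req -new -key "$d/$id.key" -subj "/C=US/O=osaaf/OU=$DOMAIN/CN=$fqi" -out "$d/$id.csr"
  openssl x509 -req -in "$d/$id.csr" -CA "$d/intermediate.crt" -CAkey "$d/intermediate.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$d/$id.ext" -out "$d/$id.crt" 2>/dev/null
  openssl pkcs12 -export -name "$fqi" -inkey "$d/$id.key" -in "$d/$id.crt" \
    -certfile "$d/intermediate.crt" -passout "pass:$P12_PASS" -out "$d/$id.p12"
}

# Chain check: leaf -> intermediate -> root, trusting only the Root cert.
verify_chain() {  # $1 = leaf cert, $2 = intermediate number
  openssl verify -CAfile "$WORK/root/root.crt" -untrusted "$WORK/intermediate_$2/intermediate.crt" "$1" >/dev/null
}

# Step 2 rule check: an identity cert's issuer must be an Intermediate, not the Root.
issued_by_intermediate() { openssl x509 -noout -issuer -in "$1" | grep -q 'Intermediate CA'; }

# Stand-alone usage: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
  make_root; make_intermediate 1; issue_identity_cert aaf 1
  verify_chain "$WORK/intermediate_1/aaf.crt" 1 && echo "chain OK: $WORK/intermediate_1/aaf.p12"
fi
```

The two checks at the end are the ones worth keeping around even if you use the project's scripts: verify_chain confirms that a freshly issued cert chains to the Root through the Intermediate you expect, and issued_by_intermediate catches a cert that was (wrongly) signed with the Root key directly.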



# create a Personal Cert (for use in Browsers, etc)

...