Introduction

This article shows how to create a root certificate and a derived certificate to sign a package and onboard it to SDC.

Create root certificate CA (Certificate Authority) and its private key

Run the following command to create the root certificate and its private key. This certificate represents the SDC Certificate Authority (CA).
The command prompts for certificate information; only the Common Name (CN) field matters, the rest can be left empty. Fill the CN with any non-blank value and do not reuse it in the child certificate created below. Note that -nodes writes the private key unencrypted, so restrict access to rootCA-private.key, and that without a -days option openssl issues the certificate with its default 30-day validity.

openssl req -new -nodes -x509 -keyout rootCA-private.key -out rootCA.cert

Create the package certificate issued by the CA

Create the package private key package-private.key and an associated Certificate Signing Request (CSR) package.csr; the package certificate will be issued from that request.

openssl req -new -nodes -keyout package-private.key -out package.csr

Now create the package certificate issued by the root certificate. The CSR command above prompts for certificate information in the same way as the root certificate command did: only the Common Name (CN) field matters, the rest can be left empty. Use any non-blank CN that differs from the root CA's CN. With only the CN set, an identical value makes the certificate's subject equal to its issuer, and the package signature validation then treats the certificate as self-signed and rejects it.

Using the CA/root certificate (-CA rootCA.cert), the root certificate private key (-CAkey rootCA-private.key) and the package CSR (-in package.csr), run the following command to generate the package certificate package.cert (-CAcreateserial creates the serial number file rootCA.srl on first use; without -days the certificate is issued with openssl's default 30-day validity):

openssl x509 -req -CA rootCA.cert -CAkey rootCA-private.key -CAcreateserial -in package.csr -out package.cert

Sign package with the package certificate and its private key

Choose one of the two options:

Option 1: the following command includes the signing certificate package.cert inside the resulting package.cms:

openssl cms -sign -signer package.cert -inkey package-private.key -outform PEM -binary -in package.csar -out package.cms

With this option you do not need to add the certificate as a separate file to the signed zip package.

Option 2: the following command does not include the signing certificate package.cert in the resulting package.cms. The only difference from Option 1 is the -nocerts option:

openssl cms -sign -signer package.cert -inkey package-private.key -outform PEM -binary -nocerts -in package.csar -out package.cms

With this option you must add the certificate package.cert as a separate file to the signed zip package.

Validate the CMS signature

To validate the generated package.cms, run the following command with the CA certificate rootCA.cert, the package certificate package.cert and the signed content package.csar. The -certfile option supplies the signer certificate and is required for Option 2; it is harmless for Option 1, where the certificate is already embedded in the CMS. Because the signature is detached and covers the file content, verification also fails if package.csar was modified after signing:

openssl cms -verify -inform PEM -binary -CAfile rootCA.cert -certfile package.cert -in package.cms -content package.csar
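The whole procedure above, from root CA to detached CMS verification, as one added shell script that is not part of the SDC article or project. It replaces the interactive prompts with -subj, sets explicit validity periods, signs a constructed stand-in for package.csar with both options, and then shows the two failure cases a practitioner should check for: an Option 2 signature verified without the signer certificate, and a package modified after signing. The file names, subject names, validity periods and package content are assumptions of this example; it needs openssl on PATH.

```shell
#!/bin/sh
# Added example (not the SDC article's or project's code): the signing
# procedure run non-interactively in a scratch directory, plus the checks
# a practitioner wants before handing a package to SDC. Subject names,
# validity periods and the sample package content are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Root CA and package certificate. -subj replaces the interactive prompts.
# The two CNs differ on purpose: with only the CN set, an identical value
# would make subject equal issuer, which the validation takes as self-signed.
# -days overrides openssl's 30-day default validity.
make_chain() {
  openssl req -new -nodes -x509 -days 3650 -subj "/CN=Example SDC Root CA" \
    -keyout "$WORK/rootCA-private.key" -out "$WORK/rootCA.cert" 2>/dev/null
  openssl req -new -nodes -subj "/CN=Example Package Signer" \
    -keyout "$WORK/package-private.key" -out "$WORK/package.csr" 2>/dev/null
  openssl x509 -req -days 365 -CA "$WORK/rootCA.cert" \
    -CAkey "$WORK/rootCA-private.key" -CAcreateserial \
    -in "$WORK/package.csr" -out "$WORK/package.cert" 2>/dev/null
  # Confirm the leaf chains to the root before using it to sign anything.
  openssl verify -CAfile "$WORK/rootCA.cert" "$WORK/package.cert" >/dev/null
}

# Constructed stand-in for the CSAR; any bytes will do for a detached signature.
make_package() {
  printf 'TOSCA-Meta-File-Version: 1.0\nCSAR-Version: 1.1\n' > "$WORK/package.csar"
}

# Option 1 (certificate embedded) or Option 2 (-nocerts) from the article.
# Writes package1.cms or package2.cms.
sign_package() {   # $1 = 1 or 2
  extra=""
  [ "$1" = 2 ] && extra="-nocerts"
  openssl cms -sign -signer "$WORK/package.cert" -inkey "$WORK/package-private.key" \
    -outform PEM -binary $extra -in "$WORK/package.csar" -out "$WORK/package$1.cms"
}

# Verify a detached CMS signature against the root CA. Returns 0 on success
# and 1 on failure so the outcome can be checked by a caller.
verify_package() {   # $1 = option number, $2 = extra openssl options (optional)
  if openssl cms -verify -inform PEM -binary -CAfile "$WORK/rootCA.cert" \
       ${2:-} -in "$WORK/package$1.cms" -content "$WORK/package.csar" \
       >/dev/null 2>&1; then
    echo "option $1: signature ok"; return 0
  else
    echo "option $1: signature FAIL"; return 1
  fi
}

run_demo() {
  make_chain; make_package
  sign_package 1; sign_package 2
  verify_package 1                                  # ok: cert is inside the CMS
  verify_package 2 "-certfile $WORK/package.cert"   # ok: cert supplied separately
  verify_package 2 || true                          # FAIL: no signer cert available
  printf 'tampered\n' >> "$WORK/package.csar"
  verify_package 1 || true                          # FAIL: content changed after signing
}

run_demo
```

Run it with sh; it works in a temporary directory (override with WORK=/some/dir) and leaves the generated files there, so the utility commands at the end of this article can be used to inspect them.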

Copy root certificate to the SDC certificate folder

SDC currently reads its trusted certificates from the /data/onap/cert folder. Copy the created rootCA.cert to that folder:

cp rootCA.cert /data/onap/cert/rootCA.cert

This can be done at runtime, as SDC reads that folder every time it validates a package.

Be aware that SDC currently only compares the number of certificates in /data/onap/cert to decide whether to reload the certificates held in memory. If the count is unchanged, the in-memory list is not updated, so replacing a certificate file in place changes nothing at runtime.

Upload your signed package

Test the certificates by onboarding the signed package to create an SDC VSP (Vendor Software Product).

Utility functions

Print certificate information

openssl x509 -text -noout -in rootCA.cert

Print cryptographic message syntax information

openssl cms -cmsout -print -inform pem -in package.cms

Extract public key from certificate

openssl x509 -in certificate.cert -pubkey -noout -out public.key

Verify that a certificate was issued by a Certificate Authority (root certificate)

openssl verify -verbose -CAfile rootCA.cert package.cert