Bug 808964

Summary: Adding a concrete example of creating self-signed CA cert with openssl.
Product: Red Hat Update Infrastructure for Cloud Providers
Reporter: Etsuji Nakai <enakai>
Component: Documentation
Assignee: Lana Brindley <lbrindle>
Status: CLOSED WONTFIX
QA Contact: wes hayutin <whayutin>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 2.1
CC: cmorgan, jslagle, kbidarka, mhideo, sghai, tsanders
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-05-11 14:07:22 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 817736
Bug Blocks:

Description Etsuji Nakai 2012-04-02 03:32:42 UTC
Description of problem:

The current installation guide (Revision 2-16) mentions that a self-signed CA certificate could be created with genkey.

----
Acquire a root certificate and private key. You can purchase one from a certificate authority (CA), or you can generate your own using a tool like genkey, which can be found in the crypto-utils package in Red Hat Enterprise Linux.
----

It'd be better to describe concrete steps to do that. And, instead of genkey, using the openssl command would be better because SSL keys are generated with the openssl command in the following steps.

Here's a concrete example of creating self-signed CA cert with openssl.

-----------
How to generate a self-signed CA cert and private key in:
/etc/pki/CA/certs/rhui-ca.crt
/etc/pki/CA/private/rhui-ca-key.pem

# cat <<EOF > ssl.conf
[ req ]
prompt = no
distinguished_name = dn
[dn]
CN=RHUI2.0 Self Cert CA
ST=California
C=US
EOF
# openssl req -batch -config ssl.conf -x509 -days 3650 -nodes -newkey rsa:2048 -keyout /etc/pki/CA/private/rhui-ca-key.pem -out /etc/pki/CA/certs/rhui-ca.crt
# echo 10 > /etc/pki/CA/certs/rhui-ca.srl

Note: The [dn] entry and -days option (as an expiration term) should be appropriately customized.
-----------

Comment 2 wes hayutin 2012-04-02 21:57:07 UTC
This is how QE does it... 

export rhua=<rhua-internal-FQDN>
export cds1=<cds01-internal-FQDN>
export cds2=<cds02-internal-FQDN>

mkdir -p /root/pem

pushd /root/pem

echo 10 > ca.srl
openssl req  -new -x509 -extensions v3_ca -keyout ca.key -subj "/C=US/ST=NC/L=Raleigh/CN=$rhua CA" -out ca.crt -days 365

openssl genrsa -out server.key 2048

for server in $rhua $cds1 $cds2 ; do
  echo -ne "\n\n\n## $server\n=="
  openssl req -new -key server.key -subj "/C=US/ST=NC/L=Raleigh/CN=$server" -out $server.csr || break
  openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -in $server.csr -out $server.crt || break
done

Comment 3 James Slagle 2012-05-10 17:43:14 UTC
FWIW, I think this is a WONTFIX.  I don't think we need or should tell people how to do this.  Everyone is going to do it a little differently (as we've already seen).  I think this is cursory information, we don't need to provide the exact steps.  Kind of like we don't tell people what LVM commands to run to set up partitions, etc.

I think it would be sufficient to say something like "go read openssl docs if you want to know how to do this". Again, assuming they even want to use openssl to do it.

Comment 4 Etsuji Nakai 2012-05-10 23:10:00 UTC
I agree it's up to the documentation team whether the exact/concrete steps should be included. However, from the current description, it's hard to understand, at first glance, that I have to prepare SSL key/cert file pairs for each of RHUA and CDS's corresponding to "rhua.key/rhua.crt" and "cds1.key/cds1.crt" in "3.2. Answers File".

I think it should be stated that the generic "server.key/server.crt" in "Procedure 3.1. Configuring SSL Certificates" correspond to "rhua.key/rhua.crt" and "cds1.key/cds1.crt" in "3.2. Answers File".

* Procedure 3.1. Configuring SSL Certificates
http://docs.redhat.com/docs/en-US/Red_Hat_Update_Infrastructure/2.0/html/Installation_Guide/chap-Installation_Guide-RHUI_Installer.html#sect-Installation_Guide-RHUI_Installer-Setting_up_SSL

* 3.2. Answers File
http://docs.redhat.com/docs/en-US/Red_Hat_Update_Infrastructure/2.0/html/Installation_Guide/sect-Installation_Guide-RHUI_Installer-Answers_File.html

Comment 5 Chris Morgan 2012-05-11 14:07:22 UTC
This is handled in the services deployment guide.