Samatnys
I hear your confusion and was in the same boat.
There are two ways you can generate SSL certificates for DSA.
OPTION-1: Using DXCERTGEN.
Using this method you'll end up with one private key / public certificate per DSA.
OPTION-2: Using an external third-party tool like OpenSSL.
Using this method you'll end up with one private key / public certificate which will be shared by all DSAs.
I prefer OPTION-2 as this is more manageable when it comes to deployment and renewals.
DSA Certificates - CA Directory - 14.0 - CA Technologies Documentation

Sharing Certificates Between DSAs
When using third party certificate authorities, refreshing certificates for a large number of DSAs becomes a tedious task. This operation is tedious because each DSA personality requires that the subject DN match the dsa-name field for each DSA, thus requiring a unique certificate signing request (CSR) for each DSA. The subject DN is used when determining the DSA name during mutual authentication when creating an ssl-auth authenticated DSP link. The set ssl command supports an option to allow for the use of a single personality certificate to be shared by all DSAs.

    set ssl = {
        # generic DSA personality certificate
        cert-file = "config/ssld/personalities/generic.pem"
        # trusted root CA that signed DSA certificates
        ca-file = "config/ssld/trusted.pem"
        cipher = "ALL:!ADH:!DES:!EXPORT40:!MEDIUM:!RC4:!LOW:+SSLv2:@STRENGTH"
        protocol = tls
    };

The command changes mutual authentication by taking the DSA name from the external procedure presented during authenticate rather than from the certificate subject DN. The rest of authentication remains the same (certificate verification, inbound IP verification).
Steps for OPTION-2:
- Generate a private key (priv.key) and CSR (cert.csr) using OpenSSL.
- Send the CSR to the Certification Authority for signature.
- Retrieve the public (signed) certificate (cert.pem) from the Certification Authority.
- Retrieve the root certificate (root.pem) from the Certification Authority.
- Put priv.key, cert.pem and root.pem in a single folder (anywhere the DSA OS user can access) on the host where your DSA is running.
- Now a very important step (UNDOCUMENTED).
- Your cert / key has to be in PEM format, i.e. BEGIN CERTIFICATE and END CERTIFICATE / BEGIN PRIVATE KEY and END PRIVATE KEY tags.
- We have to merge the KEY and CERT into one single file.
- e.g. "cat priv.key >> cert.pem". This command will append BEGIN PRIVATE KEY and END PRIVATE KEY to the end of cert.pem. Now you'll have both cert and key in one file.
- Now go to $DXHOME/config/ssld
- Make a copy of default.dxc as "sstore.dxc"
- Create the entries as per the table below.
- Modify the server initialization file $DXHOME/config/server/server.dxi
- Change the SSL section to source "../ssld/sstore.dxc".
- Modify the knowledge file $DXHOME/config/knowledge and add "link-flags = ssl-encryption".
- Restart your DSA.
- Repeat the steps on all DSAs.
$DXHOME/config/ssld/sstore.dxc

    set ssl = {
        # generic DSA personality certificate
        cert-file = "<PATH to Cert Dir where we dropped all files>/cert.pem"
        # trusted root CA that signed DSA certificates
        ca-file = "<PATH to Cert Dir where we dropped all files>/root.pem"
        # cipher = "ALL:!ADH:!DES:!EXPORT40:!MEDIUM:!RC4:!LOW:+SSLv2:@STRENGTH"
        # protocol = tls
        # fips = false
    };

Additional Reference Links to consider in your overall design :
set force-encrypt-auth Command -- Force Users to Use SSL on Authenticated Binds - CA Directory - 14.0 - CA Technologies …
set force-encrypt-anon Command -- Force Users to Use SSL on Anonymous Binds - CA Directory - 14.0 - CA Technologies Docu…
Set Up Encryption - CA Directory - 14.0 - CA Technologies Documentation
set dsa Command -- Define the Knowledge Settings of a DSA - CA Directory - 14.0 - CA Technologies Documentation