RH-SSO / RHSSO-2312
Shared command to sign CSR does not work in RH-SSO Openshift documentation

      1. Generate a CA certificate. Pick and remember the password. Provide the identical password when signing the certificate sign request with the CA certificate below:

      $ openssl req -new -newkey rsa:4096 -x509 -keyout xpaas.key -out xpaas.crt -days 365 -subj "/CN=xpaas-sso-demo.ca"

      2. Generate a private key for the HTTPS keystore. Provide mykeystorepass as the keystore password:

      $ keytool -genkeypair -keyalg RSA -keysize 2048 -dname "CN=secure-sso-sso-app-demo.openshift.example.com" -alias jboss -keystore keystore.jks

      3. Generate a certificate sign request for the HTTPS keystore. Provide mykeystorepass as the keystore password:

      $ keytool -certreq -keyalg rsa -alias jboss -keystore keystore.jks -file sso.csr

      4. Sign the certificate sign request with the CA certificate. Provide the same password that was used to generate the CA certificate:

      $ openssl x509 -req <(printf "subjectAltName=DNS:secure-sso-sso-app-demo.openshift.example.com") -CA xpaas.crt -CAkey xpaas.key -in sso.csr -out sso.crt -days 365 -CAcreateserial


      In the Red Hat Single Sign-On for OpenShift documentation, there is a section for creating keystores. These keystores are required to initialize the sso76-https template of RH-SSO.

       

      Under section "3.1.2. Creating HTTPS and JGroups Keystores, and Truststore for the Red Hat Single Sign-On Server", the wrong openssl command is shared in Step 4 of the "Create the HTTPS keystore:" section.

       

      Current step 4 is as follows:

      Sign the certificate sign request with the CA certificate. Provide the same password that was used to generate the CA certificate:

      $ openssl x509 -req <(printf "subjectAltName=DNS:secure-sso-sso-app-demo.openshift.example.com") -CA xpaas.crt -CAkey xpaas.key -in sso.csr -out sso.crt -days 365 -CAcreateserial

       

       

      While executing the above command, the following error is observed:

      x509: Unknown parameter /dev/fd/63

       

      Instead the command should be as follows:

      $ openssl x509 -req -extfile <(printf "subjectAltName=DNS:secure-sso-sso-app-demo.openshift.example.com") -CA xpaas.crt -CAkey xpaas.key -in sso.csr -out sso.crt -days 365 -CAcreateserial
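The documented flow end to end, with the corrected step 4 and the checks worth running on the result, as an added example written for this page (it is not a script from the RH-SSO documentation or the product). Assumptions: the CA passphrase, the work directory and the small openssl config file are made up here; steps 2 and 3 use openssl instead of keytool so that the script depends on openssl alone; and the extension file carries basicConstraints and extendedKeyUsage in addition to the documented subjectAltName. It also runs the documented (broken) form of step 4 to show that it is rejected.

```shell
#!/usr/bin/env bash
# Added example (not from the RH-SSO docs): CA -> CSR -> signed certificate with
# the corrected step 4, plus the checks a reviewer would run on the result.
# Assumed values: the demo passphrase, the work directory and the openssl config.
set -eu

CA_PASS="${CA_PASS:-xpaas-ca-demo-pass}"      # assumed demo passphrase
SSO_HOST="secure-sso-sso-app-demo.openshift.example.com"
WORK="${WORK:-$(mktemp -d)}"                  # keys, CSR and certs land here

# Minimal openssl config (assumed, not from the docs) so the CA certificate gets
# CA:TRUE and keyCertSign whatever the system openssl.cnf says; without them
# 'openssl verify' rejects the CA.
write_config() {
  cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = req_dn
x509_extensions    = v3_ca
prompt             = no
[req_dn]
[v3_ca]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# Step 1: CA key and self-signed certificate. -passout/-passin replace the
# interactive password prompts of the documented command.
make_ca() {
  openssl req -new -newkey rsa:4096 -x509 -days 365 \
    -config "$WORK/openssl.cnf" -extensions v3_ca \
    -subj "/CN=xpaas-sso-demo.ca" -passout "pass:$CA_PASS" \
    -keyout "$WORK/xpaas.key" -out "$WORK/xpaas.crt" 2>/dev/null
}

# Steps 2-3: server key and CSR. The docs use keytool; openssl is used here so
# the example needs nothing but openssl. The keystore import is not reproduced.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/openssl.cnf" \
    -subj "/CN=$SSO_HOST" \
    -keyout "$WORK/sso.key" -out "$WORK/sso.csr" 2>/dev/null
}

# Extension file for step 4. The docs pass only subjectAltName; CA:FALSE and
# serverAuth are added as the usual hardening for a leaf certificate. A regular
# file is used instead of <(printf ...) so the script also runs under plain sh,
# which has no process substitution.
write_extensions() {
  {
    printf 'subjectAltName=DNS:%s\n' "$SSO_HOST"
    printf 'basicConstraints=CA:FALSE\n'
    printf 'extendedKeyUsage=serverAuth\n'
  } > "$WORK/san.ext"
}

# Step 4 as documented (broken): the extension source is a bare positional
# argument, which openssl x509 rejects, so no certificate is produced.
sign_csr_broken() {
  openssl x509 -req "$WORK/san.ext" \
    -CA "$WORK/xpaas.crt" -CAkey "$WORK/xpaas.key" -passin "pass:$CA_PASS" \
    -in "$WORK/sso.csr" -out "$WORK/sso-broken.crt" -days 365 -CAcreateserial 2>/dev/null
}

# Step 4 corrected: the extension file is named with -extfile.
sign_csr() {
  openssl x509 -req -extfile "$WORK/san.ext" \
    -CA "$WORK/xpaas.crt" -CAkey "$WORK/xpaas.key" -passin "pass:$CA_PASS" \
    -in "$WORK/sso.csr" -out "$WORK/sso.crt" -days 365 -CAcreateserial 2>/dev/null
}

# Checks: the leaf chains to the CA, and the SAN really is in the certificate
# (clients match the hostname against SAN, not CN, so a missing SAN breaks TLS).
verify_cert() {
  openssl verify -CAfile "$WORK/xpaas.crt" "$WORK/sso.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$WORK/sso.crt" -noout -text | grep -q "DNS:$SSO_HOST"
}

# Returns 0 when the documented command fails the way the report describes.
broken_step_fails() {
  if sign_csr_broken; then return 1; fi
  [ ! -s "$WORK/sso-broken.crt" ]
}

run_all() {
  write_config
  make_ca
  make_csr
  write_extensions
  sign_csr
  verify_cert
  broken_step_fails
  echo "signed certificate with SAN written to $WORK/sso.crt"
}

run_all
```

The temp file stands in for `<(printf ...)` because process substitution is a bash/zsh feature: under /bin/sh the corrected `-extfile <(...)` form fails with a syntax error before openssl even runs, so a file is the portable way to hand the SAN to `-extfile`. The two check functions are the part worth keeping in a pipeline: a certificate that chains but lacks the SAN is exactly the failure mode a missing `-extfile` would produce if openssl did not reject the positional argument.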

       

       

              amunro@redhat.com Andrew Munro
              rhn-support-rissingh Rishabh Singh