Contrail CA Server
Component description
Installation
Prerequisites
- Apache Tomcat 6 or 7
Downloading and Extracting
Download and extract the contrail-ca-server.tar.gz package, then deploy the ca.war webapp to the Tomcat server.
Package structure:
* create-rootca-files.conf
* tomcat-connector-fragment.xml
/usr/bin/
* add-trusted-ca
* create-rootca-files
/usr/share/contrail/ca-server/
* LICENSE.txt
* README.txt
/var/lib/tomcat6/webapps/
* ca.war
Creating Contrail CA Root Certificate
Set up a local CA directory for OpenSSL (the index and serial files are required by `openssl ca`):
mkdir -p contrailCA
touch contrailCA/index.txt
echo '01' > contrailCA/serial
Create the self-signed root certificate for the Contrail CA (using the CA private key ca.key):
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
Import the CA certificate into the truststore cacerts.jks:
Copy truststore cacerts.jks into Tomcat conf directory ($CATALINA_BASE/conf/).
Copy the Contrail CA root certificate (ca.crt) and private key (ca.key) to the default location for contrail-ca-server:
/var/lib/contrail/ca-server/rootca-key.pem
Creating Server Certificate
Create the server certificate for the Tomcat server on which the ca-server webapp will be deployed (the CSR is signed by the Contrail CA created above):
openssl req -new -key server.key -out server.csr
openssl ca -keyfile ca.key -cert ca.crt -out server.crt -infiles server.csr
Export the server key and certificate together with the CA chain to PKCS#12, then import it into the keystore server.jks:
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name server \
    -CAfile ca.crt -chain
keytool -importkeystore -deststorepass contrail -destkeypass contrail -destkeystore server.jks \
    -srckeystore server.p12 -srcstoretype PKCS12 -alias server
You can list the certificates in the keystore with the following command:
Copy keystore server.jks into Tomcat conf directory ($CATALINA_BASE/conf/).
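The CA and server-certificate steps above, as an added example that is not part of the contrail-ca-server package: it runs them end to end in a scratch directory and checks the chain and the PKCS#12 contents before anything is copied into Tomcat. It assumes openssl is in PATH; the paths, subject names and the "contrail" password are constructed for the demo.

```shell
# Added example, not part of contrail-ca-server: the README's CA steps run in a
# scratch directory and verified. Assumes openssl in PATH; paths, subject names
# and the "contrail" password are constructed for this demo.
set -eu
CA_ROOT=${CA_ROOT:-$(mktemp -d)}
CA_DIR="$CA_ROOT/contrailCA"
# Minimal openssl.cnf: `openssl ca` needs a [ca] section pointing at index.txt and serial.
write_ca_config() {
  cat > "$CA_ROOT/openssl.cnf" <<EOF
[ ca ]
default_ca = contrail_ca
[ contrail_ca ]
database = $CA_DIR/index.txt
serial = $CA_DIR/serial
new_certs_dir = $CA_DIR/newcerts
default_md = sha256
default_days = 365
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
}
make_root_ca() {   # README: index.txt, serial, then openssl req -new -x509
  mkdir -p "$CA_DIR/newcerts" && touch "$CA_DIR/index.txt" && echo '01' > "$CA_DIR/serial"
  openssl genrsa -out "$CA_ROOT/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -config "$CA_ROOT/openssl.cnf" \
    -subj "/CN=Contrail Test Root CA" -key "$CA_ROOT/ca.key" -out "$CA_ROOT/ca.crt"
}
issue_server_cert() {   # README: openssl req -new, then openssl ca -keyfile -cert
  openssl genrsa -out "$CA_ROOT/server.key" 2048 2>/dev/null
  openssl req -new -config "$CA_ROOT/openssl.cnf" -subj "/CN=ca-server.test" \
    -key "$CA_ROOT/server.key" -out "$CA_ROOT/server.csr"
  openssl ca -batch -config "$CA_ROOT/openssl.cnf" -keyfile "$CA_ROOT/ca.key" \
    -cert "$CA_ROOT/ca.crt" -in "$CA_ROOT/server.csr" -out "$CA_ROOT/server.crt" >/dev/null 2>&1
}
# Exit status 0 only if server.crt chains to ca.crt; check this before the keytool import.
verify_chain() { openssl verify -CAfile "$CA_ROOT/ca.crt" "$CA_ROOT/server.crt" >/dev/null; }
# Export with -chain as the README does, then count certificates inside the PKCS#12:
# 2 means the CA certificate travels with the server certificate into server.jks.
count_p12_certs() {
  openssl pkcs12 -export -in "$CA_ROOT/server.crt" -inkey "$CA_ROOT/server.key" \
    -CAfile "$CA_ROOT/ca.crt" -chain -name server -passout pass:contrail -out "$CA_ROOT/server.p12"
  openssl pkcs12 -in "$CA_ROOT/server.p12" -passin pass:contrail -nokeys | grep -c 'BEGIN CERTIFICATE'
}
```

Run `write_ca_config; make_root_ca; issue_server_cert; verify_chain && count_p12_certs` to reproduce the README's flow; a count other than 2 means the CA certificate was not included in the export.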
Tomcat configuration
Configure the SSL connector in the $CATALINA_BASE/conf/server.xml file, where $CATALINA_BASE is the base directory of the Tomcat instance (the same fragment ships as tomcat-connector-fragment.xml):
<!-- port 8443 is the HTTPS port used in the Tomcat documentation; adjust to your deployment -->
<Connector port="8443" protocol="HTTP/1.1"
           SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="${catalina.base}/conf/server.jks"
           keystorePass="*********"
           truststoreFile="${catalina.base}/conf/cacerts.jks"
           truststorePass="*********" />
The <<clientAuth>> attribute is set to true so that Tomcat requires a valid certificate
chain from the client before accepting a connection; clients without a certificate
issued by the Contrail CA are rejected at the TLS handshake. The <<keystoreFile>> attribute
gives the path of the keystore file holding the server certificate and private key.
If the keystore contains more than one certificate, set <<keyAlias>> to select the one
the connector should use. The <<truststoreFile>> attribute specifies the truststore
containing the CA certificate chain used to validate client certificates, so only
CAs present in cacerts.jks are trusted to issue client identities.