Contrail CA Server


Component description

Installation

Prerequisites

  • Apache Tomcat 6 or 7

Downloading and Extracting

Download and extract the contrail-ca-server.tar.gz package, then deploy the ca.war webapp to the Tomcat server.

Package structure:

/etc/contrail/ca-server/
    * create-rootca-files.conf
    * tomcat-connector-fragment.xml
/usr/bin/
    * add-trusted-ca
    * create-rootca-files
/usr/share/contrail/ca-server/
    * LICENSE.txt
    * README.txt
/var/lib/tomcat6/webapps/
    * ca.war

Creating Contrail CA Root Certificate

Set up a local CA directory for OpenSSL. The openssl ca command used below to sign the server certificate reads this layout (dir, database, serial, new_certs_dir) from the [ca] section of its configuration file, whose default directory is ./demoCA, so either point that section at contrailCA or pass a matching file with -config:

mkdir -p contrailCA/newcerts
touch contrailCA/index.txt
echo '01' > contrailCA/serial

Create a self-signed root certificate for the Contrail CA. Use a 4096-bit key (or at least 2048 bits); 1024-bit RSA keys are no longer considered adequate for a CA that will be trusted for ten years:

openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

Import the CA certificate into the truststore cacerts.jks (keytool creates the file if it does not exist):

keytool -import -keystore cacerts.jks -storepass contrail -alias contrail-ca -file ca.crt

Copy truststore cacerts.jks into Tomcat conf directory ($CATALINA_BASE/conf/).

Copy the Contrail CA root certificate (ca.crt) and private key (ca.key) to the default locations for contrail-ca-server. The key file must be readable only by the user Tomcat runs as, since whoever can read it can issue certificates that every client in this deployment trusts:

/var/lib/contrail/ca-server/rootca-cert.pem
/var/lib/contrail/ca-server/rootca-key.pem

Creating Server Certificate

Create a server certificate for the Tomcat server on which the ca-server webapp will be deployed. The subject CN (or, preferably, a subjectAltName) must match the hostname clients use to reach the server:

openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl ca -keyfile ca.key -cert ca.crt -out server.crt -infiles server.csr

Import the server certificate and its private key into the keystore server.jks. The PKCS#12 export prompts for an export password, which keytool then asks for as the source keystore password; -chain together with -CAfile ca.crt puts the CA certificate into the bundle alongside the server certificate:

openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name server \
   -CAfile ca.crt -chain
keytool -importkeystore -deststorepass contrail -destkeypass contrail -destkeystore \
   server.jks -srckeystore server.p12 -srcstoretype PKCS12 -alias server

You can list the entries in the keystore (the server key entry and its certificate chain) with the following command:

keytool -list -v -keystore server.jks

Copy keystore server.jks into Tomcat conf directory ($CATALINA_BASE/conf/).

Tomcat configuration

Configure the SSL connector in the $CATALINA_BASE/conf/server.xml file, where $CATALINA_BASE represents the base directory for the Tomcat instance:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
  SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
  clientAuth="true" sslProtocol="TLS"
  keystoreFile="${catalina.base}/conf/server.jks"
  keystorePass="*********"
  truststoreFile="${catalina.base}/conf/cacerts.jks"
  truststorePass="*********" />

The <<clientAuth>> attribute is set to true so that Tomcat requires a valid certificate
chain from the client before accepting a connection; a client whose certificate does
not chain to a CA in the truststore is rejected during the TLS handshake. The
<<keystoreFile>> attribute contains the pathname of the keystore file where the server
certificate is stored. If the keystore contains more than one key entry, the
<<keyAlias>> attribute should be set to the alias of the entry to use (server in the
example above). The <<truststoreFile>> attribute specifies the truststore file
containing the CA certificate chain used to validate client certificates. The
<<keystorePass>> and <<truststorePass>> values must be the passwords given to keytool
(contrail in the examples above); because they are stored in clear text, server.xml
should be readable only by the Tomcat user.
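The following script is an added example and is not part of the contrail-ca-server package. It reproduces the root CA and server certificate procedure above in a scratch directory with an explicit OpenSSL configuration (so that openssl ca does not fall back to ./demoCA), also issues a client certificate from the same root, and then applies the trust-anchor check that a connector with clientAuth="true" and truststoreFile=cacerts.jks performs: certificates issued by the Contrail root are accepted, a certificate from any other issuer is rejected. The file names, function names, subject names and the DNS name ca-server.example.test are assumptions made for this example; the JKS steps run only when a JDK's keytool is on PATH.

```shell
#!/bin/sh
# Added example, not part of contrail-ca-server: CA and server certificate
# procedure with an explicit OpenSSL config, plus a client certificate and the
# trust check a clientAuth="true" connector makes against cacerts.jks.
# File names, function names and subject names are assumptions for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory; override with WORK=/path

# Minimal openssl.cnf: [ca] points `openssl ca` at contrailCA instead of the
# default ./demoCA; extension sections keep root, server and client distinct.
write_config() {
  cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca = contrail_ca
[ contrail_ca ]
dir              = $WORK/contrailCA
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
certificate      = $WORK/ca.crt
private_key      = $WORK/ca.key
default_md       = sha256
default_days     = 825
policy           = policy_any
[ policy_any ]
commonName       = supplied
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:ca-server.example.test
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Root CA with the directory layout from the page and a 4096-bit key.
build_ca() {
  mkdir -p "$WORK/contrailCA/newcerts"
  : > "$WORK/contrailCA/index.txt"
  echo '01' > "$WORK/contrailCA/serial"
  openssl genrsa -out "$WORK/ca.key" 4096 2>/dev/null
  openssl req -new -x509 -days 3650 -config "$WORK/ca.cnf" -extensions v3_ca \
    -key "$WORK/ca.key" -subj "/O=Contrail/CN=Contrail Root CA" -out "$WORK/ca.crt"
}

# Leaf certificate signed by the root. $1 = file prefix, $2 = extension section, $3 = subject.
issue_cert() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -config "$WORK/ca.cnf" -key "$WORK/$1.key" -subj "$3" -out "$WORK/$1.csr"
  openssl ca -batch -notext -config "$WORK/ca.cnf" -extensions "$2" \
    -in "$WORK/$1.csr" -out "$WORK/$1.crt" 2>/dev/null
}

# Trust-anchor check equivalent to truststoreFile=cacerts.jks: succeeds only
# if the certificate chains to the Contrail root, ignoring the system CA store.
verify_against_root() {
  openssl verify -no-CAfile -no-CApath -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# PKCS#12 bundle for Tomcat (legacy PBE so older keytool versions can read it);
# the JKS steps run only if a JDK's keytool is on PATH.
build_keystores() {
  openssl pkcs12 -export -in "$WORK/server.crt" -inkey "$WORK/server.key" \
    -certfile "$WORK/ca.crt" -name server -passout pass:contrail \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 -out "$WORK/server.p12"
  if command -v keytool >/dev/null 2>&1; then
    keytool -importkeystore -noprompt -srckeystore "$WORK/server.p12" -srcstoretype PKCS12 \
      -srcstorepass contrail -srcalias server -destkeystore "$WORK/server.jks" \
      -deststorepass contrail -destkeypass contrail -destalias server
    keytool -importcert -noprompt -keystore "$WORK/cacerts.jks" -storepass contrail \
      -alias contrail-ca -file "$WORK/ca.crt"
  fi
}

write_config
build_ca
issue_cert server v3_server "/CN=ca-server.example.test"
issue_cert client v3_client "/CN=contrail-client-1"
# A self-signed client certificate stands in for one issued by some other CA.
openssl req -new -x509 -days 30 -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
  -keyout "$WORK/rogue.key" -subj "/CN=rogue-client" -out "$WORK/rogue.crt" 2>/dev/null
build_keystores
for f in server client rogue; do
  if verify_against_root "$WORK/$f.crt"; then echo "$f.crt: accepted"; else echo "$f.crt: rejected"; fi
done
echo "artifacts in $WORK"
```

The script keeps the page's index.txt/serial layout but passes -config explicitly, which is the step most often missing when openssl ca fails with "demoCA: No such file or directory". The rejected rogue.crt is the case clientAuth="true" exists for: Tomcat accepts a client only when its certificate chains to the Contrail root in cacerts.jks, and nothing in the system CA store changes that decision.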