Generating a Signed Certificate - Teradata AppCenter 1.10

Teradata® AppCenter Customer Installation and Upgrade Guide for vSphere

Product: Teradata AppCenter
Release Number: 1.10
Published: June 2020
Language: English (United States)
Last Update: 2020-07-02
Generating a signed certificate involves creating a certificate signing request (CSR).
  1. Create a san.cnf CSR config file:
    [ req ]
    default_bits       = 2048
    distinguished_name = req_distinguished_name
    req_extensions     = req_ext
    [ req_distinguished_name ]
    countryName                = Country Name (2 letter code)
    stateOrProvinceName        = State or Province Name (full name)
    localityName               = Locality Name (eg, city)
    organizationName           = Organization Name (eg, company)
    commonName                 = Common Name (e.g. server FQDN or YOUR name)
    [ req_ext ]
    subjectAltName = @alt_names
    [alt_names]
    DNS.1   = appcenter.example.com
    DNS.2   = *.appcenter.example.com
    Make sure the value of DNS.1 is the same as APPCTL_DOMAIN. The value of DNS.2 should be *.APPCTL_DOMAIN.
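  2. From your client machine, generate the private key (server.key) and the CSR (server.csr). The -nodes option writes server.key unencrypted, so keep the file protected: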
    $ openssl req -out server.csr -newkey rsa:2048 -nodes -keyout server.key -config san.cnf
  3. Enter the following CSR details when prompted:
    CSR Detail              Description
    Common Name             Fully qualified domain name (FQDN) you want to secure with the certificate. For example: appcenter.example.com.
    Organization            Full legal name of your organization, including the corporate identifier.
    Organization Unit (OU)  Your department. For example: Information Technology or Website Security.
    City or Locality        Locality or city where your organization is legally incorporated. Do not abbreviate.
    Country                 Official two-letter country code where your organization is legally incorporated. For example: US or CH.
    State or Province       State or province where your organization is legally incorporated. Do not abbreviate.

    For example:

    $ openssl req -out server.csr -newkey rsa:2048 -nodes -keyout server.key -config san.cnf
    Generating a 2048 bit RSA private key
    ......................+++
    ...............................+++
    writing new private key to 'server.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) []:AA
    State or Province Name (full name) []:BB
    Locality Name (eg, city) []:CC
    Organization Name (eg, company) []:Example
    Common Name (e.g. server FQDN or YOUR name) []:appcenter.example.com

    You are not required to enter a password or passphrase. This optional field is for applying additional security to your key pair.
  4. Provide the server.csr to the certificate authority to get a signed certificate. Make sure that you also get the root and intermediate certificates from the certificate authority. The certificate file must contain the certificates in the following order:
    -----BEGIN MY CERTIFICATE-----
    -----END MY CERTIFICATE-----
    -----BEGIN INTERMEDIATE CERTIFICATE-----
    -----END INTERMEDIATE CERTIFICATE-----
    -----BEGIN ROOT CERTIFICATE-----
    -----END ROOT CERTIFICATE-----
  5. Rename the certificate received from the certificate authority to tls.crt.
  6. Rename the server.key generated previously to tls.key.
  7. Make sure the certificate and key files have the right permissions:
    $ chmod 400 tls.key
    $ chmod 400 tls.crt

  8. Place tls.crt and tls.key in the APPCTL_HOME directory:
    $ cp tls.crt "$APPCTL_HOME"
    $ cp tls.key "$APPCTL_HOME"
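
To check the result of steps 4 to 7 before copying the files, the following added example (not part of the Teradata guide) confirms that tls.key matches the first certificate in tls.crt, that tls.crt is ordered server certificate, intermediate, root, and that both SAN entries from san.cnf are present. The function names are hypothetical, and it assumes the bundle uses the standard -----BEGIN CERTIFICATE----- PEM markers rather than the descriptive labels shown in step 4.

```shell
#!/bin/sh
# Added example (not Teradata code): checks on tls.crt / tls.key before step 8.
# Function names are hypothetical; only standard openssl subcommands are used.
# Usage: . ./check_tls.sh && check_tls_bundle tls.crt tls.key "$APPCTL_DOMAIN"

# same_keypair CERT KEY: KEY is the private key of the first cert in CERT.
same_keypair() (
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || exit 1
  [ -n "$c" ] && [ "$c" = "$k" ]
)

# chain_in_order BUNDLE: every certificate is issued by the one after it
# (server certificate, intermediate, root) and the last one is self-issued.
chain_in_order() (
  dir=$(mktemp -d) || exit 1
  trap 'rm -rf "$dir"' EXIT
  # Split the bundle into one file per certificate: 001.pem, 002.pem, ...
  awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/%03d.pem", d, ++n) }
                   f { print > f }' "$1"
  prev_issuer=""
  for f in "$dir"/*.pem; do
    [ -e "$f" ] || exit 1   # no certificate found in the bundle
    subj=$(openssl x509 -in "$f" -noout -subject_hash 2>/dev/null) || exit 1
    [ -z "$prev_issuer" ] || [ "$prev_issuer" = "$subj" ] || exit 1
    prev_issuer=$(openssl x509 -in "$f" -noout -issuer_hash 2>/dev/null) || exit 1
  done
  [ "$prev_issuer" = "$subj" ]
)

# has_san CERT NAME: NAME is a DNS subjectAltName of the first cert in CERT.
has_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qxF "DNS:$2"
}

# check_tls_bundle CERT KEY DOMAIN: run all checks and report each failure.
check_tls_bundle() (
  rc=0
  same_keypair "$1" "$2" || { echo "FAIL: $2 does not match the first certificate" >&2; rc=1; }
  chain_in_order "$1" || { echo "FAIL: $1 is not ordered server, intermediate, root" >&2; rc=1; }
  for name in "$3" "*.$3"; do
    has_san "$1" "$name" || { echo "FAIL: SAN is missing DNS:$name" >&2; rc=1; }
  done
  exit "$rc"
)
```

The order check compares issuer and subject names only; it does not verify signatures or trust.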