Posted to commits@trafficcontrol.apache.org by ne...@apache.org on 2017/04/19 21:41:23 UTC
[2/3] incubator-trafficcontrol git commit: Added manual procedure for
generating dev and prod certs in traffic ops install wiki.
Added manual procedure for generating dev and prod certs in traffic ops install wiki.
Project: http://git-wip-us.apache.org/repos/asf/incubator-trafficcontrol/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-trafficcontrol/commit/16fa0ea8
Tree: http://git-wip-us.apache.org/repos/asf/incubator-trafficcontrol/tree/16fa0ea8
Diff: http://git-wip-us.apache.org/repos/asf/incubator-trafficcontrol/diff/16fa0ea8
Branch: refs/heads/master
Commit: 16fa0ea8835adabd64a9fe4e378762bee86af35b
Parents: 6760d23
Author: Robert Scrimo <ro...@comcast.com>
Authored: Mon Mar 27 16:28:08 2017 -0600
Committer: David Neuman <da...@gmail.com>
Committed: Wed Apr 19 15:40:56 2017 -0600
----------------------------------------------------------------------
docs/source/admin/traffic_ops_install.rst | 103 +++++++++++++++++++++++++
1 file changed, 103 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-trafficcontrol/blob/16fa0ea8/docs/source/admin/traffic_ops_install.rst
----------------------------------------------------------------------
diff --git a/docs/source/admin/traffic_ops_install.rst b/docs/source/admin/traffic_ops_install.rst
index ca49461..6f9b4de 100644
--- a/docs/source/admin/traffic_ops_install.rst
+++ b/docs/source/admin/traffic_ops_install.rst
@@ -379,3 +379,106 @@ To upgrade:
2. Enter the following command:``yum upgrade traffic_ops``
3. See :ref:`rl-ps` to run postinstall.
4. Enter the following command:``service traffic_ops start``
+
+Manually Generating and Installing the SSL Certificate
+------------------------------------------------------
+
+.. Note:: This section is valid for traffic-control 2.0.0 and later.
+
+Self-signed Certificate (Development)
+=====================================
+
+ Example Procedure::
+
+ $ openssl genrsa -des3 -passout pass:x -out localhost.pass.key 2048
+ Generating RSA private key, 2048 bit long modulus
+ ...
+ $ openssl rsa -passin pass:x -in localhost.pass.key -out localhost.key
+ writing RSA key
+ $ rm localhost.pass.key
+
+ $ openssl req -new -key localhost.key -out localhost.csr
+ You are about to be asked to enter information that will be incorporated
+ into your certificate request.
+ What you are about to enter is what is called a Distinguished Name or a DN.
+ There are quite a few fields but you can leave some blank
+ For some fields there will be a default value,
+ If you enter '.', the field will be left blank.
+ -----
+ Country Name (2 letter code) [XX]:US<enter>
+ State or Province Name (full name) []:CO<enter>
+ Locality Name (eg, city) [Default City]:Denver<enter>
+ Organization Name (eg, company) [Default Company Ltd]: <enter>
+ Organizational Unit Name (eg, section) []: <enter>
+ Common Name (eg, your name or your server's hostname) []: <enter>
+ Email Address []: <enter>
+
+ Please enter the following 'extra' attributes
+ to be sent with your certificate request
+ A challenge password []: pass<enter>
+ An optional company name []: <enter>
+ $ openssl x509 -req -sha256 -days 365 -in localhost.csr -signkey localhost.key -out localhost.crt
+ Signature ok
+ subject=/C=US/ST=CO/L=Denver/O=Default Company Ltd
+ Getting Private key
+ $ sudo cp localhost.crt /etc/pki/tls/certs
+ $ sudo cp localhost.key /etc/pki/tls/private
+ $ sudo chown trafops:trafops /etc/pki/tls/certs/localhost.crt
+ $ sudo chown trafops:trafops /etc/pki/tls/private/localhost.key
+
+Certificate from Certificate Authority (Production)
+===================================================
+
+.. Note:: You will need to know the appropriate answers below when generating the certificate request file `trafficopss.csr` below.
+
+ Example Procedure::
+
+ $ openssl genrsa -des3 -passout pass:x -out trafficops.pass.key 2048
+ Generating RSA private key, 2048 bit long modulus
+ ...
+ $ openssl rsa -passin pass:x -in trafficops.pass.key -out trafficops.key
+ writing RSA key
+ $ rm localhost.pass.key
+
+ Generate the Certificate Signing Request (CSR) file needed for Certificate Authority (CA) request.
+
+ $ openssl req -new -key trafficops.key -out trafficops.csr
+ You are about to be asked to enter information that will be incorporated
+ into your certificate request.
+ What you are about to enter is what is called a Distinguished Name or a DN.
+ There are quite a few fields but you can leave some blank
+ For some fields there will be a default value,
+ If you enter '.', the field will be left blank.
+ -----
+ Country Name (2 letter code) [XX]: <enter country code>
+ State or Province Name (full name) []: <enter state or province>
+ Locality Name (eg, city) [Default City]: <enter locality name>
+ Organization Name (eg, company) [Default Company Ltd]: <enter organization name>
+ Organizational Unit Name (eg, section) []: <enter organizational unit name>
+ Common Name (eg, your name or your server's hostname) []: <enter server's hostname name>
+ Email Address []: <enter e-mail address>
+
+ Please enter the following 'extra' attributes
+ to be sent with your certificate request
+ A challenge password []: <enter challenge password>
+ An optional company name []: <enter>
+ $ sudo cp trafficops.key /etc/pki/tls/private
+ $ sudo chown trafops:trafops /etc/pki/tls/private/trafficops.key
+
+ You must then take the output file trafficops.csr and submit a request to your Certificate Authority (CA).
+ Once you get approved and receive your trafficops.crt file:
+
+ $ sudo cp trafficops.crt /etc/pki/tls/certs
+ $ sudo chown trafops:trafops /etc/pki/tls/certs/trafficops.crt
+
+ If necessary, install the CA certificates .pem and .crt in /etc/pki/tls/certs.
+
+ You will need to update the file /opt/traffic_ops/app/conf/cdn.conf with the following changes:
+ ...
+ e.g. given trafficops.crt and trafficops.key
+ 'hypnotoad' => ...
+ 'listen' => 'https://[::]:443?cert=/etc/pki/tls/certs/trafficops.crt&key=/etc/pki/tls/private/trafficops.key&ca=/etc/pki/tls/certs/localhost.ca&verify=0x00&ciphers=AES128-GCM-SHA256:HIGH:!RC4:!MD5:!aNULL:!EDH:!ED'
+ ...
+
+
+
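Review bot: in the production procedure the cleanup step removes the wrong file: after `openssl genrsa ... -out trafficops.pass.key` and `openssl rsa ... -out trafficops.key`, the following `$ rm localhost.pass.key` (copied from the development section) leaves `trafficops.pass.key` on disk; it should read `$ rm trafficops.pass.key`. Two further points in the same hunk. First, both sections `cp` the private key into /etc/pki/tls/private and `chown` it to trafops:trafops but never restrict its mode; `cp` keeps the source file's mode, which under the usual umask is 0644, so the key is world-readable. Add `$ sudo chmod 0600 /etc/pki/tls/private/trafficops.key` (and likewise for localhost.key) after the chown. Second, the example `listen` line in cdn.conf sets `ca=/etc/pki/tls/certs/localhost.ca`, a file neither procedure creates, together with `verify=0x00`, and the cipher string ends in `!ED`, which looks truncated; either show the complete, intended string or mark the line as an elided template so readers do not copy a broken ciphers value. Minor: the note above the production section says `trafficopss.csr` (typo for `trafficops.csr`), and the development CSR walkthrough leaves Common Name blank, so the resulting self-signed certificate carries no hostname at all; for a dev cert it is worth entering the host name there so browsers and curl can at least match it after the CA is trusted.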