Customizing .CSR file

Last Updated: Sep 29, 2022

About this task

Use this procedure to customize a .csr file generated for the default set of identity certificates for externally-facing interfaces. You can customize the following fields of the certificate: C (Country), ST (State), L (Locality), O (Organization), and OU (Organization Unit).

Procedure

  1. Log in to Cluster Control Manager.
  2. To create default .csr files, run the following command:
    ccm release cert-manager third-party-certs --generate-service-csr --output-dir <output-directory>

    Eight default .csr files are created.

  3. To open each of the seven default .csr files and to verify its subject and subjectAltName (Subject Alternative Name) values, run the following commands:
    
    openssl req -text -noout -verify -in ccm-identity.pfx-ccm-identity.pfx.csr
    openssl req -text -noout -verify -in ingressgateway-certificate-default-ingressgateway-idcert.csr
    openssl req -text -noout -verify -in eventing-kafka-cp-zookeeper-kafkaconnectidcert.csr
    openssl req -text -noout -verify -in eventing-kafka-cp-kafka-kafkaexternalidcert.csr
    openssl req -text -noout -verify -in egressgateway-certificate-default-egressgateway-idcert.csr
    openssl req -text -noout -verify -in orca-dbmgr-analyticsdb-primary-idcert.csr
    openssl req -text -noout -verify -in orca-dbmgr-analyticsdb-replica-idcert.csr
  4. To create the CertInfoFile template file, template.txt, run the following commands:
    # create the "Cert Info" File template
    rm -rf ./template.txt;
    echo '{' >> ./template.txt;
    echo ' "keyAlgorithm": "RSA"' >> ./template.txt;
    echo '}' >> ./template.txt;
  5. To create individual CertInfoFiles for service IDs, run the following commands:
    # create the certInfoFiles
    cp template.txt CCM-IGRESS-GATEWAY.certInfoFile;
    cp template.txt CCM-EVENTING-KAFKA.certInfoFile;
    cp template.txt CCM-EGRESS-GATEWAY.certInfoFile;
    cp template.txt CCM-IDENTITY.certInfoFile;
    cp template.txt CCM-EVENTING-KAFKA-ZOOKEEPER.certInfoFile;
    cp template.txt ANALYTICSDB-PRIMARY.certInfoFile;
    cp template.txt ANALYTICSDB-REPLICA.certInfoFile;
  6. Update the subject and subjectAltName information in each individual CertInfoFile.

    The following is sample content for the CCM-IGRESS-GATEWAY.certInfoFile file:

    {
    "subject": "C=US, ST=Colorado, L=Thornton, O=Avaya, CN=certmgmt-loadbalancer-service",
    "subjectAltName": "dNSName=certmgmt-loadbalancer-service",
    "keySize": "2048",
    "keyAlgorithm": "RSA"
    }
  7. To regenerate the .csr files using the updated individual CertInfoFile, run the following commands:
    ccmcertmgr --generate-service-csr ingressgateway-certificate-default-ingressgateway-idcert CCM-IGRESS-GATEWAY.certInfoFile > CCM-IGRESS-GATEWAY.csr;
    ccmcertmgr --generate-service-csr eventing-kafka-cp-kafka-kafkaexternalidcert CCM-EVENTING-KAFKA.certInfoFile > CCM-EVENTING-KAFKA.csr;
    ccmcertmgr --generate-service-csr egressgateway-certificate-default-egressgateway-idcert CCM-EGRESS-GATEWAY.certInfoFile > CCM-EGRESS-GATEWAY.csr;
    ccmcertmgr --generate-service-csr ccm-identity.pfx-ccm-identity.pfx CCM-IDENTITY.certInfoFile > CCM-IDENTITY.csr;
    ccmcertmgr --generate-service-csr eventing-kafka-cp-zookeeper-kafkaconnectidcert CCM-EVENTING-KAFKA-ZOOKEEPER.certInfoFile > CCM-EVENTING-KAFKA-ZOOKEEPER.csr;
    ccmcertmgr --generate-service-csr orca-dbmgr-analyticsdb-primary-idcert ANALYTICSDB-PRIMARY.certInfoFile > ANALYTICSDB-PRIMARY.csr;
    ccmcertmgr --generate-service-csr orca-dbmgr-analyticsdb-replica-idcert ANALYTICSDB-REPLICA.certInfoFile > ANALYTICSDB-REPLICA.csr;
  8. To verify that the Subject and Subject Alternative Name information is updated in all seven regenerated .csr files, run the following commands:
    openssl req -text -noout -verify -in CCM-IGRESS-GATEWAY.csr
    openssl req -text -noout -verify -in CCM-EVENTING-KAFKA.csr
    openssl req -text -noout -verify -in CCM-EGRESS-GATEWAY.csr
    openssl req -text -noout -verify -in CCM-IDENTITY.csr
    openssl req -text -noout -verify -in CCM-EVENTING-KAFKA-ZOOKEEPER.csr
    openssl req -text -noout -verify -in ANALYTICSDB-PRIMARY.csr;
    openssl req -text -noout -verify -in ANALYTICSDB-REPLICA.csr;
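The check in step 8 can be scripted instead of read by eye. The following is an added example, not part of the product or its documentation: the function names are hypothetical, and the sample text is constructed from the sample certInfoFile values in step 6. It compares the Subject and the SAN DNS entry in `openssl req -text -noout` output with the values written to the certInfoFile.

```shell
# Added example: helper names are hypothetical, not part of ccm or ccmcertmgr.

# Strip whitespace around '=' and ',' so openssl's "C = US, ST = Colorado"
# and the certInfoFile's "C=US, ST=Colorado" compare equal.
normalize_dn() {
    printf '%s\n' "$1" | sed -e 's/[[:space:]]*=[[:space:]]*/=/g' \
        -e 's/[[:space:]]*,[[:space:]]*/,/g' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Both readers take `openssl req -text -noout` output on stdin.
csr_subject() { sed -n 's/^[[:space:]]*Subject:[[:space:]]*//p' | head -n 1; }
csr_dns_names() {
    # SAN values sit on the line after the extension header, comma-separated.
    sed -n '/X509v3 Subject Alternative Name/{n;p;}' | tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS://p'
}

# check_csr_text EXPECTED_SUBJECT EXPECTED_DNS_NAME   (CSR text on stdin)
check_csr_text() {
    text=$(cat)
    want=$(normalize_dn "$1")
    got=$(normalize_dn "$(printf '%s\n' "$text" | csr_subject)")
    if [ "$got" != "$want" ]; then
        echo "subject mismatch: got '$got'"; return 1
    fi
    if ! printf '%s\n' "$text" | csr_dns_names | grep -Fqx -- "$2"; then
        echo "SAN has no DNS entry '$2'"; return 1
    fi
    echo "ok"
}

# check_csr_file CSR_FILE EXPECTED_SUBJECT EXPECTED_DNS_NAME
check_csr_file() {
    openssl req -text -noout -in "$1" | check_csr_text "$2" "$3"
}

# Constructed, abbreviated sample of openssl's text output for the step 6 values.
sample_csr_text() {
    cat <<'EOF'
Certificate Request:
        Subject: C = US, ST = Colorado, L = Thornton, O = Avaya, CN = certmgmt-loadbalancer-service
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:certmgmt-loadbalancer-service
EOF
}

sample_csr_text | check_csr_text \
    "C=US, ST=Colorado, L=Thornton, O=Avaya, CN=certmgmt-loadbalancer-service" \
    "certmgmt-loadbalancer-service"
```

For a regenerated file, call `check_csr_file CCM-IGRESS-GATEWAY.csr` with the subject string and DNS name from the matching certInfoFile; a non-zero exit status means the CSR still carries the old values.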