4.00.00 Analytics Security Provider Advanced Installation Guide (Linux) Rev01

Certificate Authority Directory Structure

CA Directory
File	Description
CERT_ROOT_DIRECTORY/CA	Directory for the CA files.
CERT_ROOT_DIRECTORY/CA/ca.crt	The CA root public key in PEM format. This is used to create truststore files or can be imported in web browsers to establish trust for certificates signed by this CA.
CERT_ROOT_DIRECTORY/CA/index.txt	A book keeping file used by OpenSSL.
CERT_ROOT_DIRECTORY/CA/index.txt.attr	A book keeping file used by OpenSSL.
CERT_ROOT_DIRECTORY/CA/serial	A book keeping file used by OpenSSL.
CERT_ROOT_DIRECTORY/CA/private/ca.key	The CA root private key in PEM format. This is used to sign certificates.

For example:

./create-ca.sh password

        1 file(s) copied.

        1 file(s) copied.

Generating a RSA private key

...+++++

.....................................................................+++++

writing new private key to '.fta-ca\CA\private\ca.key'

-----

Successfully processed 1 files; Failed processing 0 files

Successfully processed 1 files; Failed processing 0 files

Successfully processed 0 files; Failed processing 0 files

.fta-ca\CA\private\ca.key NT AUTHORITY\SYSTEM:(F)

                          BUILTIN\Administrators:(F)

Successfully processed 1 files; Failed processing 0 files

Certificate:

    Data:

Version: 3 (0x2)

        Serial Number:

            0d:63:97:b9:e0:8f:bb:b7:61:7c:ca:b8:7b:b9:48:9e:ac:2d:c2:fe

        Signature Algorithm: sha256WithRSAEncryption

        Issuer: C = US, ST = CA, L = San Jose, O = Acme Widgets, CN = FactoryTalk Analytics Priva

        Validity

            Not Before: Dec 18 12:38:38 2018 GMT

            Not After : Dec 15 12:38:38 2028 GMT

        Subject: C = US, ST = CA, L = San Jose, O = Acme Widgets, CN = FactoryTalk Analytics Priv

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

                RSA Public-Key: (2048 bit)

                Modulus:

                    00:9d:1a:09:66:61:fb:e4:82:67:db:86:25:4e:9e:

                    dd:49:61:63:f1:e2:0d:37:b4:30:f0:9c:f4:6d:c2:

                    dc:87:f9:17:e8:58:ad:ab:3e:80:18:e8:7e:4f:ba:

                    6f:c4:94:98:9b:bd:27:e7:19:7c:aa:ef:97:9b:73:

                    a2:0e:d4:6b:b6:97:20:9b:58:8a:79:0a:36:3c:c1:

4d:2e:6c:1a:9d:93:aa:8c:c0:58:bb:c8:4d:56:fa:

                    a4:43:06:e0:bb:57:d4:97:ec:bc:3d:d9:4c:fa:15:

                    73:da:49:2e:42:2c:77:66:1f:20:d3:d3:10:1d:82:

                    d5:e9:a9:ed:88:01:a1:0b:96:64:b1:58:21:ba:33:

                    03:0b:fa:2b:d4:51:e9:3f:c7:71:e7:2e:b9:0c:43:

                    3e:8c:75:42:7a:2f:8b:01:45:6b:04:71:64:04:9c:

 04:d8:a2:8c:e8:f1:a8:ca:06:d5:14:f4:b4:96:ad:

                    f8:d6:9e:59:21:6c:4e:af:96:f7:76:e5:2d:28:ea:

                    3c:2b:b3:f1:84:aa:9b:21:30:46:37:7b:49:28:33:

                    93:ab:c1:0a:c4:11:de:79:1c:fc:31:b6:1d:f1:9f:

                    73:9c:57:53:fc:39:30:5b:23:1a:4b:c8:8f:95:66:

                    d8:e8:9e:6d:eb:16:e9:f7:32:ad:67:e5:7c:9e:b7:

                    ac:1f

                Exponent: 65537 (0x10001)

        X509v3 extensions:

            X509v3 Basic Constraints: critical

                CA:TRUE

            X509v3 Subject Key Identifier:

                5B:BE:C9:9C:A2:CB:E7:DB:A6:56:3D:6D:DA:21:E2:26:2C:D4:AE:93

            X509v3 Authority Key Identifier:

                keyid:5B:BE:C9:9C:A2:CB:E7:DB:A6:56:3D:6D:DA:21:E2:26:2C:D4:AE:93

                DirName:/C=US/ST=CA/L=San Jose/O=Acme Widgets/CN=FactoryTalk Analytics Private CA

seri al:0D:63:97:B9:E0:8F:BB:B7:61:7C:CA:B8:7B:B9:48:9E:AC:2D:C2:FE

            X509v3 Key Usage:

                Certificate Sign, CRL Sign

            X509v3 Issuer Alternative Name:

                <EMPTY>

            X509v3 Subject Alternative Name: critical

                DNS:acme-widgets.com

    Signature Algorithm: sha256WithRSAEncryption

         07:dc:e5:b7:00:db:4e:b8:5d:e2:de:d4:2f:0c:9e:dc:06:4e:

         6f:54:a8:8e:df:fc:b7:c4:41:c7:0b:e8:d8:36:39:72:27:21:

         3f:7f:36:96:59:19:cf:5a:63:18:bd:2f:8f:0b:c9:d6:1a:5a:

         23:25:f9:69:62:28:df:19:4a:bc:b7:ae:61:83:49:c0:33:29:

         0f:cf:37:f4:61:fe:6e:25:cc:af:b2:0c:dc:de:f4:c9:cb:a7:

         6d:8e:05:38:bc:04:83:36:72:ae:d8:79:b3:71:2a:3b:4d:c7:

         9f:fa:54:05:9c:5f:cc:92:91:86:80:e2:47:e0:1f:2c:91:37:

         84:36:fb:55:d6:6b:3c:38:f1:b1:17:cb:01:90:c2:27:e8:ce:

         4a:1f:05:01:92:e7:1f:b5:2e:9c:6f:4d:f4:1d:98:cd:76:b0:

         7b:66:9c:ae:b6:22:3c:f8:98:07:56:c3:b2:be:67:51:fe:19:

         3c:d9:e1:15:b6:ea:0c:19:78:29:7a:3e:3a:49:62:86:a2:24:

         78:54:4c:24:1a:23:ee:d0:fa:64:65:90:fa:69:94:eb:e5:44:

         aa:d9:08:3d:ee:23:e4:fc:c6:37:e1:98:93:e6:9b:65:04:d9:

         4b:21:a5:ff:c4:db:03:b4:f5:9d:eb:15:04:35:58:3c:2d:5e:

         4c:04:c9:0b

-----BEGIN CERTIFICATE-----

MIIEiTCCA3GgAwIBAgIUDWOXueCPu7dhfMq4e7lInqwtwv4wDQYJKoZIhvcNAQEL

BQAwbzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMREwDwYDVQQHDAhTYW4gSm9z

ZTEVMBMGA1UECgwMQWNtZSBXaWRnZXRzMSkwJwYDVQQDDCBGYWN0b3J5VGFsayBB

bmFseXRpY3MgUHJpdmF0ZSBDQTAeFw0xODEyMTgxMjM4MzhaFw0yODEyMTUxMjM4

MzhaMG8xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTERMA8GA1UEBwwIU2FuIEpv

c2UxFTATBgNVBAoMDEFjbWUgV2lkZ2V0czEpMCcGA1UEAwwgRmFjdG9yeVRhbGsg

QW5hbHl0aWNzIFByaXZhdGUgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK

AoIBAQCdGglmYfvkgmfbhiVOnt1JYWPx4g03tDDwnPRtwtyH+RfoWK2rPoAY6H5P

um/ElJibvSfnGXyq75ebc6IO1Gu2lyCbWIp5CjY8wU0ubBqdk6qMwFi7yE1W+qRD

BuC7V9SX7Lw92Uz6FXPaSS5CLHdmHyDT0xAdgtXpqe2IAaELlmSxWCG6MwML+ivU

Uek/x3HnLrkMQz6MdUJ6L4sBRWsEcWQEnATYoozo8ajKBtUU9LSWrfjWnlkhbE6v

lvd25S0o6jwrs/GEqpshMEY3e0koM5OrwQrEEd55HPwxth3xn3OcV1P8OTBbIxpL

yI+VZtjonm3rFun3Mq1n5Xyet6wfAgMBAAGjggEbMIIBFzAPBgNVHRMBAf8EBTAD

AQH/MB0GA1UdDgQWBBRbvsmcosvn26ZWPW3aIeImLNSukzCBrAYDVR0jBIGkMIGh

gBRbvsmcosvn26ZWPW3aIeImLNSuk6FzpHEwbzELMAkGA1UEBhMCVVMxCzAJBgNV

BAgMAkNBMREwDwYDVQQHDAhTYW4gSm9zZTEVMBMGA1UECgwMQWNtZSBXaWRnZXRz

MSkwJwYDVQQDDCBGYWN0b3J5VGFsayBBbmFseXRpY3MgUHJpdmF0ZSBDQYIUDWOX

ueCPu7dhfMq4e7lInqwtwv4wCwYDVR0PBAQDAgEGMAkGA1UdEgQCMAAwHgYDVR0R

AQH/BBQwEoIQYWNtZS13aWRnZXRzLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEAB9zl

twDbTrhd4t7ULwye3AZOb1Sojt/8t8RBxwvo2DY5cichP382llkZz1pjGL0vjwvJ

1hpaIyX5aWIo3xlKvLeuYYNJwDMpD8839GH+biXMr7IM3N70ycunbY4FOLwEgzZy

rth5s3EqO03Hn/pUBZxfzJKRhoDiR+AfLJE3hDb7VdZrPDjxsRfLAZDCJ+jOSh8F

AZLnH7UunG9N9B2YzXawe2acrrYiPPiYB1bDsr5nUf4ZPNnhFbbqDBl4KXo+Okli

hqIkeFRMJBoj7tD6ZGWQ+mmU6+VEqtkIPe4j5PzGN+GYk+abZQTZSyGl/8TbA7T1

nesVBDVYPC1eTATJCw==

-----END CERTIFICATE-----

subject=C = US, ST = CA, L = San Jose, O = Acme Widgets, CN = FactoryTalk Analytics Private CA

issuer=C = US, ST = CA, L = San Jose, O = Acme Widgets, CN = FactoryTalk Analytics Private CA

Sign Certificate
File	Description
CERT_ROOT_DIRECTORY/certs/fta_truststore.jks	A Java truststore file containing the public root certificate for the CA. This is created once.
CERT_ROOT_DIRECTORY/certs/host-fqdn.crt	The public key for the host in PEM format.
CERT_ROOT_DIRECTORY/certs/ host-fqdn.csr	The certificate signing request (CSR) for host’s certificate.
CERT_ROOT_DIRECTORY/certs/ host-fqdn.jks	The Java keystore contain the host’s private key.
CERT_ROOT_DIRECTORY/certs/ host-fqdn.key	The host’s private key.
CERT_ROOT_DIRECTORY/certs/ host-fqdn.p12	The host’s private key in PKCS 12 format. This file is used to create the Java keystore.
CERT_ROOT_DIRECTORY/certs/ host-fqdn.pem	This is the certificate chain for the host certificate in PEM format. It is the concatenation of the root public key for the CA and the public key for the host certificate.

For example:

./create-certificate.sh host1.acme-widgets.com password kpassword tpassword

Generating RSA private key, 2048 bit long modulus (2 primes)

.....................................................+++++

..........................................................+++++

e is 65537 (0x010001)

Using configuration from ./openssl.cnf

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follows

countryName           :PRINTABLE:'US'

stateOrProvinceName   :ASN.1 12:'CA'

localityName          :ASN.1 12:'San Jose'

organizationName      :ASN.1 12:'Acme Widgets'

commonName            :ASN.1 12:'acme-widgets.com'

Certificate is to be certified until Dec 17 13:08:37 2020 GMT (730 days)

Write out database with 1 new entries

Data Base Updated

.fta-ca\certs\host1.acme-widgets.com.crt

.fta-ca\CA\ca.crt

.fta-ca\CA\ca.crt

        1 file(s) copied.

Certificate was added to keystore

[Storing .fta-ca\certs\fta_truststore.jks]

FTA Security Scripts

Provide Feedback

Have questions or feedback about this documentation? Please submit your feedback here.