3.5 Generating Certificates

Novell Kanaka for Mac 2.8.2 now requires you to provide an x.509 certificate signed by a well-known certificate authority. The certificate must be in Privacy Enhanced Mail (PEM) format and must be installed in the appropriate secured location where the Kanaka Engine is running.

3.5.1 Certificate Types

There are two ways of obtaining a trusted certificate. Each method has its pros and cons.

Create a certificate signing request, and have your internal eDirectory certificate authority (CA) sign the certificate. This is referred to as an internal CA.
Create a certificate signing request, and have a trusted third-party certificate authority (CA) sign the certificate. This is referred to as an external CA.

Table 3-1 Internal and External Certificate Authority Considerations

Certificate Authority	Pros	Cons
Internal	Free The expiration date can be extended much further than one issued by an external CA.	You need to install the certificate on each Mac workstation running Novell Kanaka for Mac 2.8.2.
External	The trusted root is already trusted by the Mac OS X workstation.	You must depend on a third-party certificate provider. The certificate can be expensive. The certificate normally expires in one or two years.

If you decide to use an external CA, you can obtain a list of CAs that are already trusted from your workstation by going to the Keychain Access and viewing the System Roots.

Figure 3-1 List of Trusted Certificate Authorities

3.5.2 Creating a PEM File

A PEM file is a Base64 ASCII file containing both the certificate and the private key. It is used by the Kanaka Engine for encryption.

IMPORTANT:Be sure to store all your certificates in a secure location.

At the server that will host the Kanaka Engine, launch a terminal session.
Create a private key and certificate signing request via OpenSSL.

The following command uses OpenSSL to create your private key and certificate signing request (CSR) with a single command.

openssl req –newkey rsa:2048 –keyout private.key –out server.csr

When prompted, answer each of the questions pertaining to the certificate.

Question	Explanation
Country Name (two-letter code)	The ISO 3166 two-letter country code pertaining to the country where Kanaka Engine is located.
State or Province (full name)	The complete name of your state or province.
Locality Name (such as the city)	The complete name of your city.
Organization Name	The name of your company or organization.
Organizational Unit	The name of your department (optional).
Common Name	The name of your server.
Email Address	The email address of the certificate administrator.
Challenge Password	Generally optional, but required by some third-party certificate providers.

Submit the server.csr contents to the certificate authority of your choosing.

The certificate authority creates a certificate based the contents of the CSR file you created in Step 2. The certificate authority creates the certificate in one of many formats, such as DER, CER, CRT, or PEM. You can use any of these formats to produce the final PEM format that Novell Kanaka for Mac will use.
Convert the certificate to PEM format:

openssl x509 –inform DER –outform PEM –in certificate.crt -out certificate.pem
Remove the passphrase or password from the certificate:

openssl x509 –in certificate.pem -out insecure.certificate.pem
Decrypt the private key:

openssl rsa –in private.key -out decrypted.private.key

The private key is encrypted by default and needs to be decrypted for the Kanaka Engine to use.
Remove the passphrase or password from the certificate:

openssl rsa –in decrypted.private.key -out insecure.decrypted.private.key
Create the server.pem file with both the private key and certificate files:

cat insecure.decrypted.private.key insecure.certificate.pem > server.pem

The output file must be named server.pem.

For example:
Proceed with Section 5.0, Installing and Configuring the Engine.