Kanaka 2.8: Generating And Signing Your Own Certificate

The purpose of this TID is to provide instruction on how to create, sign, install, and utilize a self-signed certificate in order to enable Apple Macintosh (MAC) clients to connect to the Kanaka 2.8 engine. 

SERVER CONFIGURATION

1. Create a Certificate Signing Request (CSR) utilizing the following OpenSSL command:
   openssl req -newkey rsa:2048 -keyout private.key -out server.csr
   
2. When prompted, answer each of the questions pertaining to the certificate:
   

   Question	Explanation
   Country Name (two-letter code)	The ISO 3166 two-letter country code pertaining to the country where Kanaka Engine is located.
   State or Province (full name)	The complete name of your state or province.
   Locality Name (such as the city)	The complete name of your city.
   Organization Name	The name of your company or organization.
   Organizational Unit	The name of your department (optional).
   Common Name*	The name of your server as resolved by DNS.
   Email Address	The email address of the certificate administrator.
   Challenge Password	Generally optional, but required by some third-party certificate providers.

   
   *Emphasis added. Please see corresponding "Explanation" field.
   
3. Copy the server.csr file to the desktop of the workstation or server that iManager will be launched from.
   
4. Open iManager > Novell Certificate Server > Issue Certificate. Browse the the server.csr file previously copied. Click Next.
   
5. Utilize the following, basic settings (minimum). Select SSL or TLS and leave the other default settings:
   
   
   
   
6. On Step 3 of 6, leave the default settings and click NEXT
   
7. On Step 4 of 6, choose the "Validity Period" desired and click NEXT
   
8. On Step 5 of 6, choose the DER format to export the signed certificate in and click NEXT
   
9. On Step 6 of 6 click FINISH and download the certificate (server.der)
   
10. Copy the server.der to the directory where your CSR was stored.
    
11. At the command line, convert the certificate to PEM format:
    openssl x509 -inform DER -outform PEM -in server.der -out kanaka.pem
    
12. Remove the passphrase or password from the certificate:
    openssl x509 -in kanaka.pem -out insecure.kanaka.pem
    
13. Decrypt the private key (The private key is encrypted by default and needs to be decrypted for the Kanaka Engine to use):
    openssl rsa -in private.key -out decrypted.private.key
    
    NOTE: You will be prompted for your pass phrase that was used to setup the private key
    
14. Remove the passphrase or password from the certificate:
    openssl rsa -in decrypted.private.key -out insecure.decrypted.private.key
    
15. Create the server.pem file with both the private key and certificate files:
    cat insecure.decrypted.private.key insecure.kanaka.pem > server.pem
    
16. Copy the server.pem file to the following location and start the kanaka engine:
    /etc/opt/novell/kanaka/engine/config
    

1. Open iManager > NOVELL CERTIFICATE ACCESS > SERVER CERTIFICATES
   
2. Check the box next to "SSL CertificateDNS" and click "Export"
   
3. In the CERTIFICATES pull-down menu, select "O=<treename>.OU=Organizational CA".  This will automatically deselect the "Export private key" option:
   
   
4. Choose the default export format of "DER" > NEXT > SAVE THE EXPORTED CERTIFICATE.  Note the name and location of the exported trusted root certificate file.
   

Import trusted root certificate into MAC's System Keychain

1. From the MAC, open the keychain access.app
   
2. Click on FILE > IMPORT ITEMS
   
3. Navigate to the location of the exported trusted root certificate file.
   
4. Select the file and for the DESTINATION KEYCHAIN be sure to select SYSTEM.
   
5. Click OPEN, accept the defaults and click
   
6. Locate the root certificate authority in the SYSTEM KEYCHAIN called "Organizational CA"
   
7. Ensure that it says "Root certificate authority" and "This certificate is marked as trusted for all users"
   
8. Reboot