Novell Kanaka for Mac 2.8.2 now requires you to provide an X.509 certificate signed by a well-known certificate authority. The certificate must be in Privacy Enhanced Mail (PEM) format and must be installed in the appropriate secured location on the server where the Kanaka Engine is running.
There are two ways of obtaining a trusted certificate. Each method has its pros and cons.
Create a certificate signing request, and have your internal eDirectory certificate authority (CA) sign the certificate. This is referred to as an internal CA.
Create a certificate signing request, and have a trusted third-party certificate authority (CA) sign the certificate. This is referred to as an external CA.
Table 3-1 Internal and External Certificate Authority Considerations
Certificate Authority | Pros | Cons
---|---|---
Internal | |
External | |
If you decide to use an external CA, you can obtain a list of CAs that your workstation already trusts by opening Keychain Access and viewing System Roots.
Figure 3-1 List of Trusted Certificate Authorities
In this procedure, the PEM file is a Base64-encoded ASCII file that contains both the certificate and the private key. The Kanaka Engine uses it for encryption.
IMPORTANT: Be sure to store all your certificates in a secure location.
At the server that will host the Kanaka Engine, launch a terminal session.
Create a private key and certificate signing request with OpenSSL.
The following command uses OpenSSL to create your private key and certificate signing request (CSR) in a single step:
openssl req -newkey rsa:2048 -keyout private.key -out server.csr
When prompted, answer each of the questions pertaining to the certificate.
Question | Explanation
---|---
Country Name (two-letter code) | The ISO 3166 two-letter country code pertaining to the country where the Kanaka Engine is located.
State or Province (full name) | The complete name of your state or province.
Locality Name (such as the city) | The complete name of your city.
Organization Name | The name of your company or organization.
Organizational Unit | The name of your department (optional).
Common Name | The name of your server.
Email Address | The email address of the certificate administrator.
Challenge Password | Generally optional, but required by some third-party certificate providers.
Submit the server.csr contents to the certificate authority of your choosing.
The certificate authority creates a certificate based on the contents of the CSR file you created in Step 2. The certificate authority creates the certificate in one of many formats, such as DER, CER, CRT, or PEM. You can use any of these formats to produce the final PEM format that Novell Kanaka for Mac will use.
Convert the certificate to PEM format:
openssl x509 -inform DER -outform PEM -in certificate.crt -out certificate.pem
Remove the passphrase or password from the certificate:
openssl x509 -in certificate.pem -out insecure.certificate.pem
Decrypt the private key:
openssl rsa -in private.key -out decrypted.private.key
The private key is encrypted by default and must be decrypted before the Kanaka Engine can use it.
Remove the passphrase or password from the certificate:
openssl rsa -in decrypted.private.key -out insecure.decrypted.private.key
Create the server.pem file with both the private key and certificate files:
cat insecure.decrypted.private.key insecure.certificate.pem > server.pem
The output file must be named server.pem.
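The procedure above, rehearsed end to end in a scratch directory as an added example (this script is not part of the Novell documentation). It assumes openssl is on the PATH, answers the CSR questions with a constructed subject, supplies a constructed passphrase non-interactively, and stands in for the certificate authority by self-signing the CSR and emitting DER so the conversion step has something to convert. The two "remove the passphrase" copies of the certificate are omitted because an X.509 certificate carries no passphrase; the key decryption step is what actually removes it. The second function is the check a practitioner wants before handing server.pem to the Engine: the key is no longer encrypted, the key and certificate belong together, and the certificate has not expired.

```shell
#!/bin/sh
# Added example: rehearses the Kanaka server.pem preparation steps and verifies the result.
# Assumes openssl is installed. The CA is simulated with a self-signed certificate.
set -eu

# Build server.pem inside the scratch directory $1, following the documented steps.
build_server_pem() {
    dir="$1"
    pass="scratch-passphrase"   # constructed passphrase for the demo key only

    # Step 2: private key + CSR. -subj answers the identity prompts; -passout
    # supplies the key passphrase so the key is encrypted, as in the manual flow.
    openssl req -newkey rsa:2048 -keyout "$dir/private.key" -out "$dir/server.csr" \
        -subj "/C=US/ST=Utah/L=Provo/O=Example Org/CN=kanaka.example.com" \
        -passout "pass:$pass" 2>/dev/null

    # Stand-in for the CA (assumption): self-sign the CSR and write DER output.
    # In production the CSR is submitted to an internal or external CA instead.
    openssl x509 -req -in "$dir/server.csr" -signkey "$dir/private.key" \
        -passin "pass:$pass" -days 365 -outform DER -out "$dir/certificate.crt" 2>/dev/null

    # Convert the CA-issued certificate from DER to PEM.
    openssl x509 -inform DER -outform PEM -in "$dir/certificate.crt" -out "$dir/certificate.pem"

    # Decrypt the private key: this is the step that removes the passphrase.
    openssl rsa -in "$dir/private.key" -passin "pass:$pass" -out "$dir/decrypted.private.key" 2>/dev/null

    # Concatenate key then certificate into the file the Engine expects.
    cat "$dir/decrypted.private.key" "$dir/certificate.pem" > "$dir/server.pem"
    chmod 600 "$dir/server.pem"   # the file now holds a plaintext private key
}

# Verify a server.pem: prints "ok" and returns 0 when it is usable, 1 otherwise.
verify_server_pem() {
    pem="$1"

    # 1. The key must be unencrypted; the Engine cannot answer a passphrase prompt.
    if grep -q "ENCRYPTED" "$pem"; then
        echo "key still encrypted"; return 1
    fi

    # 2. The key and certificate must match: compare digests of their public keys.
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null | openssl sha256)
    cert_pub=$(openssl x509 -in "$pem" -pubkey -noout | openssl sha256)
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "key and certificate do not match"; return 1
    fi

    # 3. The certificate must still be valid right now.
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
        echo "certificate expired"; return 1
    fi

    echo ok
}

# Run the rehearsal when invoked as: sh prepare_server_pem.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    build_server_pem "$work"
    verify_server_pem "$work/server.pem"
    rm -rf "$work"
fi
```

Running the script with --demo prints ok; pointing verify_server_pem at a file built from the still-encrypted private.key prints "key still encrypted" and returns 1, which is the failure mode the decryption step exists to avoid.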
For example:
Proceed with Section 5.0, Installing and Configuring the Engine.