How to Replace the certificate for Service Management Automation

  • KM03114643
  • 09-Mar-2018
  • 17-Aug-2018

Summary

How to Replace the certificate for Service Management Automation

Question


There are 2 docs related to "Replace the certificates for Service Management Automation":
https://docs.software.hpe.com/wiki/display/ITSMA201711H/Replace+the+certificates+for+Service+Management+Automation
https://docs.software.hpe.com/wiki/display/ITSMA201711X/Replace+the+certificate+for+Service+Management+Automation

Step 1 is the same in both docs:
1. Generate a certificate and private key for the host on which the ingress service is running. Save the certificate and key on the master node.

This is not detailed enough; we need to know how and where to generate the certificate and private key.

Answer

To generate a certificate and private key for ITSMA, the customer first needs to obtain an SSL certificate and key, which usually means paying extra to buy the service from an SSL provider.

You can then use the OpenSSL tool to generate the certificate and key used in ITSMA.

Below is an example provided:

1. Create the private key that is used in the ITSMA suite

openssl genrsa -out shc-itsma-suite-cd-85.hpeswlab.net.key 4096

2. Create certificate signing request (CSR)

openssl req -new -key shc-itsma-suite-cd-85.hpeswlab.net.key -subj "/CN=shc-itsma-suite-cd-85.hpeswlab.net" -out shc-itsma-suite-cd-85.hpeswlab.net.csr

3. Create the certificate that is used in the ITSMA suite

openssl x509 -sha256 -req -in shc-itsma-suite-cd-85.hpeswlab.net.csr -CA "/opt/kubernetes/ssl/ca.crt" -CAkey "/opt/kubernetes/ssl/ca.key" -CAcreateserial -out shc-itsma-suite-cd-85.hpeswlab.net.crt -days 365

Note: Amazon should provide -CA "/opt/kubernetes/ssl/ca.crt" -CAkey "/opt/kubernetes/ssl/ca.key"

4. Change the access permissions for the certificate and private key

chmod 0400 shc-itsma-suite-cd-85.hpeswlab.net.crt shc-itsma-suite-cd-85.hpeswlab.net.key
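
A check to run once steps 1 to 4 are done, as an added example that is not part of the original article or the product documentation: it confirms that the certificate matches the private key, chains to the CA used in step 3, has not expired, and that the key is readable only by its owner. The function name check_pair, the host name itsma.example.test and the throwaway demo CA are assumptions made for the example.

```shell
#!/bin/sh
# Added example: post-generation checks for the files produced in steps 1-4.
# check_pair and the demo file names are hypothetical, not part of the ITSMA tooling.

check_pair() {  # usage: check_pair KEY CRT CA ; returns 0 only if every check passes
    key=$1; crt=$2; ca=$3
    # 1. The certificate must carry the public half of this private key.
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || { echo "FAIL: cannot read key"; return 1; }
    cpub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || { echo "FAIL: cannot read cert"; return 1; }
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ] || { echo "FAIL: cert does not match key"; return 1; }
    # 2. The certificate must chain to the CA passed to -CA in step 3.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || { echo "FAIL: not signed by $ca"; return 2; }
    # 3. The certificate must not already be expired.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 || { echo "FAIL: cert expired"; return 3; }
    # 4. After step 4 (chmod 0400) the key has no group/other permission bits.
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] || { echo "FAIL: key readable beyond owner"; return 4; }
    echo "OK: $crt"
}

# --- Constructed demo: throwaway CA and host certificate in a temp directory ---
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
host=itsma.example.test                      # constructed host name
# Stand-in for the ca.crt / ca.key pair referenced in step 3 (2048-bit to keep the demo fast).
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$demo/ca.key" \
    -subj "/CN=Constructed Demo CA" -days 1 -out "$demo/ca.crt" 2>/dev/null
# Steps 1-4 from the article, run against the demo CA.
openssl genrsa -out "$demo/$host.key" 2048 2>/dev/null
openssl req -new -key "$demo/$host.key" -subj "/CN=$host" -out "$demo/$host.csr" 2>/dev/null
openssl x509 -sha256 -req -in "$demo/$host.csr" -CA "$demo/ca.crt" -CAkey "$demo/ca.key" \
    -CAcreateserial -out "$demo/$host.crt" -days 365 2>/dev/null
chmod 0400 "$demo/$host.crt" "$demo/$host.key"
# An unrelated key, to show the mismatch case being caught.
openssl genrsa -out "$demo/other.key" 2048 2>/dev/null
chmod 0400 "$demo/other.key"

check_pair "$demo/$host.key" "$demo/$host.crt" "$demo/ca.crt"
check_pair "$demo/other.key" "$demo/$host.crt" "$demo/ca.crt" || true
```

For the real files, call check_pair with the .key and .crt created above and the ca.crt that was passed to -CA.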