Customer Internal CA
This directory contains the scripts related to the internal certificate authority (CA). They help you create your own (test) CA and the certificates signed by it.
Table of contents
- Customer Internal CA
Prerequisites
We should download the docker-compose template: [Download]
Right now we use the `easyrsa3` helper tool. This tool uses `openssl`, so `openssl` needs to be installed unless you use a Linux vendor-packaged edition that already pulls it in. The helper script called `prepare-cust-ca.sh` needs an additional tool called `yq` to change parts of the `docker-compose.yml` YAML file. Please make sure the downloaded version is as fresh as available!
Install on Debian/Ubuntu
```sh
sudo add-apt-repository ppa:rmescandon/yq
sudo apt-get update
sudo apt-get install easy-rsa yq
```
Install on Fedora/Centos/RedHat
```sh
# -L follows the GitHub release redirect, -o writes the binary to the given path
sudo curl -L -o /usr/local/bin/yq https://github.com/mikefarah/yq/releases/download/3.4.1/yq_linux_amd64
sudo chmod a+x /usr/local/bin/yq
sudo yum install epel-release
sudo yum makecache
sudo yum install easy-rsa
```
Install on OpenSuse/SLES
```sh
# -L follows the GitHub release redirect, -o writes the binary to the given path
sudo curl -L -o /usr/local/bin/yq https://github.com/mikefarah/yq/releases/download/3.4.1/yq_linux_amd64
sudo chmod a+x /usr/local/bin/yq
sudo zypper refresh
sudo zypper install easy-rsa
```
Install on Alpine
```sh
# Derive the mirror base URL from the existing "main" repository line and enable the edge/community repository
MIRROR_URL=$(grep "main$" /etc/apk/repositories | sed -e 's#\(.*\/alpine\)/.*$#\1#')
echo "$MIRROR_URL/edge/community" >> /etc/apk/repositories
apk update
# apk has no "install" subcommand; packages are installed with "add"
apk add easy-rsa yq
```
Create the PKI infrastructure
To create a custom Public Key Infrastructure (PKI), we create a new CA, create the server certificate, and sign the server certificate with the newly created CA.
Create a directory to start the process
The first step is creating the PKI directory structure.
Warning! All steps need to be run inside the freshly created directory.
```sh
make-cadir ca-dir
cd ca-dir
./easyrsa init-pki
```
Customize the `vars` file
We should change these parameters (only the relevant lines are shown, the `...` marks omitted content):
```
...
set_var EASYRSA_DN "org"
...
set_var EASYRSA_REQ_COUNTRY "US"
set_var EASYRSA_REQ_PROVINCE "California"
set_var EASYRSA_REQ_CITY "Los Angeles"
set_var EASYRSA_REQ_ORG "Example Startup Company"
set_var EASYRSA_REQ_EMAIL "it@examplestartup.com"
set_var EASYRSA_REQ_OU "IT Sec group"
...
set_var EASYRSA_CA_EXPIRE 3650
...
set_var EASYRSA_CERT_EXPIRE 1080
...
set_var EASYRSA_NS_SUPPORT "yes"
...
set_var EASYRSA_NS_COMMENT ""
...
```
Create new CA
If the `vars` file has been changed correctly, the only important question the script asks is the Common Name (CN) of the CA.
```sh
./easyrsa build-ca nopass
```
Create new Server certificate
Here the script also asks for the CN; please be careful with this, because it must match the hostname the platform will be reached at. Using a wildcard (for example `*.examplestartup.com`) here is also allowed.
```sh
./easyrsa gen-req server nopass
```
Sign server certificate with CA
```sh
./easyrsa sign-req server server
```
Copy the created certificates
We should create a directory called `ssl` next to `docker-compose.yaml`, copy the files as in this example, and set the needed permissions:
```sh
mkdir -p ssl
cp ca-dir/pki/private/server.key ssl/private.key
cp ca-dir/pki/issued/server.crt ssl/certificate.crt
# Append the CA certificate so certificate.crt holds the full chain (server cert first, CA cert last)
cat ca-dir/pki/ca.crt >> ssl/certificate.crt
chmod -R a+r ssl/
chmod a+w ssl/
```
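Before starting the platform it is worth confirming that the `ssl` directory really contains what the steps above are supposed to produce: a private key that belongs to the server certificate, and a `certificate.crt` bundle whose first block is the server certificate and whose last block is the CA that signed it. The following check script is an added example, not part of the repository's own scripts; it assumes only `openssl` on the `PATH` and the `ssl/private.key` plus `ssl/certificate.crt` layout produced by the copy commands above.

```shell
#!/bin/sh
# Added example (not part of the original scripts): sanity-check the ssl/
# directory assembled by the copy step before starting the platform.
# Assumes: openssl on PATH; ssl/private.key and ssl/certificate.crt with the
# server certificate first and the CA certificate last, as produced by cp/cat.

# Count PEM certificate blocks in a file.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Print the N-th certificate (1-based) of a PEM bundle to stdout.
nth_cert() {
    awk -v n="$2" '
        /^-----BEGIN CERTIFICATE-----/ { i++ }
        i == n { print }
        /^-----END CERTIFICATE-----/ { if (i == n) exit }
    ' "$1"
}

# Verify an ssl/ directory. Returns 0 on success, prints a reason and returns 1
# on the first failure.
check_ssl_dir() {
    dir="$1"
    key="$dir/private.key"
    bundle="$dir/certificate.crt"
    [ -r "$key" ] || { echo "missing or unreadable: $key"; return 1; }
    [ -r "$bundle" ] || { echo "missing or unreadable: $bundle"; return 1; }

    # The bundle must hold the server certificate plus the CA certificate.
    n=$(count_certs "$bundle")
    [ "$n" -ge 2 ] || { echo "expected server cert + CA cert in $bundle, found $n"; return 1; }

    tmp=$(mktemp -d)
    nth_cert "$bundle" 1 > "$tmp/server.pem"
    nth_cert "$bundle" "$n" > "$tmp/ca.pem"

    # The private key must belong to the first (server) certificate: compare
    # the public key derived from the key with the one inside the certificate.
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    cpub=$(openssl x509 -in "$tmp/server.pem" -pubkey -noout 2>/dev/null)
    if [ -z "$kpub" ] || [ "$kpub" != "$cpub" ]; then
        rm -rf "$tmp"
        echo "private.key does not match the server certificate"
        return 1
    fi

    # The server certificate must chain to the CA certificate appended last.
    if ! openssl verify -CAfile "$tmp/ca.pem" "$tmp/server.pem" >/dev/null 2>&1; then
        rm -rf "$tmp"
        echo "server certificate is not signed by the bundled CA"
        return 1
    fi

    # Warn (without failing) if the server certificate expires within 30 days.
    openssl x509 -in "$tmp/server.pem" -checkend 2592000 >/dev/null \
        || echo "warning: server certificate expires within 30 days"

    rm -rf "$tmp"
    echo "ok: $dir"
    return 0
}

# Usage: run from the directory that contains ssl/
# check_ssl_dir ssl
```

Run it from the directory that holds `ssl/`; a non-zero exit means one of the copy steps above went wrong (most often the key and certificate come from different `gen-req` runs, or the CA certificate was not appended). Keep in mind that the `chmod -R a+r ssl/` step makes `private.key` readable by every local user, so the host running the platform should not be shared with untrusted accounts.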
Preparing the `.env` and `docker-compose.yml`
If we want to use the certificates for SSL, we need some changes in `.env` and in `docker-compose.yml` as well.
Changes in `docker-compose.yml`
We can use the `prepare-cust-ca.sh` shell script, which extends the `docker-compose.yml` file with the needed options. It changes some parts of the `.env` file as well.
Changes in the `.env` file
We should edit the file and change lines like these, where needed (the `...` marks omitted content):
```
...
# Public domain of the deployment
PUBLIC_DOMAIN=platform.examplestartup.com
# Public URL of the deployment that will be used for external access (Public domain + protocol + port)
PUBLIC_URL=https://platform.examplestartup.com
# Public URL of the SSO endpoint that will be used for external access. In most cases it should be the same as the PUBLIC_URL
SSO_PUBLIC_URL=https://platform.examplestartup.com
...
JHUB_CUSTOM_CA_CERTS=/full/path/to/platform/ssl/deb_cacerts/
...
```
Warning! `JHUB_CUSTOM_CA_CERTS` must contain the full path of your platform directory, plus the `ssl/deb_cacerts/` subdirectory.
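A mistyped `.env` (an `http://` URL left in place, or the placeholder path still in `JHUB_CUSTOM_CA_CERTS`) only shows up later as a failed deployment, so it is cheaper to check the file before starting. The script below is an added example, not part of the repository; it assumes nothing beyond the variable names shown in the excerpt above and a plain `KEY=value` `.env` layout.

```shell
#!/bin/sh
# Added example (not part of the original scripts): validate the .env settings
# that the custom-CA setup depends on, before starting the platform.
# Assumes a plain KEY=value .env file with the variable names shown above.

# Read the last KEY=value line for $2 from the file $1 (surrounding quotes stripped).
env_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Returns 0 when the file looks usable, 1 with one message per problem otherwise.
check_env_file() {
    file="$1"
    domain=$(env_get "$file" PUBLIC_DOMAIN)
    url=$(env_get "$file" PUBLIC_URL)
    sso=$(env_get "$file" SSO_PUBLIC_URL)
    cadir=$(env_get "$file" JHUB_CUSTOM_CA_CERTS)
    rc=0

    [ -n "$domain" ] || { echo "PUBLIC_DOMAIN is not set"; rc=1; }

    # With our own certificate chain in place, external access has to be https
    # on the very host the server certificate was issued for.
    case "$url" in
        https://"$domain"|https://"$domain":*) ;;
        *) echo "PUBLIC_URL ($url) should be https://$domain (optionally with a port)"; rc=1 ;;
    esac

    # The docs say SSO_PUBLIC_URL usually equals PUBLIC_URL; only report a difference.
    [ "$sso" = "$url" ] || echo "note: SSO_PUBLIC_URL ($sso) differs from PUBLIC_URL ($url)"

    # JHUB_CUSTOM_CA_CERTS: absolute platform path plus ssl/deb_cacerts/.
    case "$cadir" in
        /full/path/to/*)
            echo "JHUB_CUSTOM_CA_CERTS still contains the placeholder path: $cadir"; rc=1 ;;
        /*/ssl/deb_cacerts/) ;;
        /*/ssl/deb_cacerts)
            echo "note: JHUB_CUSTOM_CA_CERTS lacks the trailing slash shown in the docs: $cadir" ;;
        /*)
            echo "JHUB_CUSTOM_CA_CERTS must point at <platform dir>/ssl/deb_cacerts/, got: $cadir"; rc=1 ;;
        *)
            echo "JHUB_CUSTOM_CA_CERTS must be an absolute path, got: '$cadir'"; rc=1 ;;
    esac

    return $rc
}

# Usage: check_env_file .env
```

The path check is deliberately strict about the `ssl/deb_cacerts/` suffix because that is the directory the initialization service fills with the converted CA certificates; pointing the variable at `ssl/` itself is the most common mistake this catches.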
Starting the platform
The starting process is the same as described in the official documentation.
Steps after deployment or deployment errors
Delete previously created subdirs
If we want to re-run the certificate transformation part of the RapidMiner Initialization service, we should remove the subdirectories it created:
```sh
sudo rm -fr ssl/deb_cacerts/
sudo rm -fr ssl/java_cacerts/
sudo rm -fr ssl/rh_cacerts/
```