This post was last edited by xiejunbing on 2023-4-10 16:10
Background:
MBH ships with a default set of certificates after installation. SRG uses a certificate of their own rather than the one installed by default, so the procedure for a customer to generate (or renew) their own certificate is collected below. The first list is the steps as we actually executed them; the second list (originally written in English for the customer) is the more detailed breakdown handed to the customer so they can run it themselves.
Steps:
1. Edit /etc/haproxy/crt/v3.cnf with the details the customer provides, and rename the file, e.g. hive_crt.csr.cnf
2. Run the command below to generate the CSR file; change the paths in the command to the actual paths
openssl req -new -sha256 -nodes -out ./ssl/hive_crt.csr -newkey rsa:2048 -keyout ./ssl/hive_crt.key -config <( cat hive_crt.csr.cnf )
3. Send the CSR file to the customer; once the customer has issued the certificate they send the CRT file back to us. Rename it, e.g. hive_crt.crt
4. Generate the pem file with the command below; change the paths to the actual paths
cat ./ssl/hive_crt.crt ./ssl/hive_crt.key |tee ./ssl/hive_crt.pem
5. Generate server.pfx with the command below; change the paths to the actual paths. You will be prompted for a password during this step: enter sobey
openssl pkcs12 -export -out ./ssl/server.pfx -inkey ./ssl/hive_crt.key -in ./ssl/hive_crt.crt
6. Replace /etc/haproxy/crt/hive_crt.crt, hive_crt.key and hive_crt.pem with the generated files
7. Replace /sobeyhive/app/jove/crt/server.pfx with the generated server.pfx
8. Restart haproxy/jove
Below is the certificate generation procedure given to the customer, for reference
2. Upload this file to frameworknode01:/home/docker/certificate; you may need to create the certificate folder first
3. Log in to frameworknode01 with PuTTY and change to the target folder: cd /home/docker/certificate
4. Run the command openssl req -new -sha256 -nodes -out hive_crt.csr -newkey rsa:2048 -keyout hive_crt.key -config <( cat hive_crt.cnf )
5. hive_crt.csr and hive_crt.key will be generated
6. Run the command openssl req -text -noout -in hive_crt.csr to check whether the content is correct
7. Send hive_crt.csr to have the CRT file generated
8. Rename the received CRT file to hive_crt.crt
9. Upload hive_crt.crt to frameworknode01:/home/docker/certificate
10. Run the command cat hive_crt.crt hive_crt.key |tee hive_crt.pem to generate the pem file
11. Run the command openssl pkcs12 -export -out server.pfx -inkey hive_crt.key -in hive_crt.crt to generate the pfx file; enter the password sobey when prompted
12. Then replace the existing files (cnf/crt/pem/key/csr files) in /etc/haproxy/crt on all 3 framework servers
13. Then replace the existing files (cnf/crt/pem/key/csr files) in /etc/haproxy/crt on all platform servers
14. Then replace the existing server.pfx file in /sobeyhive/app/jove-XXX/Jove/certificate on all content management servers; jove-XXX means the latest one
15. Restart haproxy with the command sudo service haproxy restart on all 3 framework servers, one by one
16. Restart all Jove docker containers with the scripts stop_jove.sh and start_jove.sh on all content management servers, one by one
17. Restart the nginx service on all platform servers with the command sudo service nginx restart
18. In the meantime IT should have distributed the certificate to all clients so they have the new certificate.
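As an added example (not part of this post), a POSIX shell script that performs steps 4 and 5 of the first list (steps 10 and 11 of the customer list) and checks the result before the files are copied in step 6 / step 12: that the CA-issued CRT actually matches the generated private key, that the PEM holds the certificate before the key, and that server.pfx opens with the password. openssl on PATH, the WORKDIR variable and the self-signed test material are assumptions; in real use point WORKDIR at the folder holding hive_crt.key and the customer's hive_crt.crt and skip make_test_material.

```shell
# Added example (not from the original post): build hive_crt.pem and server.pfx
# as steps 4-5 / customer steps 10-11 do, then verify key, cert, pem and pfx fit
# together before anything is copied to /etc/haproxy/crt. Assumes openssl is on
# PATH; WORKDIR and PFX_PASS are placeholders (post: ./ssl, password "sobey").
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"
PFX_PASS="${PFX_PASS:-sobey}"
# Constructed self-signed key+cert so this runs offline; in the real flow the
# key comes from step 2 and hive_crt.crt comes back from the customer's CA.
make_test_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=hive.example.test" \
    -keyout "$WORKDIR/hive_crt.key" -out "$WORKDIR/hive_crt.crt" 2>/dev/null
}

# Step 4: haproxy reads one PEM with the certificate first and the key after it.
build_pem() {
  cat "$WORKDIR/hive_crt.crt" "$WORKDIR/hive_crt.key" > "$WORKDIR/hive_crt.pem"
  chmod 600 "$WORKDIR/hive_crt.pem" "$WORKDIR/hive_crt.key"  # both contain the private key
}

# Step 5: PKCS#12 bundle for Jove, password passed non-interactively.
build_pfx() {
  openssl pkcs12 -export -out "$WORKDIR/server.pfx" -inkey "$WORKDIR/hive_crt.key" \
    -in "$WORKDIR/hive_crt.crt" -passout "pass:$PFX_PASS"
}

# The CA-issued certificate must carry the public key of our private key:
# compare SHA-256 of both DER public keys (independent of key type).
key_matches_cert() {
  k=$(openssl pkey -in "$WORKDIR/hive_crt.key" -pubout -outform DER | openssl sha256)
  c=$(openssl x509 -in "$WORKDIR/hive_crt.crt" -pubkey -noout \
      | openssl pkey -pubin -outform DER | openssl sha256)
  [ "$k" = "$c" ]
}

# Exactly one certificate and one private key in the PEM, certificate first.
pem_is_ordered() {
  awk '/BEGIN CERTIFICATE/ { c++; if (k) bad = 1 }
       /BEGIN.*PRIVATE KEY/ { k++ }
       END { exit (c == 1 && k == 1 && !bad) ? 0 : 1 }' "$WORKDIR/hive_crt.pem"
}

# The pfx must open with the password and still contain the certificate.
pfx_is_valid() {
  openssl pkcs12 -in "$WORKDIR/server.pfx" -passin "pass:$PFX_PASS" -nokeys -clcerts 2>/dev/null \
    | grep -q 'BEGIN CERTIFICATE'
}
# Returns 0 only when every check passes; run this before step 6 / customer step 12.
verify_all() { key_matches_cert && pem_is_ordered && pfx_is_valid; }
```

To try it stand-alone: `. ./check_cert.sh; make_test_material; build_pem; build_pfx; verify_all && echo OK` (file name is a placeholder). A non-zero exit from verify_all means the files must not be copied to the servers.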