Self-Signed Certificate Generation
Self-signed certificates are not recommended to be used in production environments. For production environments, it is advisable to use a trusted certificate issuer. This section outlines a practical way to generate a self-signed certificate for test and demo purposes. |
The NOM Server contains a utility to generate a self-signed certificate suitable for your environment.
To invoke the utility and get help on usage, navigate to the NOM Server folder and execute the following command:
$> java -jar ./lib/server.jar ssc --help
utility to generate self signed certificate for TEST purposes only
sample usage:
to generate a self signed certificate for 'localhost', which could either be
accessed through DNS names of 'localhost.localdomain' or 'my.custom.domain', or
with IP addresses of '127.0.0.1' or '192.168.100.5';
$> java -jar ./lib/server.jar ssc -n localhost -o /tmp -p changeit \
-d localhost.localdomain,my.custom.domain \
-i 127.0.0.1,192.168.100.5
it creates /tmp/localhost.cer and /tmp/localhost.pfx files upon completion.
options (required options marked with *):
-d, --dns=<dns>[,<dns>...]
list of dns names to use to access the
server, eg. --dns=localhost.localdomain,test.
local.domain
-i, --ip=<ip>[,<ip>...] list of IP addresses to use to access the
server, eg. --ip=127.0.0.1,192.168.100.55
* -n, --name=<name> common name to use in generated certificate,
eg. --name=localhost
* -o, --output=<output> target directory, eg. --output=.
* -p, --password=<password> password for generated PKCS12 file
-h, --help help
If you are generating a certificate for running the server on localhost
, localhost
is the primary name set as Subject Name field on the certificate and is also used as the name of generated files.
For the certificate to be identified as valid, it also needs to include alternative names used to access the server.
Assume there are also a number of virtual machines that access the server through IP addresses 192.168.10.1
and 172.16.10.1
.
Furthermore, a local DNS alias nom.example.com
is set up for localhost
.
In order to generate a self-signed certificate for the above example, execute the following command;
java -jar ./lib/server.jar ssc -n localhost \
-o ./certificates \
-p changeit \
-d nom.example.com \
-i 192.168.10.1,172.16.10.1
It generates a key pair and a self-signed certificate and creates localhost.cer
and localhost.pfx
files inside ./certificates
directory.
localhost.pfx
is assigned the password changeit
which is provided to the command as an argument.
You can then use these two files to configure the server and agents for TLS encrypted communication.
Was this page helpful?