To generate a self-signed certificate, you must use the openssl utility to generate a private key and a self-signed certificate for that key.
About this task
The Discover-DNCA package provides the openssl utility in the directory /usr/local/dncauser/bin.
The following steps assume that you logged in to the DNCA host machine as user root. To generate a self-signed certificate:
Procedure
- Generate the private key. The following example generates a 2048-bit RSA key file named example.key:
/usr/local/dncauser/bin/openssl genrsa -out example.key 2048
- Generate the self-signed certificate. The following example generates a self-signed certificate file named example.crt by using the private-key file example.key generated in step 1. With option -days 365, the certificate is valid for the next 365 days (one year):
/usr/local/dncauser/bin/openssl req -x509 -new -days 365 -key example.key -out example.crt
The openssl req command interactively prompts for various values. The following table displays the prompts and sample replies:
| Prompt | Sample Reply |
| --- | --- |
| Country Name (2 letter code) | US |
| State or Province Name (full name) | California |
| Locality Name (for example, city) | San Francisco |
| Organization Name (for example, company) | Unica Discover |
| Organizational Unit Name (for example, section) | Release Engineering |
| Common Name (for example, YOUR name) | DNCA.Discover.com |
| Email Address | root@DNCA.Discover.com |
The common name must be the fully qualified DNS name of the DNCA host machine. If the host machine does not have a DNS name that is assigned to it, then use the IP address of the machine.
- Now, set the appropriate file ownership and permissions:
- All private key files must be readable only by the user account that needs read access to the file. The following chmod and chown commands set the ownership and permissions so that only the capture processes running as user dncauser can access file example.key:
chmod go= example.key
chown dncauser example.key
- Place the files in a directory accessible by the user account. For certificate and key files that are used by the Network Capture software, place the files in directory /usr/local/dncauser/etc.
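The checks below verify the outcome of the procedure: key permissions and ownership, that example.crt carries the public key of example.key, and the remaining validity. This is an added example, not part of the product documentation; it assumes a Linux host with GNU stat, and the function names, the 30-day margin and the script file name are illustrative.

```shell
#!/bin/sh
# Added example: checks on the key/certificate pair produced by the procedure.
# Assumption: use the DNCA-bundled openssl, else fall back to openssl on PATH.
OPENSSL=/usr/local/dncauser/bin/openssl
[ -x "$OPENSSL" ] || OPENSSL=openssl

# Succeeds only when group and other have no permission bits (after chmod go=).
key_is_private() {
    mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Succeeds only when the file owner is the named account (after chown).
key_owned_by() {
    owner=$(stat -c '%U' "$1") || return 2
    [ "$owner" = "$2" ]
}

# Succeeds only when the certificate carries the public key of this RSA key.
key_matches_cert() {
    k=$("$OPENSSL" rsa -in "$1" -noout -modulus 2>/dev/null) || return 2
    c=$("$OPENSSL" x509 -in "$2" -noout -modulus 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds only when the certificate is still valid N days from now.
cert_valid_for_days() {
    "$OPENSSL" x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# usage: audit_pair KEY CERT OWNER; the 30-day margin is an assumed threshold.
audit_pair() {
    rc=0
    key_is_private "$1" || { echo "FAIL: $1 is accessible to group or other" >&2; rc=1; }
    key_owned_by "$1" "$3" || { echo "FAIL: $1 is not owned by $3" >&2; rc=1; }
    key_matches_cert "$1" "$2" || { echo "FAIL: $2 does not match $1" >&2; rc=1; }
    cert_valid_for_days "$2" 30 || { echo "FAIL: $2 expires within 30 days" >&2; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $1 and $2 pass all checks"
    return "$rc"
}

# Run the audit only when called with arguments, for example
# (check_pair.sh is a hypothetical file name for this script):
#   sh check_pair.sh example.key example.crt dncauser
if [ "$#" -eq 3 ]; then
    audit_pair "$@"
fi
```

A non-zero exit status from audit_pair means at least one check failed; the FAIL lines on standard error name which one.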