How to Use Self-Signed Certificates with DSS 6 - DSS 6 | Data Source Solutions Documentation

How to Use Self-Signed Certificates with DSS 6

Question

How to use Self-Signed Certificates with DSS 6

Environment

DSS 6

Answer

Self-signed certificates allow you to establish TLS connections within a private network without relying on public Certificate Authorities (CAs). For DSS 6 this is a practical way to encrypt data transfers between systems without external validation. Strictly, the procedure below creates a private CA whose root certificate is self-signed and uses that CA to sign the Hub Server’s certificate; clients accept the server once the root certificate is installed in their trust store. Because no public CA vouches for that root, the security of the setup rests on distributing dss6.pem to clients through a trusted channel and keeping the CA’s private key (dss6.key) secret.

This guide outlines the steps to set up self-signed certificates for DSS 6. This includes creating a CA, generating self-signed certificates for the DSS Hub Server, and installing the root certificate on your machines.

Prerequisites

Before generating the CA and Hub Server certificates, ensure the following prerequisites are met:

  • Administrative (root) privileges
  • Access to a terminal or command prompt
  • OpenSSL installed
  • A text editor (such as vim, nano, or Notepad)

If you are unable to generate the CA or Hub Server certificates, contact your IT or system administrator for assistance.

Generate the CA and Hub Server Certificates

To generate the CA and Hub Server self-signed certificates, you can follow either of the two methods below - a step-by-step manual process or an automated bash script for faster setup.

Manual Steps

Perform the following steps to generate the CA and Hub Server self-signed certificates:

  1. Create a directory (e.g., /etc/ssl) for certificates:

    sudo mkdir -p /etc/ssl
    cd /etc/ssl
    

All files generated in the following steps will be saved in this directory. Note that /etc/ssl is owned by root, so either run the remaining commands as root or pick a directory your own user owns; either way, restrict access to the private keys (the .key and .priv_key files) to the account that needs them.

  2. Create the Certificate Authority (CA):

    1. Generate the CA’s private key (e.g., dss6.key):

      openssl genrsa -des3 -out dss6.key 2048
      

      When prompted, enter a password. Securely save this password, as you will need it to sign future certificates.

    2. Generate the CA’s public certificate (e.g., dss6.pem), valid for 1825 days:

      openssl req -x509 -new -nodes -key dss6.key -sha256 -days 1825 -out dss6.pem
      

      When prompted, enter the following details for the certificate:

      • Country Name (2-letter code, e.g., US)
      • State or Province Name (full name, e.g., California)
      • Locality Name (city, e.g., Oakland)
      • Organization Name (e.g., MyCompany)
      • Common Name (e.g., MyCompany DSS6 CA). Use a name that identifies the CA itself, not the Hub Server’s hostname, so that the two certificates are easy to tell apart and the Hub Server certificate is never mistaken for a self-signed one.
      • Email Address (e.g., admin@yourcompany.com)

    The above commands create the following CA files in your /etc/ssl directory:

    • dss6.key
    • dss6.pem
  3. Generate the certificates for the DSS Hub Server:

    1. Generate the Hub Server’s private key (e.g., dsshubserver.priv_key):

      openssl genrsa -out dsshubserver.priv_key 2048
      
    2. Generate a Certificate Signing Request (CSR) for the DSS Hub Server using the private key:

      openssl req -new -key dsshubserver.priv_key -out dsshubserver.csr
      

      When prompted, enter the following details for the certificate:

      • Country Name (2-letter code, e.g., US)
      • State or Province Name (full name, e.g., California)
      • Locality Name (city, e.g., Oakland)
      • Organization Name (e.g., MyCompany)
      • Common Name (e.g., dsshubserver.local). This is the hostname that is required in the next step.
      • Email Address (e.g., admin@yourcompany.com)

      Do not enter any values for the 'extra' attributes, and do not enter a challenge password.

    3. Create a certificate extensions configuration file (e.g., dsshubserver.ext) in the /etc/ssl directory to define the Subject Alternative Names (SANs) for the Hub Server’s TLS certificate. Replace the DNS.1 value with the hostname of your DSS Hub Server, written without brackets or quotes. In this example, the hostname (the Common Name entered in the previous command) for the DSS Hub Server is dsshubserver.local.

      ```
      authorityKeyIdentifier=keyid,issuer
      basicConstraints=CA:FALSE
      keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
      subjectAltName = @alt_names
      
      [alt_names]
      DNS.1 = dsshubserver.local
      ```

    Note: The SAN extension lets one certificate be valid for several names. Add further hostnames as DNS.2, DNS.3, and so on, and IP addresses as IP.1, IP.2, and so on (an IP address placed in a DNS.n entry will not match). Most browsers and many TLS libraries ignore the Common Name and match the hostname against the SAN list only, so a certificate without a SAN for the hostname is rejected even if the Common Name is correct.

    4. Generate the DSS Hub Server’s CA-signed public certificate, valid for 825 days (the -days value below; do not raise it above 825, because Apple platforms reject TLS server certificates with a longer validity period):

    Use the CA to sign the CSR and generate the Hub Server’s public certificate.

    ```
    openssl x509 -req -in dsshubserver.csr -CA dss6.pem -CAkey dss6.key -CAcreateserial -out dsshubserver.pub_cert -days 825 -sha256 -extfile dsshubserver.ext
    ```

    The following is displayed upon successful completion (the exact wording varies with the OpenSSL version; newer releases print the subject as comma-separated fields and report "Certificate request self-signature ok"):

    ```
    Signature ok
    subject=/C=US/ST=California/L=Oakland/O=MyCompany/CN=dsshubserver.local/emailAddress=info@datasourcesolutions.ai
    Getting CA Private Key
    ```

    Note: By signing the CSR, the CA asserts that the public key in the CSR belongs to the named Hub Server and issues a certificate carrying that assertion. The signature is made with the CA’s private key (dss6.key) and can be checked with the CA’s public certificate (dss6.pem); a client that trusts dss6.pem therefore accepts any certificate the CA has signed, which is the chain of trust. Because it is your own CA doing the signing, that assurance is only as strong as your control over dss6.key.

    The above commands create the following files in your /etc/ssl directory:

    • dsshubserver.priv_key
    • dsshubserver.pub_cert

Using a Script

To save time, you can use the bash script provided below to automate the creation of the CA and the CA-signed certificate for the DSS Hub Server.

  • This script requires OpenSSL.
  • Unlike the manual steps, the script creates the CA private key without a passphrase (-nodes) so that it can run unattended; protect ca.key with file permissions and never copy it to the Hub Server.
  • This script is designed for Unix-like environments. If you’re using Windows, you have two options:
    • Run the script on a Linux or macOS machine (or in WSL or Git Bash, where it runs unchanged) to generate the certificates, then transfer the resulting certificate files to your Windows machine.
    • Modify the script to make it compatible with Windows syntax, such as updating the cat command and variable references.

  1. Save the following script (e.g., create_certificates.sh):

    #!/usr/bin/env bash
    # Creates a private CA and a CA-signed TLS certificate for the DSS Hub Server.
    # Run it from the directory where the files should be written.
    set -e

    #### Add below the DNS names for your hubserver (placeholders; replace them)
    DNS4=dss6
    DNS5=dss6.example.com
    DNS6=dss6.example.local

    #### Private CA. -nodes leaves ca.key unencrypted, so restrict its permissions.
    openssl req -x509 -nodes -new -sha512 \
    -days 365 -newkey rsa:4096 -keyout ca.key \
    -out ca.pem -subj "/C=US/CN=Data Source Solutions"
    chmod 600 ca.key
    openssl x509 -outform pem -in ca.pem -out ca.crt

    #### Extensions for the Hub Server certificate. Hostnames are DNS.n entries;
    #### IP addresses must be IP.n entries or clients will not match them.
    cat > v3.ext <<-EOF
    authorityKeyIdentifier=keyid,issuer
    basicConstraints=CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names
    [alt_names]
    
    #### Local hosts
    DNS.1 = localhost
    IP.1 = 127.0.0.1
    IP.2 = ::1
    
    #### List your domain names here
    DNS.4 = ${DNS4}
    DNS.5 = ${DNS5}
    DNS.6 = ${DNS6}
    EOF

    #### Hub Server private key and CSR
    openssl req -new -nodes -newkey rsa:4096 \
    -keyout dsshubserver.priv_key -out dsshubserver.csr \
    -subj "/C=US/ST=CA/L=Oakland/O=Data Source Solutions/CN=dsshubserver"
    chmod 600 dsshubserver.priv_key

    #### Sign the CSR with the CA
    openssl x509 -req -sha512 -days 365 \
    -extfile v3.ext \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -in dsshubserver.csr \
    -out dsshubserver.pub_cert
    
  2. Update the script to specify the Hub Server’s DNS names (e.g., DNS4, DNS5, DNS6).

  3. Make the script executable (chmod +x) and execute it:

    ./create_certificates.sh
    

    This will generate, in the current directory:

    • The CA’s private key and root certificate (ca.key and ca.pem; ca.crt is a copy of ca.pem). These play the role of dss6.key and dss6.pem from the manual steps, so wherever the sections below refer to dss6.pem, use ca.pem.
    • The DSS Hub Server private key and public certificate (dsshubserver.priv_key and dsshubserver.pub_cert).

Copy Certificates to the Hub Server

Copy the Hub Server’s certificate and private key (dsshubserver.pub_cert and dsshubserver.priv_key) to the $DSS_CONFIG/etc/cert directory of the DSS Hub Server. This is what lets you configure the DSS Hub Server for HTTPS, and it is normally done while installing the DSS Hub. Transfer the files over an encrypted channel (for example scp), make dsshubserver.priv_key readable only by the account the DSS Hub Server runs as, and do not copy the CA’s private key (dss6.key) to the server: it is only needed to sign further certificates and should stay on the machine where you generated it.

Install the Root Certificate on Your Machine

To trust the server certificate, each machine accessing the DSS Hub Server must recognize dss6.pem as a trusted root certificate. Distribute only dss6.pem (the public root certificate); dss6.key must never leave the CA machine, because anyone holding it can issue certificates that every client trusting this root will accept. Note that applications with their own trust store (for example Firefox, Java keystores, or Python’s certifi bundle) do not consult the operating-system store and must be configured separately.

Linux
  1. Copy the certificate file (dss6.pem) into the directory your distribution reads new trust anchors from. On Debian and Ubuntu this is /usr/local/share/ca-certificates/, and the file must have a .crt extension (e.g., dss6.crt) or update-ca-certificates ignores it; /etc/ssl/certs/ is the directory the tool writes to, not where you place the file. On RHEL, Fedora, and their derivatives, use /etc/pki/ca-trust/source/anchors/ and run sudo update-ca-trust instead of the command below.

  2. Run the following command to rebuild the certificate store so that dss6.pem is added to the system-wide list of trusted certificates:

    sudo update-ca-certificates
    
    
macOS
  1. Copy the certificate file (dss6.pem) to ~/Documents/keys (or any directory; adjust the path in the command below).

  2. Run the following command to add the dss6.pem certificate to the system keychain as a trusted root certificate:

    sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" ~/Documents/keys/dss6.pem
    

    Alternatively, you can open the Keychain Access app, go to File > Import Items…, select dss6.pem, and mark it as trusted.

Windows
  1. Copy the certificate file (dss6.pem) to your Windows machine.

  2. Run the following command from an elevated (Administrator) prompt to add the dss6.pem certificate to the machine-wide Trusted Root Certification Authorities store (use certutil.exe -addstore -user root .\dss6.pem to trust it for the current user only):

    certutil.exe -addstore root .\dss6.pem
    

    Alternatively, open Manage Computer Certificates (certlm.msc) for the machine store, or Manage User Certificates (certmgr.msc) for your own account, right-click Trusted Root Certification Authorities > Certificates, select All Tasks > Import, and choose dss6.pem.
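Installing the root does not by itself show whether a client now accepts the Hub Server. As an added example that is not part of this documentation: the script below serves the Hub Server’s certificate on a local port with openssl s_server and connects with openssl s_client three times, once with the root trusted and the right name, once with the root trusted and a wrong name, and once with no trust anchors at all; only the first must succeed, which confirms that it is the trusted root and the SAN list, not the server certificate by itself, that decide acceptance. The port 44433 and the throwaway self-signed certificate used for a stand-alone run are assumptions; with the files from this page, pass dsshubserver.pub_cert, dsshubserver.priv_key and dss6.pem, or the word system to use OpenSSL’s default store (on Linux, the one update-ca-certificates or update-ca-trust populates). It needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not from the DSS documentation): an end-to-end trust check
# with openssl s_server / s_client. Needs OpenSSL 1.1.1 or newer and a free
# local TCP port (44433 by default, an assumption).
set -e

# _client PORT [s_client options...]: one handshake to 127.0.0.1:PORT that is
# fatal on any verification error (-verify_return_error); exit 0 = accepted.
_client() {
  p=$1; shift
  openssl s_client -connect "127.0.0.1:$p" -verify 5 -verify_return_error "$@" \
    </dev/null >/dev/null 2>&1
}

# tls_trust_check CERT KEY CAFILE HOSTNAME [PORT]
#   CERT, KEY : what the Hub Server presents (dsshubserver.pub_cert / .priv_key)
#   CAFILE    : root the client trusts (dss6.pem), or "system" for OpenSSL's
#               default store (what update-ca-certificates / update-ca-trust fill)
#   HOSTNAME  : name the client connects with; must be in the certificate's SANs
# Returns 0 only if: trusted root + right name is accepted, trusted root +
# wrong name is refused, and a client with no trust anchors is refused.
tls_trust_check() {
  cert=$1; key=$2; cafile=$3; host=$4; port=${5:-44433}
  if [ "$cafile" = system ]; then set --; else set -- -CAfile "$cafile"; fi
  openssl s_server -accept "127.0.0.1:$port" -cert "$cert" -key "$key" -www -quiet \
    >/dev/null 2>&1 &
  srv=$!
  ok=1; n=0
  # wait for the listener: the trusted client must succeed within ~10 s
  while ! _client "$port" "$@" -verify_hostname "$host"; do
    n=$((n + 1))
    if [ "$n" -ge 10 ]; then ok=0; break; fi
    sleep 1
  done
  if [ "$ok" -eq 1 ]; then
    # same root, wrong hostname: the SAN mismatch must be refused
    _client "$port" "$@" -verify_hostname "wrong-$host" && ok=0
    # no trust anchors at all: "unable to get local issuer certificate"
    _client "$port" -no-CAfile -no-CApath && ok=0
  fi
  kill "$srv" 2>/dev/null || true
  wait "$srv" 2>/dev/null || true
  [ "$ok" -eq 1 ]
}

# make_demo_cert DIR HOSTNAME: a throwaway self-signed certificate (it is its
# own root) so this file runs stand-alone without the page's files.
make_demo_cert() {
  mkdir -p "$1"
  openssl req -x509 -nodes -newkey rsa:2048 -sha256 -days 30 \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
    -keyout "$1/hub.key" -out "$1/hub.pem" 2>/dev/null
}

# Stand-alone run: sh trust_check.sh demo
if [ "${1:-}" = "demo" ]; then
  make_demo_cert ./trust-demo dsshubserver.local
  if tls_trust_check ./trust-demo/hub.pem ./trust-demo/hub.key \
       ./trust-demo/hub.pem dsshubserver.local; then
    echo "trust check passed"
  else
    echo "trust check FAILED"
  fi
fi
```

The "system" option only reflects OpenSSL’s own default store; the macOS keychain and the Windows certificate store are not read by OpenSSL, so on those platforms pass dss6.pem explicitly and rely on the browser or application to confirm the system-level trust.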