Skip to content

Certificates

Note

The following examples assume the home directory path is /home/dataman and the project directory path is /home/dataman/n6.

Note

Self-signed certificates are inherently insecure (since they lack a chain of trust). Please contact your IT Admin if you are unsure/unaware of the consequences of generating & using self-signed certificates. These instructions should be used for development environments only.

It is recommended to encrypt communication between n6 and other n6 components/tools, and to provide passwordless authentication. Use your own x509 certificates in production environment, or create some CA certificate and use it to sign some test certificates in development environment. You can use the provided bash script, generate_ca.sh, to generate the CA and generate_certs.sh server/client certificate:

$ mkdir ~/certs
$ cp /home/dataman/n6/etc/ssl/generate_ca.sh ~/certs
$ cp /home/dataman/n6/etc/ssl/generate_certs.sh ~/certs
$ cp /home/dataman/n6/etc/ssl/openssl.cnf ~/certs
$ cd /home/dataman/certs

Just before running the script, modify the generate_certs.sh file to set generated certificate’s subject parts, e.g.:

CN=login@example.com
ORG=example.com

Important: values CN and ORG have to match user’s logging and organization ID he belongs to, so they must be the same as login and organization ID added by the n6populate_auth_db command!

Generate the self-signed root CA certificate, by running the command only once:

$ ./generate_ca.sh
+ DAYS=1365
+ OPENSSL_CNF=openssl.cnf
+ mkdir -p n6-CA/certs n6-CA/private
+ touch n6-CA/index.txt
+ touch n6-CA/index.txt.attr
+ echo 12
+ openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 1365 -out generated_certs/n6-CA/cacert.pem -outform PEM -subj /CN=n6-CA/ -nodes
Generating a RSA private key
.................+++++
....................................+++++
writing new private key to 'n6-CA/private/cakey.pem'

Generate the server/client certificate, by running the command, as many times as you want. Do not forget increment the serial number if the certificate with the same serial.

$ ./generate_certs.sh
+ DAYS=1365
+ CN=login@example.com
+ ORG=example.com
+ OPENSSL_CNF=openssl.cnf
+ echo 12
+ openssl genrsa -out generated_certs/key.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
........................+++++
............+++++
e is 65537 (0x010001)
+ openssl req -new -key key.pem -out generated_certs/req.csr -outform PEM -subj /CN=login@example.com/O=example.com/ -nodes
+ openssl ca -config openssl.cnf -in generated_certs/req.csr -out generated_certs/cert.pem -days 1365 -notext -batch -extensions server_and_client_ca_extensions
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'login@example.com'
organizationName      :ASN.1 12:'example.com'
Certificate is to be certified until Oct 27 15:46:19 2025 GMT (1365 days)
Write out database with 1 new entries
Data Base Updated

Script should generate some files. Most important are:

  • cert.pem
  • key.pem
  • N6-CA/cacert.pem

Generated files will be used to authenticate some requests to n6 Rest API and RabbitMQ.