To create the keystore and trust store, use the following procedure.

1. Log in to the system running the SDN Controller and stop the controller.

2. Back up your default /opt/sdn/admin/keystore and /opt/sdn/admin/truststore to a safe location.

3. Create a new keystore using the following command:

   keytool -genkey -alias serverKey -keyalg rsa -keysize 2048 -keystore keystore

   You must specify the fully qualified domain name of your server for the "first and last name" question, because some CAs, such as VeriSign, expect it.

4. Generate a CSR (Certificate Signing Request) for signing:

   keytool -keystore keystore -certreq -alias serverKey -keyalg rsa -file sdn-server.csr

5. Send the sdn-server.csr file to a CA to be signed. The CA will authenticate you and return a signed certificate and its CA certificate chain. We assume the signed certificate from the CA is named signed.cer and the CA's certificate is root.cer. If root.cer is from your own internal CA, you also need to import root.cer into your browser as a trusted authority.

6. Import the CA root certificate into both your keystore and your truststore:

   keytool -importcert -trustcacerts -keystore keystore -file root.cer -alias CARoot
   keytool -importcert -trustcacerts -keystore truststore -file root.cer -alias CARoot

7. Replace the self-signed certificate in your serverKey entry with the signed certificate from your CA (signed.cer):

   keytool -importcert -keystore keystore -file signed.cer -alias serverKey

8. If you are operating a team of controllers in your environment, turn off self-signing for inter-controller communication: under /opt/sdn/virgo/repository/usr, change the "selfsigned" value to false for the following component:

9. If you set a different password than the default "skyline" password for your keystore, edit /opt/sdn/virgo/configuration/tomcat-server.xml and change the keystorePass value in the <Connector port="8443"…> tag to the new keystore password.

10. Start the controller. Continue to the next section if you are using a different keystore and truststore password than the default "skyline" password.
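The tomcat-server.xml edit in step 9 is easy to get wrong by hand, and a controller left on the default "skyline" keystore password is a common audit finding. The following is an added example (not part of the original HP documentation or the controller's own tooling) that audits the keystorePass attribute on the port-8443 Connector and rewrites it; the XML below is a constructed sample of the file, not the real one, and the attribute set is assumed.

```python
import xml.etree.ElementTree as ET

DEFAULT_PASSWORD = "skyline"   # the controller's shipped default, per the procedure above

# Constructed sample of /opt/sdn/virgo/configuration/tomcat-server.xml (not the real file).
# Only the <Connector port="8443" ...> tag and its keystorePass attribute matter here.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               keystoreFile="/opt/sdn/admin/keystore" keystorePass="skyline"/>
  </Service>
</Server>
"""


def find_tls_connector(root, port="8443"):
    """Return the <Connector> element for the given port, or None if absent."""
    return root.find(".//Connector[@port='%s']" % port)


def audit_keystore_password(xml_text, port="8443"):
    """Return the keystorePass currently configured on the TLS connector."""
    conn = find_tls_connector(ET.fromstring(xml_text), port)
    if conn is None:
        raise LookupError("no <Connector port=%r> found in tomcat-server.xml" % port)
    return conn.get("keystorePass")


def uses_default_password(xml_text, port="8443"):
    """True when the connector still carries the shipped default keystore password."""
    return audit_keystore_password(xml_text, port) == DEFAULT_PASSWORD


def set_keystore_password(xml_text, new_password, port="8443"):
    """Return the XML with keystorePass on the port-N connector replaced.

    Refuses to (re)apply the default password; every other attribute of the
    connector and the other connectors are left untouched.  The XML declaration
    is dropped by ElementTree on serialisation, which Tomcat tolerates.
    """
    if not new_password or new_password == DEFAULT_PASSWORD:
        raise ValueError("keystore password must be set to a non-default value")
    root = ET.fromstring(xml_text)
    conn = find_tls_connector(root, port)
    if conn is None:
        raise LookupError("no <Connector port=%r> found in tomcat-server.xml" % port)
    conn.set("keystorePass", new_password)
    return ET.tostring(root, encoding="unicode")
```

Run audit_keystore_password against the live file after step 9 to confirm the value matches the password you gave keytool, since a mismatch only surfaces as a connector start-up failure when the controller is restarted.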