Self-signed Certificate Creation Methods

If the inference service uses HTTPS, a CA must issue the server and client certificates. You are advised to obtain CA certificates from a professional CA; X.509v3 certificates are recommended for authentication. For security reasons, create self-signed certificates only in a non-production environment.

For security purposes, the RSA key length must be at least 2048 bits; 4096-bit keys are recommended. Make sure the -aes256 option is used to encrypt the private key: if the password entered at the prompt is empty, the private key is written in plaintext, which is a security risk. MD5, SHA1, and 1024-bit RSA are not recommended because they are no longer considered secure. Set the certificate validity period appropriately; a validity period of at most 36 months is recommended.

  1. Use OpenSSL to create a CA certificate.
    1. Log in to the Linux server with OpenSSL installed.
    2. Run the following command to create a working directory and enter the directory:
      mkdir ca && cd ca 
    3. Create the OpenSSL configuration file ca_cert.conf for the CA certificate. The file content is as follows:
      [ req ] 
      distinguished_name = req_distinguished_name 
      prompt = no 
       
      [ req_distinguished_name ] 
      O = mxManufacture 
      [ v3_ca ]
      subjectKeyIdentifier = hash
      authorityKeyIdentifier = keyid:always,issuer
      basicConstraints = critical, CA:true
      keyUsage = critical, digitalSignature, cRLSign, keyCertSign
    4. Create the private key file ca.key of the CA certificate.
      openssl genrsa -aes256 -out ca.key 4096
      Figure 1 Setting the CA password
      Set a sufficiently strong password. The password must contain at least eight characters drawn from at least two of the following types: digits, uppercase letters, lowercase letters, and special characters. Do not use common weak passwords.
      • To store and manage the password of the CA root certificate, you are advised to use the Huawei KMC component rather than keeping the key in plaintext. When using keys in programs, take security measures such as destroying sensitive information after use.
      • Keep the private key ca.key of the CA certificate secure. Do not store it on the production server.
    5. Create the CSR request file ca.csr of the CA certificate.
      openssl req -out ca.csr -key ca.key -new -config ./ca_cert.conf 
    6. Create the self-signed CA certificate ca.crt.
      openssl x509 -req -in ca.csr -out ca.crt -sha256 -days 1000 -extfile ./ca_cert.conf -extensions v3_ca -signkey ca.key
      Figure 2 Entering the CA password
  2. Issue a server certificate using the CA certificate.
    1. Log in to the server where the CA certificate is generated.
    2. Create a directory at the same level as the CA directory, and then go to the directory.
      mkdir server && cd server 
    3. Create the OpenSSL configuration file server_cert.conf of the server certificate. The file content is as follows:
      [ req ] 
      distinguished_name = req_distinguished_name 
      prompt = no 
       
      [ req_distinguished_name ] 
      O = mxManufacture 
      CN = 
      [ v3_ca ]
      authorityKeyIdentifier = keyid,issuer
      basicConstraints = CA:FALSE
      keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

      Set the CN field to the server's domain name or IP address, as required.

    4. Create private key file server.key of the server certificate.
      openssl genrsa -aes256 -out server.key 4096
      Figure 3 Setting the server password
      • Set a sufficiently strong password. The password must contain at least eight characters drawn from at least two of the following types: digits, uppercase letters, lowercase letters, and special characters. Do not use common weak passwords.
      • If the server certificate is used as the StreamServer server certificate, the password can contain a maximum of 100 characters.
      • When the server starts, the private key corresponding to the server certificate is required. You are advised to use the Huawei KMC component to manage and use the key instead of using a plaintext key. When using keys in programs, take security measures such as destroying sensitive information after use.
    5. Create the CSR request file server.csr of the server certificate.
      openssl req -out server.csr -key server.key -new -config ./server_cert.conf 
    6. Use the CA certificate to issue the server certificate server.crt.
      openssl x509 -req -in server.csr -out server.crt -sha256 -CAcreateserial -days 1000 -extfile ./server_cert.conf -extensions v3_ca -CA ../ca/ca.crt -CAkey ../ca/ca.key
       

      Enter the CA password.

  3. Issue a client certificate using the CA certificate.
    1. Log in to the server where the CA certificate is generated.
    2. Create a directory at the same level as the CA directory, and then go to the directory.
      mkdir client && cd client 
    3. Create the OpenSSL configuration file client_cert.conf of the client certificate. The file content is as follows:
      [ req ] 
      distinguished_name = req_distinguished_name 
      prompt = no 
       
      [ req_distinguished_name ] 
      O = mxmanufacture 
      CN = 
      [ v3_ca ]
      authorityKeyIdentifier = keyid,issuer
      basicConstraints = CA:FALSE
      keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

      Change the value of the CN field to the domain name and IP address of the server as required.

    4. Create the private key file client.key of the client certificate.
      openssl genrsa -aes256 -out client.key 4096 
      Figure 4 Setting the client password
      • Set a sufficiently strong password. The password must contain at least eight characters drawn from at least two of the following types: digits, uppercase letters, lowercase letters, and special characters. Do not use common weak passwords.
      • When the server starts, the private key corresponding to the server certificate is required. Do not use a plaintext key; you are advised to use the Huawei KMC component to manage and use the key. When using keys in programs, take security measures such as destroying sensitive information after use.
    5. Create the CSR request file client.csr of the client certificate.
      openssl req -out client.csr -key client.key -new -config ./client_cert.conf
    6. Use the CA certificate to issue the client certificate client.crt.
      openssl x509 -req -in client.csr -out client.crt -sha256 -CAcreateserial -days 1000 -extfile ./client_cert.conf -extensions v3_ca -CA ../ca/ca.crt -CAkey ../ca/ca.key

      Enter the CA password.

      • If you create self-signed certificates with the preceding procedure, you are advised to set the permissions of the directory containing the certificates, private keys, and other sensitive information to 700, and the permissions of the certificate, private key, and sensitive configuration files to 400. For details, see the keys directory generated by the Huawei KMC component.
      • After the self-signed certificates are created, delete the intermediate files generated during creation, such as ca_cert.conf, server_cert.conf, and client_cert.conf, to prevent information leakage.
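The following shell script is an added example, not part of this documentation or of the product: it runs the three steps above non-interactively and then checks the result against the rules stated at the top of the page (chain to ca.crt, encrypted keys, RSA of at least 2048 bits, SHA-256 signatures, CA:FALSE on leaf certificates, validity of at most 36 months). Assumptions that are not on the page: passwords are supplied with -passout/-passin instead of being typed at the prompt; the server certificate additionally carries a subjectAltName extension, which modern TLS clients require because they ignore CN; the host name inference.example.test and the client CN inference-client are placeholders; and the key size is a parameter so that a quick trial can use the 2048-bit minimum the page permits.

```shell
#!/bin/sh
# Added example (not from the original documentation): the three steps above run
# non-interactively, followed by the checks worth running on the result.
# Assumptions not on the page: -passout/-passin instead of the interactive prompt,
# a subjectAltName on the server certificate, placeholder names, parameterised bits.
set -eu

# make_pki ROOT CA_PASS LEAF_PASS [HOST] [BITS]
make_pki() {
  root=$1; ca_pass=$2; leaf_pass=$3
  host=${4:-inference.example.test}   # placeholder server name (constructed)
  bits=${5:-4096}                      # page: at least 2048, 4096 recommended
  mkdir -p "$root/ca" "$root/server" "$root/client"

  # Step 1: CA key, CSR and self-signed root certificate (ca_cert.conf as on the page).
  cat > "$root/ca/ca_cert.conf" <<EOF
[ req ]
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
O = mxManufacture

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
EOF
  openssl genrsa -aes256 -passout "pass:$ca_pass" -out "$root/ca/ca.key" "$bits"
  openssl req -new -key "$root/ca/ca.key" -passin "pass:$ca_pass" \
    -config "$root/ca/ca_cert.conf" -out "$root/ca/ca.csr"
  openssl x509 -req -in "$root/ca/ca.csr" -out "$root/ca/ca.crt" -sha256 -days 1000 \
    -extfile "$root/ca/ca_cert.conf" -extensions v3_ca \
    -signkey "$root/ca/ca.key" -passin "pass:$ca_pass"

  # Steps 2 and 3: key, CSR and CA-issued certificate for the server and the client.
  for kind in server client; do
    if [ "$kind" = server ]; then
      cn=$host; san="subjectAltName = DNS:$host"   # SAN is an addition, see lead-in
    else
      cn=inference-client; san=""                  # placeholder client identity
    fi
    cat > "$root/$kind/${kind}_cert.conf" <<EOF
[ req ]
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
O = mxManufacture
CN = $cn

[ v3_ca ]
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
$san
EOF
    openssl genrsa -aes256 -passout "pass:$leaf_pass" -out "$root/$kind/$kind.key" "$bits"
    openssl req -new -key "$root/$kind/$kind.key" -passin "pass:$leaf_pass" \
      -config "$root/$kind/${kind}_cert.conf" -out "$root/$kind/$kind.csr"
    openssl x509 -req -in "$root/$kind/$kind.csr" -out "$root/$kind/$kind.crt" -sha256 \
      -CAcreateserial -days 1000 -extfile "$root/$kind/${kind}_cert.conf" \
      -extensions v3_ca -CA "$root/ca/ca.crt" -CAkey "$root/ca/ca.key" -passin "pass:$ca_pass"
  done

  # Hardening from the closing notes: 700 on directories, 400 on keys and
  # certificates, intermediate CSR and configuration files removed.
  chmod 700 "$root/ca" "$root/server" "$root/client"
  chmod 400 "$root"/*/*.key "$root"/*/*.crt
  rm -f "$root"/*/*.csr "$root"/*/*_cert.conf
}

# key_bits CERT: print the RSA modulus size carried by the certificate.
key_bits() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# verify_pki ROOT HOST: return 0 only if every artefact meets the page's rules.
verify_pki() {
  root=$1; host=$2
  grep -q ENCRYPTED "$root/ca/ca.key" || return 1                  # CA key is not plaintext
  for kind in server client; do
    crt="$root/$kind/$kind.crt"
    openssl verify -CAfile "$root/ca/ca.crt" "$crt" >/dev/null || return 1   # chains to our CA
    grep -q ENCRYPTED "$root/$kind/$kind.key" || return 1                    # key is encrypted
    [ "$(key_bits "$crt")" -ge 2048 ] || return 1                            # RSA >= 2048 bits
    txt=$(openssl x509 -in "$crt" -noout -text)
    echo "$txt" | grep -q sha256WithRSAEncryption || return 1               # no SHA1/MD5
    echo "$txt" | grep -q 'CA:FALSE' || return 1                             # a leaf, not a CA
    # -checkend N succeeds if the certificate is still valid N seconds from now; it must
    # fail at 36 months (94608000 s), otherwise the validity period is too long.
    if openssl x509 -in "$crt" -noout -checkend 94608000 >/dev/null; then return 1; fi
  done
  openssl x509 -in "$root/server/server.crt" -noout -text | grep -q "DNS:$host" || return 1
}
```

Usage: make_pki ./pki 'CA password' 'leaf password' inference.example.test, then verify_pki ./pki inference.example.test; a non-zero exit from verify_pki means one of the rules above was violated. The passwords are given on the command line only for illustration; in practice supply them from a secrets store such as the KMC component mentioned above rather than from a shell history.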