config_mindie_server_tls_cert.py
Script Function
This script is used to manage certificates when HTTPS is enabled for EndPoint. It provides the following functions:
- Generates service certificates.
- Imports CA certificates.
- Deletes CA certificates.
- Imports service certificates and private keys.
- Deletes service certificates and private keys.
- Imports and updates CRLs.
- Queries information about imported certificates.
- Restores CA certificates.
- Restores service certificates.
A CA certificate is used to verify the validity of other certificates that the CA has signed. A server (service) certificate proves the identity of the server to its clients during the SSL/TLS handshake.
Parameters
| Parameter Type | Parameter | Description |
|---|---|---|
| Positional parameter | <project_path> | Installation path of the software package. |
| Positional parameter | <sub_command> | Subcommand: gen_cert (generate a certificate), import_ca (import a CA certificate), delete_ca (delete a CA certificate), import_cert (import a service certificate and private key), delete_cert (delete a service certificate and private key), import_crl (import or update a CRL), query (query information about imported certificates), restore_ca (restore a CA certificate), restore_cert (restore a service certificate). For details about how to use the subcommands, see Usage Guidelines. |
| Option parameter | --business | Type of service whose certificates are managed. The default is the HTTPS certificate. Set it to management for the HTTPS management certificate or grpc for the gRPC certificate. |
| Option parameter | --ip | IP address(es) to be written into the generated certificate, comma-separated (for example --ip=1.1.1.1,2.2.2.2). If no IP address is to be set in the certificate, use None. |
Certificate Specifications
- CA certificate specifications:
- The certificate must comply with the X.509 v3 standard.
- The certificate has not expired.
- You are advised to sign the certificate with the sha256WithRSAEncryption or sha512WithRSAEncryption algorithm.
- It is recommended that the keyUsage extension of the certificate contain the Certificate Sign (keyCertSign) and CRL Sign (cRLSign) bits.
- The RSA key length must be greater than or equal to 3072 bits.
- Service certificate specifications:
- The certificate must comply with the X.509 v3 standard.
- The certificate has not expired.
- You are advised to sign the certificate with the sha256WithRSAEncryption or sha512WithRSAEncryption algorithm.
- It is recommended that the keyUsage extension of the certificate contain the Certificate Sign (keyCertSign) and CRL Sign (cRLSign) bits.
- The RSA key length must be greater than or equal to 3072 bits.
- The certificate and the private key must match (the public key in the certificate must belong to the private key being imported).
- CRL specifications:
- The CRL has not expired (its nextUpdate time is in the future).
- The CRL is not empty (it lists at least one revoked certificate).
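The script rejects material that violates the specifications above at import time, so it is worth checking the files beforehand. The following added example (not part of the MindIE script or its documentation) builds a throwaway CA, service certificate and CRL in memory with the `cryptography` package that pyOpenSSL is built on, and then checks them against the listed specifications: X.509 v3, validity period, sha256/sha512WithRSAEncryption, keyCertSign and cRLSign on the CA, RSA key length of at least 3072 bits, certificate/private key match, the chain back to the CA, the subjectAltName IP addresses that correspond to the --ip option, and a CRL that is signed by the CA, not expired and not empty. The keys, names and IP addresses are constructed for the example only; the keyUsage recommendation is enforced for the CA certificate and the SAN check is added on top of the page's list.

```python
"""Pre-import check of CA certificate, service certificate and CRL specifications.

Added example, not MindIE code. Test material (keys, names, IPs) is constructed here.
"""
import datetime as dt
import ipaddress

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtensionOID, NameOID, SignatureAlgorithmOID

ALLOWED_SIG_ALGS = {SignatureAlgorithmOID.RSA_WITH_SHA256, SignatureAlgorithmOID.RSA_WITH_SHA512}
MIN_RSA_BITS = 3072
UTC = dt.timezone.utc


def _utc(obj, attr):
    """tz-aware validity timestamp; newer cryptography exposes *_utc, older ones naive UTC."""
    val = getattr(obj, attr + "_utc", None)
    return val if val is not None else getattr(obj, attr).replace(tzinfo=UTC)


def check_cert(cert, is_ca, now=None):
    """Return the list of specification violations; an empty list means the certificate passes."""
    now = now or dt.datetime.now(UTC)
    problems = []
    if cert.version != x509.Version.v3:
        problems.append("not X.509 v3")
    if not _utc(cert, "not_valid_before") <= now <= _utc(cert, "not_valid_after"):
        problems.append("expired or not yet valid")
    if cert.signature_algorithm_oid not in ALLOWED_SIG_ALGS:
        problems.append("signature algorithm is not sha256/sha512WithRSAEncryption")
    pub = cert.public_key()
    if not isinstance(pub, rsa.RSAPublicKey) or pub.key_size < MIN_RSA_BITS:
        problems.append(f"key is not RSA >= {MIN_RSA_BITS} bits")
    if is_ca:  # recommended keyUsage bits for the CA certificate
        try:
            ku = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE).value
            if not (ku.key_cert_sign and ku.crl_sign):
                problems.append("keyUsage lacks keyCertSign/cRLSign")
        except x509.ExtensionNotFound:
            problems.append("keyUsage extension missing")
    return problems


def key_matches(cert, key):
    """The service certificate and private key must belong together."""
    return cert.public_key().public_numbers() == key.public_key().public_numbers()


def issued_by(cert, ca_cert):
    """True if the certificate's RSA PKCS#1 v1.5 signature verifies under the CA's public key."""
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def san_ips(cert):
    """IP addresses in subjectAltName, for comparison with the values given to --ip."""
    try:
        san = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
    except x509.ExtensionNotFound:
        return set()
    return {str(ip) for ip in san.get_values_for_type(x509.IPAddress)}


def check_crl(crl, ca_cert, now=None):
    """CRL must be issued by the (first) CA, not expired, and not empty."""
    now = now or dt.datetime.now(UTC)
    problems = []
    if not crl.is_signature_valid(ca_cert.public_key()):
        problems.append("CRL not signed by the CA")
    if _utc(crl, "next_update") <= now:
        problems.append("CRL expired")
    if len(crl) == 0:
        problems.append("CRL is empty")
    return problems


# --- constructed test material: throwaway keys and names, not the page's files ---
def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _key_usage(ca):
    return x509.KeyUsage(digital_signature=not ca, content_commitment=False, key_encipherment=not ca,
                         data_encipherment=False, key_agreement=False, key_cert_sign=ca, crl_sign=ca,
                         encipher_only=False, decipher_only=False)


def _cert(subject, issuer, pub, signer, ca, ips=()):
    now = dt.datetime.now(UTC)
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer).public_key(pub)
         .serial_number(x509.random_serial_number())
         .not_valid_before(now - dt.timedelta(days=1)).not_valid_after(now + dt.timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
         .add_extension(_key_usage(ca), critical=True))
    if ips:
        b = b.add_extension(x509.SubjectAlternativeName(
            [x509.IPAddress(ipaddress.ip_address(i)) for i in ips]), critical=False)
    return b.sign(signer, hashes.SHA256())  # -> sha256WithRSAEncryption for an RSA signer


def _crl(ca_cert, ca_key, serials):
    now = dt.datetime.now(UTC)
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(now).next_update(now + dt.timedelta(days=7)))
    for s in serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(s).revocation_date(now).build())
    return b.sign(ca_key, hashes.SHA256())


CA_KEY, SERVER_KEY = rsa.generate_private_key(65537, 3072), rsa.generate_private_key(65537, 3072)
WEAK_KEY = rsa.generate_private_key(65537, 2048)  # below the 3072-bit minimum
CA_CERT = _cert(_name("Test CA"), _name("Test CA"), CA_KEY.public_key(), CA_KEY, True)
SERVER_CERT = _cert(_name("endpoint"), _name("Test CA"), SERVER_KEY.public_key(), CA_KEY, False,
                    ("1.1.1.1", "2.2.2.2"))
WEAK_CERT = _cert(_name("weak"), _name("Test CA"), WEAK_KEY.public_key(), CA_KEY, False)
CRL = _crl(CA_CERT, CA_KEY, [WEAK_CERT.serial_number])
EMPTY_CRL = _crl(CA_CERT, CA_KEY, [])

if __name__ == "__main__":
    print("CA:", check_cert(CA_CERT, is_ca=True) or "ok")
    print("server:", check_cert(SERVER_CERT, is_ca=False) or "ok",
          "| key match:", key_matches(SERVER_CERT, SERVER_KEY),
          "| issued by CA:", issued_by(SERVER_CERT, CA_CERT), "| SAN IPs:", sorted(san_ips(SERVER_CERT)))
    print("weak:", check_cert(WEAK_CERT, is_ca=False))
    print("CRL:", check_crl(CRL, CA_CERT) or "ok", "| empty CRL:", check_crl(EMPTY_CRL, CA_CERT))
```

To check real files instead of the constructed ones, load them with `x509.load_pem_x509_certificate`, `x509.load_pem_x509_crl` and `serialization.load_pem_private_key` and pass the results to the same functions; compare `san_ips()` with the list you intend to give to `--ip` before running gen_cert or import_cert.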
Prerequisites
```bash
# Install missing packages.
pip3 install pyOpenSSL
# Enable logging.
export MINDIE_LOG_TO_FILE=1
export MINDIE_LOG_TO_STDOUT=1
# Configure logs.
export MINDIE_LOG_LEVEL=INFO
export MINDIE_LOG_PATH=~/mindie/log   # Folder for storing logs
```
Usage Guidelines
- Prepare the CA certificate and its private key.
To implement HTTPS communication, obtain a CA certificate from your CA together with the CA private key. gen_cert needs both: the service certificate it generates is signed with the CA key.
- Generate a certificate.
```bash
cd /{MindIE_installation_directory}/latest/mindie-service/   # Go to the installation directory.
python3 scripts/config_mindie_server_tls_cert.py <software_package_installation_directory> gen_cert <CA_certificate_configuration_file_path> --ip <certificate_IP_addresses>
# Example
python3 scripts/config_mindie_server_tls_cert.py /home/Ascend-mindie-service_{version}_linux-{arch} gen_cert /home/Ascend-mindie-service_{version}_linux-{arch}/conf/gen_cert.json --ip=1.1.1.1,2.2.2.2
```
- Import or update the CA certificate.
```bash
python3 scripts/config_mindie_server_tls_cert.py <software_package_installation_directory> import_ca <CA_file_list>   # fewer than 5 files
# Example
python3 scripts/config_mindie_server_tls_cert.py /home/Ascend-mindie-service_{version}_linux-{arch} import_ca /home/ca.pem /home/ca2.pem
```
- Delete imported CA files.
```bash
python3 scripts/config_mindie_server_tls_cert.py <software_package_installation_directory> delete_ca <CA_file_name_list>   # fewer than 5 files
# Example
python3 scripts/config_mindie_server_tls_cert.py /home/Ascend-mindie-service_{version}_linux-{arch} delete_ca ca.pem ca2.pem
```
- Import or update the service certificate and private key. The passphrase of the private key is required.
```bash
python3 scripts/config_mindie_server_tls_cert.py <software_package_installation_directory> import_cert <service_certificate_path> <service_private_key_path>
# Example
python3 scripts/config_mindie_server_tls_cert.py /home/Ascend-mindie-service_{version}_linux-{arch} import_cert /home/server.pem /home/server.key.pem
```
- Delete the service certificate and private key.
```bash
python3 scripts/config_mindie_server_tls_cert.py <software_package_installation_directory> delete_cert
# Example
python3 scripts/config_mindie_server_tls_cert.py /home/Ascend-mindie-service_{version}_linux-{arch} delete_cert --cert_file=server.pem --key_file=server.key.pem
```
Parameters:
- --cert_file: the imported service certificate file to delete.
- --key_file: the imported service private key file to delete.
- Import or update the CRL. The CRL is matched against the first CA file in the imported CA file list, so it must be issued by that CA.
```bash
python3 scripts/config_mindie_server_tls_cert.py <software_package_installation_directory> import_crl <CRL_file_path>
# Example
python3 scripts/config_mindie_server_tls_cert.py /home/Ascend-mindie-service_{version}_linux-{arch} import_crl /home/server_crl.pem
```
- Query details about the imported CA certificates, service certificate, and CRL file.
```bash
python3 scripts/config_mindie_server_tls_cert.py <software_package_installation_directory> query
# Example
python3 scripts/config_mindie_server_tls_cert.py /home/Ascend-mindie-service_{version}_linux-{arch} query --cert_file=server.pem --crl_file=server_crl.pem
```
Parameters:
- --cert_file: the imported service certificate file to query.
- --crl_file: the imported CRL file to query.
- Restore the CA certificate.
```bash
python3 scripts/config_mindie_server_tls_cert.py <software_package_installation_directory> restore_ca
# Example
python3 scripts/config_mindie_server_tls_cert.py /home/Ascend-mindie-service_{version}_linux-{arch} restore_ca --ca_backup_file=/backup/ca.pem --ca_dst_file=ca.pem
```
Parameters:
- --ca_backup_file: path of the backup CA certificate.
- --ca_dst_file: path to which the CA certificate is restored.
- Restore the service certificate.
```bash
python3 scripts/config_mindie_server_tls_cert.py <software_package_installation_directory> restore_cert
# Example
python3 scripts/config_mindie_server_tls_cert.py /home/Ascend-mindie-service_{version}_linux-{arch} restore_cert --cert_backup_file=/backup/server.pem --cert_dst_file=server.pem --key_backup_file=/backup/server.key.pem --key_dst_file=server.key.pem
```
Parameters:
- --cert_backup_file: path of the backup service certificate.
- --cert_dst_file: path to which the service certificate is restored.
- --key_backup_file: path of the backup service certificate private key.
- --key_dst_file: path to which the service certificate private key is restored.
- You are advised not to use the same certificate and private key for HTTPS and gRPC (use --business to manage them separately). Sharing one key pair means that compromise of either endpoint exposes both, and that the certificate cannot be revoked or rotated for one service without affecting the other.
- Before importing, ensure that the file permissions of the CA certificate, service certificate, private key, and CRL files are 600, 400, and 600 respectively, so that group and other users have no access to them.