Step 4: Generate the CA and the Client Certificate

Explains how to generate the CA and the Client certificate to install on the Data Fabric platform.

Download the local CA certificate from the Vault, as well as create and download the client certificates and install them on the Data Fabric platform.

  1. Retrieve the CA certificates:
    $ vault read kmip/ca
    Key       Value
    ---       -----
    ca_pem    -----BEGIN CERTIFICATE-----
    MIICNzCCAZigAwIBAgIUP8qJ5bh/nsBeAh2V61xuBYgf+8swCgYIKoZIzj0EAwIw
    HTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MB4XDTE5MDYxOTE5MTMzMloX
    DTI5MDYxNjE5MTQwMlowKjEoMCYGA1UEAxMfdmF1bHQta21pcC1kZWZhdWx0LWlu
    dGVybWVkaWF0ZTCBmzAQBgcqhkjOPQIBBgUrgQQAIwOBhgAEAckgYpJrCbPGdljc
    BfefIRR1xKSBjp6rtudm/fZjiY7Pd7sadsOSTyojvmKZHeQdg/G1dUHMSlE+Lhct
    AdEkCRzbAJ00TziUh1Ug+xzXo2PBnuSiRWjVcRzDiGPThgjfojKDpm8EF0V6hJ+z
    1Z5lDWAL9eqIwKHJTVsTQtf0QU1D6mQ3o2YwZDAOBgNVHQ8BAf8EBAMCAQYwEgYD
    VR0TAQH/BAgwBgEB/wIBCTAdBgNVHQ4EFgQUT5Bgc+xJoZcUltEWkBNkokW94M4w
    HwYDVR0jBBgwFoAUM1e6hZBDSLFL/DxUUJqIQVZgvNwwCgYIKoZIzj0EAwIDgYwA
    MIGIAkIB6rfGWqfeiFl60Ka/dB1/T3evAibMvy4UFsax8DpnFYME5o15+96LOZvy
    t5dj9jH72SCDpKNnwekYDZMWb2NKVzYCQgFS0muzu2wZ69FUmkEQBrNuxnTd+4Nt
    ha14Uby4Fgq+J3X4GkQBBhsMkGtwwuXuRiEa0WaViILBE+D1Dc/ifDu2qQ==
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIICKTCCAYugAwIBAgIUAh0QJeKDwBO8hYgRk5tdjiOHeVUwCgYIKoZIzj0EAwIw
    HTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MB4XDTE5MDYxOTE5MTMzMloX
    DTI5MDYxNjE5MTQwMlowHTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MIGb
    MBAGByqGSM49AgEGBSuBBAAjA4GGAAQBYODGU1+TYhR11Urm6irXz+75VbdsW8pT
    o10hw9TR53F+bKIpEzb9dumnr9P80K0Lf4XCwkoewx6IA6oM64eZlOQBQg3Df35A
    ovHRU/kzD5IlwSrqEfhqfs53aVeRrGbv256iO6edHLvftzRmb3Ihtpol9/V4vJIo
    HpWj/dkoDbSiLaOjZjBkMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/
    AgEKMB0GA1UdDgQWBBQzV7qFkENIsUv8PFRQmohBVmC83DAfBgNVHSMEGDAWgBQz
    V7qFkENIsUv8PFRQmohBVmC83DAKBggqhkjOPQQDAgOBiwAwgYcCQgDh5iuDhLHh
    vH0xAV3pZwbc5jqE8o3Sb5JzoUnmuTX1ZlBbJdZavkQ4HrYbOhI+bHd+iyu5Zwwb
    BiOpisPzu9Rr5wJBDhDzgW1+9dqj7oQF4DD+38hLnZKg+F4pZ47dCxdKzzP5MFxc
    /zxa8PYxFi62BpmjIKPsyw4U7l0rJ0JBMn3unS8=
    -----END CERTIFICATE-----

    The bold block is part of the response that is your CA certificate. Copy this into a file called ca.pem using your favorite text editor.

  2. Generate a certificate in PEM format and save it to a JSON file named credential.json:
    $ vault write -format=json \
        kmip/scope/mapr/role/maprkmipclient1/credential/generate \
        format=pem > credential.json
  3. Extract the private key from the credential.json file using the jq tool and save it in a file named key.pem:
    $ jq -r .data.private_key < credential.json > key.pem
  4. Find the certification serial numbers associated with the maprkmipclient1 role:
    $ vault list kmip/scope/mapr/role/maprkmipclient1/credential
    Keys                                                                             
    ----                                                                             
    693751915900546682090704263335075174345458639865

    In this example, the key is 693751915900546682090704263335075174345458639865 but your serial number may be different. Copy this down for the next step.

  5. Lookup the client and CA certificates using this serial number (make sure to use your own serial number):
    $ vault read kmip/scope/mapr/role/maprkmipclient1/credential/lookup \
            serial_number=693751915900546682090704263335075174345458639865
    Key              Value
    ---              -----
    ca_chain         [-----BEGIN CERTIFICATE-----
    MIIBrDCCAVKgAwIBAgIUA462iIHn2ssIOwZTFDzMaWK8veIwCgYIKoZIzj0EAwIw
    HTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MB4XDTE5MDczMDE5NDYwOFoX
    DTI5MDcyNzE5NDYzOFowKjEoMCYGA1UEAxMfdmF1bHQta21pcC1kZWZhdWx0LWlu
    dGVybWVkaWF0ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABKpAQgXZZQ5YSXZ7
    QiDaSXrbig7AT5xqKw4Cpos1RHNnQtQmFzj4VJdIJfFF3j7+iXjg/4DfQEvsgjfk
    OPsR5FSjYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1Ud
    DgQWBBTXOnbANc7zQbeXut8z/gW6z1D9+zAfBgNVHSMEGDAWgBRo5cF5kF7WN4Dp
    MjlRbvJoRqgNHzAKBggqhkjOPQQDAgNIADBFAiA3W9E5Q40/Ys1CgXgrDx1ywIJm
    u7JZ8pg0mahQ60jItwIhALLnHRVXfIXKYGouRCwJ6tZeEYCZXL5SC6W6r5fZcJq7
    -----END CERTIFICATE----- -----BEGIN CERTIFICATE-----
    MIIBoDCCAUWgAwIBAgIUH/kEhPmsA19HwWyaUe5+6MbSNPwwCgYIKoZIzj0EAwIw
    HTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MB4XDTE5MDczMDE5NDYwOFoX
    DTI5MDcyNzE5NDYzOFowHTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MFkw
    EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/IIHo7wm0G5ywwsU9I2/fzfcjEac8k+K
    satRSL71/SxY4Af4GiBdVHSNqTv/QEq3kfe4ShKQvK0tGo2xjxu39KNjMGEwDgYD
    VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFGjlwXmQXtY3
    gOkyOVFu8mhGqA0fMB8GA1UdIwQYMBaAFGjlwXmQXtY3gOkyOVFu8mhGqA0fMAoG
    CCqGSM49BAMCA0kAMEYCIQCxhqAELYdXfIi7H8yJ6RCaNRntaHbHwqxn6UB4fnEc
    HQIhAM5qsuyvbp6U8CH+ejtbHjzzgO5rhXbchx7Um2gWKiEQ
    -----END CERTIFICATE-----]
    certificate      -----BEGIN CERTIFICATE-----
    MIIBszCCAVmgAwIBAgIUT4XoB0JqAPoADTK3lb1NbJKUk3QwCgYIKoZIzj0EAwIw
    KjEoMCYGA1UEAxMfdmF1bHQta21pcC1kZWZhdWx0LWludGVybWVkaWF0ZTAeFw0x
    OTA3MzAyMDI5MzdaFw0xOTA4MTMyMDMwMDdaMCAxDjAMBgNVBAsTBUtJRUdXMQ4w
    DAYDVQQDEwU5akpiZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPM977vYKmIy
    UDTNlWJhQ+3poZrEYt/bH1t0GpUinfHHBSifkG0v/boM85BOLku8S/zURZRQlXXa
    D6FONeSHCmWjZzBlMA4GA1UdDwEB/wQEAwIDqDATBgNVHSUEDDAKBggrBgEFBQcD
    AjAdBgNVHQ4EFgQUlyQPSXDXzarQ4uD87xIHsQs8BJwwHwYDVR0jBBgwFoAU1zp2
    wDXO80G3l7rfM/4Fus9Q/fswCgYIKoZIzj0EAwIDSAAwRQIgRm8doJMK5Wy46fMW
    2iqUfn5cykVF0h/78mKts3/Vp5YCIQDJBfh5kGmDZKTCLAZeiiSd07mkF56FzIK1
    2HFT4nBZCg==
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIBrDCCAVKgAwIBAgIUA462iIHn2ssIOwZTFDzMaWK8veIwCgYIKoZIzj0EAwIw
    HTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MB4XDTE5MDczMDE5NDYwOFoX
    DTI5MDcyNzE5NDYzOFowKjEoMCYGA1UEAxMfdmF1bHQta21pcC1kZWZhdWx0LWlu
    dGVybWVkaWF0ZTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABKpAQgXZZQ5YSXZ7
    QiDaSXrbig7AT5xqKw4Cpos1RHNnQtQmFzj4VJdIJfFF3j7+iXjg/4DfQEvsgjfk
    OPsR5FSjYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1Ud
    DgQWBBTXOnbANc7zQbeXut8z/gW6z1D9+zAfBgNVHSMEGDAWgBRo5cF5kF7WN4Dp
    MjlRbvJoRqgNHzAKBggqhkjOPQQDAgNIADBFAiA3W9E5Q40/Ys1CgXgrDx1ywIJm
    u7JZ8pg0mahQ60jItwIhALLnHRVXfIXKYGouRCwJ6tZeEYCZXL5SC6W6r5fZcJq7
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIBoDCCAUWgAwIBAgIUH/kEhPmsA19HwWyaUe5+6MbSNPwwCgYIKoZIzj0EAwIw
    HTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MB4XDTE5MDczMDE5NDYwOFoX
    DTI5MDcyNzE5NDYzOFowHTEbMBkGA1UEAxMSdmF1bHQta21pcC1kZWZhdWx0MFkw
    EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/IIHo7wm0G5ywwsU9I2/fzfcjEac8k+K
    satRSL71/SxY4Af4GiBdVHSNqTv/QEq3kfe4ShKQvK0tGo2xjxu39KNjMGEwDgYD
    VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFGjlwXmQXtY3
    gOkyOVFu8mhGqA0fMB8GA1UdIwQYMBaAFGjlwXmQXtY3gOkyOVFu8mhGqA0fMAoG
    CCqGSM49BAMCA0kAMEYCIQCxhqAELYdXfIi7H8yJ6RCaNRntaHbHwqxn6UB4fnEc
    HQIhAM5qsuyvbp6U8CH+ejtbHjzzgO5rhXbchx7Um2gWKiEQ
    -----END CERTIFICATE-----
    serial_number    693751915900546682090704263335075174345458639865

    In the preceding response, the bold block is the CA certificate, which should look similar to the CA certificate saved earlier, while the italics block is the client certificates. Save the client certificates to a file called cert.pem using your text editor.

  6. Combine the cert.pem and the key.pem files to create a file called client.pem, which is the file that the mrhsm commands use.

This concludes the Vault-specific setup and configuration steps. At the end of this phase, you should have the following files that are needed to set up your Data Fabric KMIP client, in addition to the list of IP addresses and the port number of the key management appliances:

  1. The CA used to sign the client certificate. This is contained in ca.pem.
  2. The signed client certificate contained in client.pem.
  3. The client private key which is contained in key.pem.

Continue the setup on the Data Fabric CLDB node using the configure.sh script with the HSM parameters, or the mrhsm Commands.