Set up Certificate Authority and issue Server and Client Certificates
This topic describes how to set up a Certificate Authority (CA) and issue server and client certificates on machine 1.
- Open the /etc/pki/tls/openssl.cnf file in a text editor. Edit the [req_distinguished_name] section so that it has defaults appropriate for your organization. For example:
- Create the self-signed certificate for the Alfresco CA. Use the exact paths listed here, as they are already referenced in openssl.cnf. For the CA certificate, use any name that best describes your CA, for example Alfresco Demo.
The following certificates are issued by the CA:
- Ensure that certificates issued by the Alfresco CA are trusted by the Apache HTTP server. Create a symbolic link to the CA certificate, named with the certificate's computed subject hash, so that Apache picks it up in its chain of trust.
- Replace the HTTP server's test certificate with a certificate issued by the Alfresco CA. The advantage of having it issued by the same CA is that fewer certificates need to be added to Alfresco Share's truststore later. When prompted for a certificate subject (CN), you must specify the external DNS name of machine 1. The -nodes option avoids the need to enter the key password every time Apache is started.
- Create the client certificate that Alfresco Share will use to access the repository. The client certificate securely identifies the Alfresco Share application to the Alfresco repository. You must protect the private key with a password. Also, export the key and its certificate chain to a password-protected PKCS12 keystore, alfresco-system.p12, on the Tomcat classpath so that the Share application can use it. Use the same password for both the key and the keystore. For the subject name, use alfresco-system.
- Sign the client certificate with our CA certificate:
- Package the client private and public keys in a P12:
- Finally, copy alfresco-system.p12 to machine 2, the Alfresco server, into the /opt/alfresco/tomcat/shared/classes/alfresco/web-extension/ folder.

Source: docs.alfresco.com
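The whole procedure above, from the self-signed CA through the hash-named trust link, the server certificate, the password-protected client key and the alfresco-system.p12 keystore, as one added shell example. This is not the Alfresco documentation's own script: it writes everything under a working directory you choose instead of /etc/pki/tls, uses non-interactive -subj values, and the CN machine1.example.com and the password are demo values; the CA name Alfresco Demo and the subject alfresco-system are the ones the docs prescribe. check_pki verifies both issued certificates against the CA (the server one through the hash symlink directory, which is exactly what Apache relies on) and confirms the keystore opens with the chosen password.

```shell
#!/bin/sh
# Added example, not from docs.alfresco.com. Builds a demo CA, a server
# certificate and the alfresco-system client keystore with OpenSSL.
# Assumption: all files live under one working directory (not /etc/pki/tls).
set -eu

# make_pki DIR SERVER_FQDN KEY_PASSWORD
make_pki() {
  dir=$1; fqdn=$2; pw=$3
  mkdir -p "$dir/ca" "$dir/server" "$dir/client" "$dir/trust"

  # 1. Self-signed CA certificate; CN "Alfresco Demo" as in the docs.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Alfresco Demo" \
    -keyout "$dir/ca/ca.key" -out "$dir/ca/ca.crt" 2>/dev/null

  # 2. Trust link for Apache: symlink named <subject-hash>.0 -> CA cert.
  hash=$(openssl x509 -in "$dir/ca/ca.crt" -noout -hash)
  ln -sf "$dir/ca/ca.crt" "$dir/trust/$hash.0"

  # 3. Server certificate: -nodes so Apache starts without a key password;
  #    the CN (and SAN, added here) is the external DNS name of machine 1.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$fqdn" \
    -keyout "$dir/server/server.key" -out "$dir/server/server.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' \
    "$fqdn" > "$dir/server/ext.cnf"
  openssl x509 -req -in "$dir/server/server.csr" -days 825 -sha256 \
    -CA "$dir/ca/ca.crt" -CAkey "$dir/ca/ca.key" -CAcreateserial \
    -extfile "$dir/server/ext.cnf" -out "$dir/server/server.crt" 2>/dev/null

  # 4. Client key protected by a password, CSR with subject alfresco-system,
  #    signed by our CA and restricted to client authentication.
  openssl genrsa -aes256 -passout "pass:$pw" -out "$dir/client/client.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$dir/client/client.key" -passin "pass:$pw" \
    -subj "/CN=alfresco-system" -out "$dir/client/client.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$dir/client/ext.cnf"
  openssl x509 -req -in "$dir/client/client.csr" -days 825 -sha256 \
    -CA "$dir/ca/ca.crt" -CAkey "$dir/ca/ca.key" -CAcreateserial \
    -extfile "$dir/client/ext.cnf" -out "$dir/client/client.crt" 2>/dev/null

  # 5. PKCS12 keystore holding key + chain, same password as the key.
  openssl pkcs12 -export -name alfresco-system \
    -in "$dir/client/client.crt" -inkey "$dir/client/client.key" -passin "pass:$pw" \
    -certfile "$dir/ca/ca.crt" -out "$dir/client/alfresco-system.p12" -passout "pass:$pw"
}

# check_pki DIR KEY_PASSWORD: fails unless both leaf certs chain to the CA
# and the keystore opens; prints the subject stored in the keystore.
check_pki() {
  dir=$1; pw=$2
  # The server cert is checked via the hash-link directory, as Apache does.
  openssl verify -CApath "$dir/trust" "$dir/server/server.crt" >/dev/null
  openssl verify -CAfile "$dir/ca/ca.crt" "$dir/client/client.crt" >/dev/null
  openssl pkcs12 -in "$dir/client/alfresco-system.p12" -passin "pass:$pw" \
    -nokeys -clcerts 2>/dev/null | openssl x509 -noout -subject
}

# Stand-alone run: demo values, output directory from $1 or a temp dir.
out=${1:-$(mktemp -d)}
make_pki "$out" "machine1.example.com" "changeit"
check_pki "$out" "changeit"
echo "demo PKI written to $out"
```

Copy only alfresco-system.p12 to machine 2; the CA key stays on machine 1. With OpenSSL 3.x, pkcs12 -export defaults to newer PBES2 encryption that some older Java runtimes cannot read; if Tomcat rejects the keystore, re-export it with the pkcs12 -legacy option.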