Version: 3.10

How to Get a Certificate

This document describes how to get a certificate to enroll in ScalarDL.

ScalarDL supports several authentication methods. If you use digital-signature as the authentication method, you must prepare a private key file and a certificate file. For more details on authentication methods, see the ScalarDL Authentication Guide.

Private key and certificate requirements

If you use digital-signature as the authentication method, you must create a private key and certificate that satisfy the following requirements:

  • SEC1 or PKCS#8 key
  • ECDSA as the algorithm
  • P-256 as the curve parameter
  • SHA256 as the hash function

note

ScalarDL does not check the expiration date of certificates, so you can set any expiration date on the certificates that ScalarDL uses.

Create a private key and certificate file

You can create a self-signed certificate as follows:

note

This example creates a SEC1 key.

Prerequisites

You must install the cfssl and cfssljson command-line tools for the following steps.

Create a local CA

  1. Create a working directory.

    mkdir -p ${HOME}/scalardl/digital-signature/certs/
  2. Change the working directory to ${HOME}/scalardl/digital-signature/certs/.

    cd ${HOME}/scalardl/digital-signature/certs/
  3. Create a JSON file that includes CA information.

    cat << 'EOF' > ${HOME}/scalardl/digital-signature/certs/ca.json
    {
      "CN": "scalardl-example-ca",
      "key": {
        "algo": "ecdsa",
        "size": 256
      },
      "names": [
        {
          "C": "JP",
          "ST": "Tokyo",
          "L": "Shinjuku",
          "O": "ScalarDL Example CA"
        }
      ]
    }
    EOF
  4. Create the CA private key and certificate files.

    cfssl gencert -initca ca.json | cfssljson -bare ca
  5. Create a JSON file that includes CA configurations.

    cat << 'EOF' > ${HOME}/scalardl/digital-signature/certs/ca-config.json
    {
      "signing": {
        "default": {
          "expiry": "87600h"
        },
        "profiles": {
          "scalardl-example-ca": {
            "expiry": "87600h",
            "usages": [
              "signing",
              "key encipherment",
              "server auth"
            ]
          }
        }
      }
    }
    EOF

Create a private key and certificate for each component

  1. Create a JSON file that includes ScalarDL Ledger information.

    cat << 'EOF' > ${HOME}/scalardl/digital-signature/certs/ledger.json
    {
      "CN": "scalardl-ledger",
      "hosts": [
        "ledger.scalardl.example.com",
        "localhost"
      ],
      "key": {
        "algo": "ecdsa",
        "size": 256
      },
      "names": [
        {
          "C": "JP",
          "ST": "Tokyo",
          "L": "Shinjuku",
          "O": "ScalarDL Ledger Example"
        }
      ]
    }
    EOF
  2. Create the private key and certificate files for ScalarDL Ledger.

    cfssl gencert -ca ca.pem -ca-key ca-key.pem -config ca-config.json -profile scalardl-example-ca ledger.json | cfssljson -bare ledger
  3. Confirm that the private key and certificate files were created.

    ls -1

    You should see the following output:

    ca-config.json
    ca-key.pem
    ca.csr
    ca.json
    ca.pem
    ledger-key.pem
    ledger.csr
    ledger.json
    ledger.pem

    In this case:

    • ledger-key.pem is the private key file for ScalarDL Ledger.
    • ledger.pem is the certificate file for ScalarDL Ledger.
    • ca.pem is the root CA certificate file.
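The following script is an added example and not part of the ScalarDL documentation: it uses the openssl command-line tool (assumed to be installed) to confirm that the files produced by the steps above meet the requirements listed at the top of this page, and converts the SEC1 key that cfssl writes into PKCS#8 when that form is preferred. The default file names are the ones created in the working directory above.

```shell
#!/bin/sh
# Added example, not part of the ScalarDL documentation. Assumes the openssl CLI
# is installed; file names default to the ones the cfssl steps above produce.

# The key must be SEC1 ("EC PRIVATE KEY") or unencrypted PKCS#8 ("PRIVATE KEY")
# and use ECDSA on P-256, which OpenSSL names prime256v1.
check_key() {
  grep -qE -- '^-----BEGIN (EC )?PRIVATE KEY-----' "$1" || return 1
  openssl ec -in "$1" -noout -text 2>/dev/null | grep -q 'ASN1 OID: prime256v1'
}

# The certificate must be signed with ECDSA over SHA-256.
check_cert() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -q 'Signature Algorithm: ecdsa-with-SHA256'
}

# The certificate must carry the public key derived from the private key:
# both commands emit the same SubjectPublicKeyInfo PEM when they match.
key_matches_cert() {
  k=$(openssl ec -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Convert the SEC1 key cfssl wrote into unencrypted PKCS#8; ScalarDL accepts both.
to_pkcs8() {
  openssl pkcs8 -topk8 -nocrypt -in "$1" -out "$2"
}

# Run all three checks; returns non-zero and reports the first failing check.
verify_pair() {
  key="${1:-ledger-key.pem}"
  cert="${2:-ledger.pem}"
  check_key "$key" || { echo "$key: not an ECDSA P-256 SEC1/PKCS#8 key" >&2; return 1; }
  check_cert "$cert" || { echo "$cert: not signed with ecdsa-with-SHA256" >&2; return 1; }
  key_matches_cert "$key" "$cert" || { echo "$cert: public key does not match $key" >&2; return 1; }
  echo "OK: $key and $cert satisfy the ScalarDL digital-signature requirements"
}
```

Run `verify_pair ledger-key.pem ledger.pem` from the certs directory; a key on another curve or a certificate issued for a different key is reported rather than silently accepted.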