Version: 3.9

How to Get a Certificate

This document describes how to get a certificate to enroll in ScalarDL.

ScalarDL supports several authentication methods. If you use digital-signature as the authentication method, you must prepare a private key file and a certificate file. For more details on authentication methods, see ScalarDL Authentication Guide.

Private key and certificate requirements

If you use digital-signature as the authentication method, you must create a private key and certificate that satisfy the following requirements:

  • SEC1 or PKCS#8 key
  • ECDSA as the algorithm
  • P-256 as the curve parameter
  • SHA256 as the hash function
Note

ScalarDL does not check the expiration date of certificates, so you can set any expiration date on the certificates that ScalarDL uses.

Create a private key and certificate file

You can create a self-signed certificate as follows:

Note

This example creates a SEC1 key.

Prerequisites

You must install the cfssl and cfssljson command-line tools for the following steps.

Create a local CA

  1. Create a working directory.

    mkdir -p ${HOME}/scalardl/digital-signature/certs/
  2. Change the working directory to ${HOME}/scalardl/digital-signature/certs/.

    cd ${HOME}/scalardl/digital-signature/certs/
  3. Create a JSON file that includes CA information.

    cat << 'EOF' > ${HOME}/scalardl/digital-signature/certs/ca.json
    {
      "CN": "scalardl-example-ca",
      "key": {
        "algo": "ecdsa",
        "size": 256
      },
      "names": [
        {
          "C": "JP",
          "ST": "Tokyo",
          "L": "Shinjuku",
          "O": "ScalarDL Example CA"
        }
      ]
    }
    EOF
  4. Create the CA private key and certificate files.

    cfssl gencert -initca ca.json | cfssljson -bare ca
  5. Create a JSON file that includes CA configurations.

    cat << 'EOF' > ${HOME}/scalardl/digital-signature/certs/ca-config.json
    {
      "signing": {
        "default": {
          "expiry": "87600h"
        },
        "profiles": {
          "scalardl-example-ca": {
            "expiry": "87600h",
            "usages": [
              "signing",
              "key encipherment",
              "server auth"
            ]
          }
        }
      }
    }
    EOF

Create a private key and certificate for each component

  1. Create a JSON file that includes ScalarDL Ledger information.

    cat << 'EOF' > ${HOME}/scalardl/digital-signature/certs/ledger.json
    {
      "CN": "scalardl-ledger",
      "hosts": [
        "ledger.scalardl.example.com",
        "localhost"
      ],
      "key": {
        "algo": "ecdsa",
        "size": 256
      },
      "names": [
        {
          "C": "JP",
          "ST": "Tokyo",
          "L": "Shinjuku",
          "O": "ScalarDL Ledger Example"
        }
      ]
    }
    EOF
  2. Create the private key and certificate files for ScalarDL Ledger.

    cfssl gencert -ca ca.pem -ca-key ca-key.pem -config ca-config.json -profile scalardl-example-ca ledger.json | cfssljson -bare ledger
  3. Confirm that the private key and certificate files were created.

    ls -1

    You should see the following output:

    ca-config.json
    ca-key.pem
    ca.csr
    ca.json
    ca.pem
    ledger-key.pem
    ledger.csr
    ledger.json
    ledger.pem

    In this case:

    • ledger-key.pem is the private key file for ScalarDL Ledger.
    • ledger.pem is the certificate file for ScalarDL Ledger.
    • ca.pem is the root CA certificate file.
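Listing the files only shows that they exist; it does not show that they meet the requirements listed at the top of this page (SEC1 or PKCS#8 key, ECDSA, P-256, SHA256). The following script is an added example, not part of the ScalarDL documentation or the cfssl project: it reads a PEM key and certificate and checks, with a minimal DER walker from the Python standard library, that the key is an EC key on P-256 and that the certificate is signed with ecdsa-with-SHA256. The `*_SAMPLE` inputs are constructed inside the script (they are not real keys or certificates); to check the files produced above, pass the contents of `ledger-key.pem` and `ledger.pem` to `check_private_key` and `check_certificate` instead.

```python
"""Added example (not from the ScalarDL docs): check that a PEM private key and
certificate meet the ScalarDL digital-signature requirements. Samples are constructed."""
import base64
import re

OID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"   # id-ecPublicKey (an ECDSA key)
OID_P256 = "1.2.840.10045.3.1.7"          # prime256v1 / secp256r1 (P-256)
OID_ECDSA_SHA256 = "1.2.840.10045.4.3.2"  # ecdsa-with-SHA256


def pem_to_der(pem: str) -> tuple:
    """Return (label, DER bytes) of the first PEM block in `pem`."""
    m = re.search(r"-----BEGIN ([^-]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))


def der_children(data: bytes) -> list:
    """Split DER into a flat list of (tag, value); handles short and long-form lengths."""
    out, i = [], 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:                      # long form: next n bytes hold the length
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        out.append((tag, data[i:i + length]))
        i += length
    return out


def decode_oid(body: bytes) -> str:
    """Decode the value bytes of an OBJECT IDENTIFIER into dotted form."""
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def check_private_key(pem: str) -> dict:
    """Report the key format, whether it is an EC key, and whether its curve is P-256."""
    label, der = pem_to_der(pem)
    fields = der_children(der_children(der)[0][1])        # contents of the outer SEQUENCE
    if label == "EC PRIVATE KEY":
        # SEC1 ECPrivateKey: INTEGER 1, OCTET STRING key, [0] curve OID, [1] public key
        fmt, algo = "SEC1", OID_EC_PUBLIC_KEY
        curve = next((decode_oid(der_children(v)[0][1]) for t, v in fields if t == 0xA0), None)
    elif label == "PRIVATE KEY":
        # PKCS#8 PrivateKeyInfo: INTEGER 0, AlgorithmIdentifier {OID, curve OID}, OCTET STRING
        fmt = "PKCS#8"
        alg_id = der_children(fields[1][1])
        algo = decode_oid(alg_id[0][1])
        curve = decode_oid(alg_id[1][1]) if len(alg_id) > 1 and alg_id[1][0] == 0x06 else None
    else:
        raise ValueError(f"unsupported PEM label: {label}")
    return {"format": fmt, "ecdsa": algo == OID_EC_PUBLIC_KEY, "p256": curve == OID_P256}


def check_certificate(pem: str) -> dict:
    """Report whether the certificate's outer signatureAlgorithm is ecdsa-with-SHA256."""
    label, der = pem_to_der(pem)
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _tbs, sig_alg, _sig = der_children(der_children(der)[0][1])
    sig_oid = decode_oid(der_children(sig_alg[1])[0][1])
    return {"label": label, "ecdsa_sha256": sig_oid == OID_ECDSA_SHA256}


# --- constructed sample inputs (tiny DER encoder; these are not real keys or certs) ---
def _tlv(tag: int, value: bytes) -> bytes:
    assert len(value) < 0x80, "samples use short-form lengths only"
    return bytes([tag, len(value)]) + value


def _oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:                          # base-128 arcs, high bit set on all but last
        chunks = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunks.insert(0, (a & 0x7F) | 0x80)
        body += bytes(chunks)
    return _tlv(0x06, body)


def _pem(label: str, der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


SEC1_P256_SAMPLE = _pem("EC PRIVATE KEY", _tlv(0x30,
    _tlv(0x02, b"\x01") + _tlv(0x04, b"\x11" * 32) + _tlv(0xA0, _oid(OID_P256))))
PKCS8_P384_SAMPLE = _pem("PRIVATE KEY", _tlv(0x30,          # wrong curve: secp384r1
    _tlv(0x02, b"\x00") + _tlv(0x30, _oid(OID_EC_PUBLIC_KEY) + _oid("1.3.132.0.34"))
    + _tlv(0x04, b"\x22" * 48)))
CERT_SAMPLE = _pem("CERTIFICATE", _tlv(0x30,                # placeholder tbsCertificate
    _tlv(0x30, _tlv(0x02, b"\x02")) + _tlv(0x30, _oid(OID_ECDSA_SHA256))
    + _tlv(0x03, b"\x00" + b"\x33" * 64)))

if __name__ == "__main__":
    # For real files: check_private_key(open("ledger-key.pem").read()), etc.
    print(check_private_key(SEC1_P256_SAMPLE))    # {'format': 'SEC1', 'ecdsa': True, 'p256': True}
    print(check_private_key(PKCS8_P384_SAMPLE))   # {'format': 'PKCS#8', 'ecdsa': True, 'p256': False}
    print(check_certificate(CERT_SAMPLE))         # {'label': 'CERTIFICATE', 'ecdsa_sha256': True}
```

The same checks can be done with the OpenSSL command-line tool: `openssl ec -in ledger-key.pem -noout -text` prints `ASN1 OID: prime256v1` for a P-256 key, and `openssl x509 -in ledger.pem -noout -text` prints `Signature Algorithm: ecdsa-with-SHA256` for a certificate that meets the hash requirement. The script only inspects the key and signature algorithm identifiers; it does not validate the certificate chain, which is what `cfssl gencert` with `-ca ca.pem` already guarantees for `ledger.pem`.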