...

Code Block
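# Create a working directory for certificate creation (the name does not
# matter). -p keeps the step idempotent when the directory already exists, and
# the cd is checked so key material is never written into some other directory.
mkdir -p ~/ssl_cert
cd ~/ssl_cert || exit 1

# Create the certificate authority: a self-signed CA certificate (cacert.pem)
# plus its private key (cakey.pem). The key is written unencrypted (-nodes);
# restrict access to cakey.pem, since anyone who can read it can issue
# certificates that clients trusting cacert.pem will accept. All options,
# including -config, belong to ONE command: every continuation line ends with
# "\" and there must be no blank line before -config. Whether the CA
# certificate carries basicConstraints CA:TRUE depends on the x509_extensions
# section of the referenced openssl.cnf — check it in the -text output below.
openssl req -x509 \
            -sha512 \
            -days 3650 \
            -nodes \
            -newkey rsa:4096 \
            -subj "/CN=localhost/C=FI/L=Espoo" \
            -keyout cakey.pem -out cacert.pem \
            -config /usr/local/ubisecure/ubilogin-sso/openssl/openssl.cnf

# Create the server private key (4096-bit RSA).
openssl genrsa -out serverkey.pem 4096

# Write the certificate signing request configuration. The heredoc delimiter
# is unquoted on purpose: $(hostname -s) and $(hostname -f) are expanded now,
# so the SAN list contains this machine's short and fully qualified names.
cat << EOF > servercsr.cnf
[ req ]
default_bits = 4096
prompt = no
default_md = sha512
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = FI
ST = Uusimaa
L = Espoo
O = Ubisecure Oy
OU = Engineering
CN = localhost

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = localhost
DNS.2 = $(hostname -s)
DNS.3 = $(hostname -f)

EOF

# Generate the certificate signing request with the previously created
# private key and the configuration above.
openssl req \
        -new \
        -key serverkey.pem \
        -out servercsr.pem \
        -config servercsr.cnf

# Write the extension configuration applied at signing time. Extensions from
# the CSR are not copied by "openssl x509 -req", so subjectAltName is repeated
# here; CA:FALSE marks the result as an end-entity certificate. The heredoc is
# again unquoted so the hostname substitutions are expanded.
cat << EOF > cert.conf
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
DNS.2 = $(hostname -s)
DNS.3 = $(hostname -f)

EOF

# Sign the server certificate with the self-signed CA. -CAcreateserial creates
# cacert.srl on first use. NOTE: some TLS clients reject server certificates
# with a long validity period (Apple platforms are reported to cap it at 825
# days); reduce -days if such clients must connect.
openssl x509 -req \
    -in servercsr.pem \
    -CA cacert.pem \
    -CAkey cakey.pem \
    -CAcreateserial \
    -out servercert.pem \
    -days 3650 \
    -sha512 \
    -extfile cert.conf

# Inspect the generated certificate: confirm the issuer, the validity period
# and that the X509v3 Subject Alternative Name lists the expected host names.
openssl x509 -noout -in servercert.pem -text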

...

Reconfigure LDAP:

Code Block
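# Reinstall the OpenLDAP component from the product's ldap directory. A single
# checked cd replaces the duplicated one, so install.sh never runs elsewhere.
cd /usr/local/ubisecure/ubilogin-sso/ubilogin/ldap/openldap || exit 1

# Check whether the JAVA_HOME environment variable is set (presumably consumed
# by install.sh — verify against that script).
printf 'JAVA_HOME=%s\n' "${JAVA_HOME:-<unset>}"

# Set the right value if needed (depends on your JDK installation). The default
# is only applied when JAVA_HOME is unset or empty, so an existing, correct
# setting is kept.
export JAVA_HOME="${JAVA_HOME:-/usr/lib/jvm/temurin-11-jdk}"

# Fail early with a clear message if the chosen JDK path is not usable.
[ -x "${JAVA_HOME}/bin/java" ] || printf 'warning: no java binary under %s\n' "${JAVA_HOME}" >&2

./install.sh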

Update SSO configurations:

...