Create certificates

Create certificates as part of installing PEG.

先决条件

You can create certificates by using one of two options.

Option 1: PEG generates keys and CSRs.
Option 2: Create your own keys and certificates.

In both cases, you will need the following:

Unique ID (UID) provided by FortressIQ
The apex domain that you want to use for the PEG DNS names (for example, example.com)

Option 1: PEG generates keys and CSRs

You can use PEG to generate the keys and CSRs for you. To do that, perform the following:

过程

Log in to PEG through ssh.
If you do not log in as user named peguser, then ensure that you switch to the peguser per this command before performing these steps.
sudo su - peguser
If you already have a unique ID (UID) by FortressIQ, run the following command: echo "<UID>" > ~/.kudzu/appliance.txt, where UID is the unique ID that you were provided. If you do not have a UID, the next few steps will generate one for you.
Run cd peg && ./peg_start.sh.
Select Cluster management.
Select Generate Certificate Requests.
Fill out the options that follow.
Exit the menu.
Please record the UID value that you see in the output of this command: cat ~/.kudzu/appliance.txt
The CSRs are located in ~/peg/csr.
Create certificates from those CSRs per Common Tasks - Creating the certificates below.

Option 2 - Create your own keys and certificates

Learn how to create keys and certificates before you deploy PEG.

Keys and certificates must be in Base64 PEM format (called openssl or PKCS #8 for the key format in some systems). Create certificates according to Common Tasks - Creating the certificates. Keys must not be password protected. Also, ensure that your keys match the file names in the Key File Name column of, 表 1.

Common Tasks - Creating the certificates

Learn how to create Base64 PEM certificates.

When you create the certificates, create six server Base64 PEM certificates (called openssl format in some systems), with domain names and file names mapped as follows, where the UID is provided to you by FortressIQ and the apex domain is your apex domain that you will use for PEG.

表 1. Mapping of domain names to certificate file names
Domain	Cert file name	Key file name (Required only if you created your own keys)
analytics-fiq-<UID>.<apex domain>	analytics-cert.pem	analytics-key.pem
proxy-fiq-<UID>.<apex domain>	proxy-cert.pem	proxy-key.pem
storage-fiq-<UID>.<apex domain>	storage-cert.pem	storage-key.pem
st-fiq-<UID>.<apex domain>	st-cert.pem	st-key.pem
dlp-fiq-<UID>.<apex domain>	dlp-cert.pem	dlp-key.pem
es-fiq-<UID>.<apex domain>	es-cert.pem	es-key.pem
klite-fiq-<UID>.<apex domain>	klite-cert.pem	klite-key.pem

注： You can create one certificate with all of the SANs. You can also create just one key if you create keys if you want. However, you will still need to make sure there are seven copies of that certificate and seven copies of that key (if you created keys) named as indicated previously. Do not create a wildcard certificate.

Automation 360