Creating self-signed SSL certificates

The shell script createCertificate.sh makes it easy to create self-signed SSL certificates for the FIT Server. The script accepts one or more domain names and generates the respective certificates along with keys and CSR files. All files are stored in /opt/sevenval/fit14/conf/ssl/.

Existing files are never overwritten.

Example: The following command creates a certificate, a key and a CSR file for m.example.net:

$ /opt/sevenval/fit14/lib/fit/bin/createCertificate.sh \
  m.example.net

The specified domain name m.example.net will be the CommonName; <user>@<local machine> will be used as the email address.

If you use the option --interactive, the script prompts for the certificate data and stores it in the CSR file:

$ /opt/sevenval/fit14/lib/fit/bin/createCertificate.sh \
  --interactive m.example.net m.example.com
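
To inspect what such a certificate contains and to check one after it has been generated, the following added example (not the FIT script and not Sevenval code) reproduces the behaviour described above with openssl and then verifies the result. The output file names, key size, digest, lifetime and the function names make_selfsigned and check_cert are assumptions.

```shell
#!/bin/sh
# Added example, not the FIT createCertificate.sh. Assumptions: file names
# <domain>.key/.csr/.crt, RSA-2048, SHA-256, 365 days, both function names.

make_selfsigned() {   # usage: make_selfsigned <outdir> <domain>
    outdir=$1; domain=$2
    key="$outdir/$domain.key"; csr="$outdir/$domain.csr"; crt="$outdir/$domain.crt"
    # Existing files are never overwritten: stop before touching anything.
    for f in "$key" "$csr" "$crt"; do
        if [ -e "$f" ]; then echo "refusing to overwrite $f" >&2; return 1; fi
    done
    # The domain becomes the CommonName, <user>@<local machine> the e-mail address.
    email="$(id -un 2>/dev/null || echo user)@$(uname -n)"
    # umask 077 keeps the unencrypted private key readable by its owner only.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -sha256 \
          -subj "/CN=$domain/emailAddress=$email" \
          -keyout "$key" -out "$csr" ) 2>/dev/null || return 1
    # Self-sign the CSR with the key it was created from.
    openssl x509 -req -sha256 -days 365 -in "$csr" -signkey "$key" \
        -out "$crt" 2>/dev/null
}

check_cert() {        # usage: check_cert <crt> <key> <domain>
    crt=$1; key=$2; domain=$3
    subject=$(openssl x509 -in "$crt" -noout -subject -nameopt RFC2253) || return 1
    issuer=$(openssl x509 -in "$crt" -noout -issuer -nameopt RFC2253) || return 1
    # Self-signed: issuer and subject are the same name.
    [ "${subject#subject=}" = "${issuer#issuer=}" ] || return 1
    # The CommonName must be exactly the requested domain.
    case ",${subject#subject=}," in *",CN=$domain,"*) ;; *) return 1 ;; esac
    # The certificate must carry the public half of the private key on disk.
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ]
}

# Optional stand-alone use: sh thisfile.sh <outdir> <domain>
if [ "$#" -eq 2 ]; then
    make_selfsigned "$1" "$2" && check_cert "$1/$2.crt" "$1/$2.key" "$2" && echo "ok: $2"
fi
```

check_cert can also be pointed at a certificate and key produced by createCertificate.sh, provided the actual file names in /opt/sevenval/fit14/conf/ssl/ are passed in.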

Managing trusted root CAs

Since version 14.1.0, FIT no longer supplies its own bundle of CA certificates; it relies on the packages and mechanisms supplied by the underlying Linux distribution instead.

SUSE Linux Enterprise Server and OpenSUSE

On SLES and OpenSUSE, FIT uses OpenSSL for outgoing HTTPS connections and certificate validation. Refer to the man pages for update-ca-certificates and c_rehash as well as the documentation included in the ca-certificates and ca-certificates-mozilla packages.

Ubuntu

On Ubuntu, FIT uses OpenSSL for outgoing HTTPS connections and certificate validation. Refer to the documentation for update-ca-certificates and c_rehash as well as the documentation included in the ca-certificates package.

Red Hat Enterprise Linux

FIT uses NSS for outgoing HTTPS connections and certificate validation on Red Hat Enterprise Linux and CentOS. Refer to the documentation for certutil as well as the documentation included in the nss, nss-tools and ca-certificates packages.