Generating a self-signed certificate - Amazon DCV Access Console

Generating a self-signed certificate

Every host that is running an Amazon DCV Access Console component needs to have a certificate. If you are bringing your own certificate, you don’t need to follow these instructions.

Note

This procedure requires OpenJDK version 1.8 to be installed on the system.

  1. Connect to the host that requires a self-signed certificate.

  2. Create a directory to store the certificate.

    $ sudo mkdir -p /usr/local/var/dcv-access-console/security/
    $ cd /usr/local/var/dcv-access-console/security/

  3. Create the subject of the certificate using the public DNS for the host.

    $ CERT_SUBJ="/CN=public DNS"

  4. Set the keystore password. If you have not changed it, the password is changeit.

    $ CERT_PASSWORD="changeit"

  5. Create the RootCA and use it to sign the certificate.

    $ sudo openssl req -new -x509 -nodes -newkey rsa:2048 -out rootCA.pem -keyout rootCA.key -subj "$CERT_SUBJ" -days 1825
    $ sudo openssl req -new -sha256 -nodes -newkey rsa:2048 -out server.csr -keyout server.key -passout "pass:$CERT_PASSWORD" -subj "$CERT_SUBJ"
    $ sudo openssl x509 -req -sha256 -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.pem -days 1825

  6. Create the PKCS12 file.

    $ sudo openssl pkcs12 -export -nodes -in server.pem -inkey server.key -out keystore.p12 -name server -passin "pass:$CERT_PASSWORD" -password "pass:$CERT_PASSWORD"

  7. Import the RootCA and the certificate into the keystore.

    $ sudo keytool -import -alias rootca -cacerts -storepass "$CERT_PASSWORD" -file rootCA.pem -noprompt
    $ sudo keytool -import -alias server -cacerts -storepass "$CERT_PASSWORD" -file server.pem -noprompt

Take note of the paths to:

  • server.pem

  • server.key

  • keystore.p12

You will need them during configuration.
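
Before pointing the configuration at these files, it is worth confirming that they belong together. The following script is an added example, not part of the original page: it checks that server.key matches server.pem, that keystore.p12 opens with the password and contains the same certificate, that the subject is the expected DNS name, that the certificate is not close to expiry, and that the private key is not readable by other users. The function names, the 30-day window and the fallback to changeit when CERT_PASSWORD is unset are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page: checks the three files that the
# procedure produces. Function names and the 30-day window are assumptions.

key_matches_cert() {   # DIR: server.key and server.pem hold the same public key
    cert_pub=$(openssl x509 -in "$1/server.pem" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1/server.key" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

keystore_has_cert() {  # DIR PASSWORD: keystore.p12 opens and contains server.pem
    pem_fp=$(openssl x509 -in "$1/server.pem" -noout -fingerprint -sha256 2>/dev/null) || return 1
    # env: keeps the password out of the openssl argument list
    p12_fp=$(P12_PASS=$2 openssl pkcs12 -in "$1/keystore.p12" -nokeys \
        -passin env:P12_PASS 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null) || return 1
    [ "$pem_fp" = "$p12_fp" ]
}

subject_cn_is() {      # DIR NAME: subject is exactly CN=NAME, as set in step 3
    subj=$(openssl x509 -in "$1/server.pem" -noout -subject -nameopt RFC2253 2>/dev/null) || return 1
    [ "${subj#subject=}" = "CN=$2" ]
}

not_expiring_soon() {  # DIR: certificate is valid for at least 30 more days
    openssl x509 -in "$1/server.pem" -noout -checkend $((30 * 86400)) >/dev/null 2>&1
}

key_is_private() {     # DIR: server.key is not readable by group or others
    [ -f "$1/server.key" ] &&
        [ -z "$(find "$1/server.key" \( -perm -040 -o -perm -004 \))" ]
}

run_check() { if "$@"; then echo "ok   $1"; else echo "FAIL $1"; failed=1; fi; }

# check_dcv_cert DIR PASSWORD NAME: run every check, return 0 only if all pass.
check_dcv_cert() {
    failed=0
    run_check key_matches_cert "$1"
    run_check keystore_has_cert "$1" "$2"
    run_check subject_cn_is "$1" "$3"
    run_check not_expiring_soon "$1"
    run_check key_is_private "$1"
    return "$failed"
}

# Stand-alone use: sh check.sh DIR NAME (password read from CERT_PASSWORD).
if [ "$#" -eq 2 ]; then check_dcv_cert "$1" "${CERT_PASSWORD:-changeit}" "$2"; fi
```

Run it as a user that can read the files (they were created with sudo), passing the security directory and the host's public DNS name. A FAIL on key_is_private means server.key should have its permissions tightened before the host goes into service.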