Registering SSL-VPN certificates (V2 service/self-signed certificate)

This section explains the procedure for registering certificates for SSL-VPN in the K5 IaaS key management function.

  1. Register the CA certificate.
    $ CA_NAME=ca (Fixed value)
    Note:

    Specify the above fixed value for CA_NAME.

    If the fixed value is not specified, an error will occur when creating the SSL-VPN connection.

    $ EXPIRATION="<CA Certificate Term of Validity (Optional)>"
    Note:

    Specify the <CA_Certificate_Term_of_Validity_(Optional)> using the format YYYY-MM-DDThh:mm:ss.

    As the parameter contains metacharacters, enclose it in double quotes.

    $ CONTENT_TYPE=text/plain
  2. Execute the following API.
    $ curl -X POST -sS -i $KEYMANAGEMENT/v1/$PROJECT_ID/secrets \
    -H "X-Auth-Token: $OS_AUTH_TOKEN" -H "Content-Type: application/json" \
    -d '{"name":"'$CA_NAME'", "expiration": "'$EXPIRATION'",
     "payload": "<CA_Certificate_Content>",
     "payload_content_type": "'$CONTENT_TYPE'" }'
    Note:

    Configure the <CA_Certificate_Content> using the following procedure.

    • Display the information of the CA certificate using the above cat command.
    • Copy the retrieved information which starts with "-----BEGIN CERTIFICATE-----" and ends with "-----END CERTIFICATE-----".
    • Use a text editor, etc. to replace the line feed codes with the character string "\n".
    • Use the edited information for the <CA_Certificate_Content>.

    If the response code 201 is output as shown below, then registration is complete.

    HTTP/1.1 100 Continue
    
    HTTP/1.1 201 Created
    X-Fcx-Endpoint-Request: EXECUTED_REQ000256040_201
    Location: http://keymanagement.<Region Identifier>.cloud.global.fujitsu.com/<Project ID>/secrets/<CA Certificate ID>
    Content-Type: application/json;charset=UTF-8
    Content-Length: 155
    Date: Www, DD MMM yyyy hh:mm:ss GMT
    {"secret_ref": "https://keymanagement.<Region Identifier>.cloud.global.fujitsu.com/v1/<Project ID>/secrets/<CA Certificate ID>"}
  3. Register the server certificate.
    $ SV_CERT_NAME=server_certificate (Fixed value)
    Note:

    Specify the above fixed value for SV_CERT_NAME.

    If the fixed value is not specified, an error will occur when creating the SSL-VPN connection.

    $ EXPIRATION="<Server Certificate Term of Validity (Optional)>"
    Note:

    Specify the <Server_Certificate_Term_of_Validity_(Optional)> using the format YYYY-MM-DDThh:mm:ss.

    By default, the term of validity of the server certificate is configured as 10 years after the time of creation of the certificate. Specify a term of validity less than or equal to 10 years.

    As the parameter contains metacharacters, enclose it in double quotes.

    $ CONTENT_TYPE=text/plain
  4. Execute the following API.
    $ curl -X POST -sS -i $KEYMANAGEMENT/v1/$PROJECT_ID/secrets \
    -H "X-Auth-Token: $OS_AUTH_TOKEN" -H "Content-Type: application/json" \
    -d '{"name":"'$SV_CERT_NAME'", "expiration": "'$EXPIRATION'",
     "payload": "<Server_Certificate_Content>",
     "payload_content_type": "'$CONTENT_TYPE'" }'
    Note:

    Configure the <Server_Certificate_Content> using the following procedure.

    • Display the information of the server certificate using the above cat command.
    • Copy the retrieved information which starts with "-----BEGIN CERTIFICATE-----" and ends with "-----END CERTIFICATE-----".
    • Use a text editor, etc. to replace the line feed codes with the character string "\n".
    • Use the edited information for the <Server_Certificate_Content>.

    If the response code 201 is output as shown below, then registration is complete.

    HTTP/1.1 100 Continue
    
    HTTP/1.1 201 Created
    X-Fcx-Endpoint-Request: EXECUTED_REQ000225866_201
    Location: http://keymanagement.<Region Identifier>.cloud.global.fujitsu.com/<Project ID>/secrets/<Server Certificate ID>
    Content-Type: application/json;charset=UTF-8
    Content-Length: 155
    Date: Www, DD MMM yyyy hh:mm:ss GMT
    {"secret_ref": "https://keymanagement.<Region Identifier>.cloud.global.fujitsu.com/v1/<Project ID>/secrets/<Server Certificate ID>"}
  5. Register the private key for the server certificate.
    $ SV_KEY_NAME=server_key (Fixed value)
    Note:

    Specify the above fixed value for SV_KEY_NAME.

    If the fixed value is not specified, an error will occur when creating the SSL-VPN connection.

    $ EXPIRATION="<Private Key for Server Certificate Term of Validity (Optional)>"
    Note:

    Specify the <Private_Key_for_Server_Certificate_Term_of_Validity_(Optional)> using the format YYYY-MM-DDThh:mm:ss.

    By default, the term of validity of the private key for the server certificate is configured as 10 years after the time of creation of the private key. Specify a term of validity less than or equal to 10 years.

    As the parameter contains metacharacters, enclose it in double quotes.

    $ CONTENT_TYPE=text/plain
  6. Execute the following API.
    $ curl -X POST -sS -i $KEYMANAGEMENT/v1/$PROJECT_ID/secrets \
    -H "X-Auth-Token: $OS_AUTH_TOKEN" -H "Content-Type: application/json" \
    -d '{"name":"'$SV_KEY_NAME'", "expiration": "'$EXPIRATION'",
     "payload":"<Private Key for Server Certificate Content>",
     "payload_content_type": "'$CONTENT_TYPE'" }'
    Note:

    Configure the <Private_Key_for_Server_Certificate_Content> using the following procedure.

    • Display the information of the private key for the server certificate using the above cat command.
    • Copy the retrieved information which starts with "-----BEGIN PRIVATE KEY-----" and ends with "-----END PRIVATE KEY-----".
    • Use a text editor, etc. to replace the line feed codes with the character string "\n".
    • Use the edited information for the <Private_Key_for_Server_Certificate_Content>.

    If the response code 201 is output as shown below, then registration is complete.

    HTTP/1.1 100 Continue
    
    HTTP/1.1 201 Created
    X-Fcx-Endpoint-Request: EXECUTED_REQ000257600_201
    Location: http://keymanagement.<Region Identifier>.cloud.global.fujitsu.com/<Project ID>/secrets/<ID of Private Key for Server Certificate>
    Content-Type: application/json;charset=UTF-8
    Content-Length: 155
    Date: Www, DD MMM yyyy hh:mm:ss GMT
    {"secret_ref": "https://keymanagement.<Region Identifier>.cloud.global.fujitsu.com/v1/<Project ID>/secrets/<ID of Private Key for Server Certificate>"}
  7. Register the DH key.
    $ DH_NAME=dh (Fixed value)
    Note:

    Specify the above fixed value for DH_NAME.

    If the fixed value is not specified, an error will occur when creating the SSL-VPN connection.

    $ EXPIRATION="<DH Key Term of Validity (Optional)>"
    Note:

    Specify the <DH_Key_Term_of_Validity_(Optional)> using the format YYYY-MM-DDThh:mm:ss.

    As the parameter contains metacharacters, enclose it in double quotes.

    $ CONTENT_TYPE=text/plain
  8. Execute the following API.
    $ curl -X POST -sS -i $KEYMANAGEMENT/v1/$PROJECT_ID/secrets \
    -H "X-Auth-Token: $OS_AUTH_TOKEN" -H "Content-Type: application/json" \
    -d '{"name":"'$DH_NAME'", "expiration": "'$EXPIRATION'",
     "payload":"<DH Key Content>", "payload_content_type": "'$CONTENT_TYPE'" }'
    Note:

    Configure the <DH_Key_Content> using the following procedure.

    • Display the information of the DH key using the above cat command.
    • Copy the retrieved information which starts with "-----BEGIN DH PARAMETERS-----" and ends with "-----END DH PARAMETERS-----".
    • Use a text editor, etc. to replace the line feed codes with the character string "\n".
    • Use the edited information for the <DH_Key_Content>.

    If the response code 201 is output as shown below, then registration is complete.

    HTTP/1.1 100 Continue
    
    HTTP/1.1 201 Created
    X-Fcx-Endpoint-Request: EXECUTED_REQ000229580_201
    Location: http://keymanagement.<Region Identifier>.cloud.global.fujitsu.com/<Project ID>/secrets/<DH Key ID>
    Content-Type: application/json;charset=UTF-8
    Content-Length: 155
    Date: Www, DD MMM yyyy hh:mm:ss GMT
    {"secret_ref": "https://keymanagement.<Region Identifier>.cloud.global.fujitsu.com/v1/<Project ID>/secrets/<DH Key ID>"}
  9. Execute the following API to confirm the certificates that were registered using this procedure.
    $ curl -X GET -sS $KEYMANAGEMENT/v1/$PROJECT_ID/secrets \
     -H "X-Auth-Token: $OS_AUTH_TOKEN" | jq .

    If the registered certificates are output as shown below, then creation is complete.

    {
      "total": 4,
      "secrets": [
        {
          "expiration": "<CA Certificate Term of Validity>",
          "bit_length": null,
          "status": "ACTIVE",
          "secret_ref": "https://keymanagement.<Region Identifier>.cloud.global.fujitsu.com/v1/<projectId>/secrets/<caCertificateID>",
          "updated": "YYYY-MM-DDThh:mm:ss.SSS",
          "name": "ca",
          "algorithm": null,
          "created": "YYYY-MM-DDThh:mm:ss.SSS",
          "content_types": {
            "default": "text/plain"
          },
          "mode": null
        },
        {
          "expiration": "<Server Certificate Term of Validity>",
          "bit_length": null,
          "status": "ACTIVE",
          "secret_ref": "https://keymanagement.<Region Identifier>.cloud.global.fujitsu.com/v1/<projectId>/secrets/<serverCertificateId>",
          "updated": "YYYY-MM-DDThh:mm:ss.SSS",
          "name": "server_certificate",
          "algorithm": null,
          "created": "YYYY-MM-DDThh:mm:ss.SSS",
          "content_types": {
            "default": "text/plain"
          },
          "mode": null
        },
        {
          "bit_length": null,
          "status": "ACTIVE",
          "secret_ref": "https://keymanagement.<Region Identifier>.cloud.global.fujitsu.com/v1/<projectId>/secrets/<idOfPrivateKeyForServerCertificate>",
          "updated": "YYYY-MM-DDThh:mm:ss.SSS",
          "name": "server_key",
          "algorithm": null,
          "created": "YYYY-MM-DDThh:mm:ss.SSS",
          "content_types": {
            "default": "text/plain"
          },
          "mode": null
        },
        {
          "expiration": "<DH Key Term of Validity (Optional)>",
          "bit_length": null,
          "status": "ACTIVE",
          "secret_ref": "https://keymanagement.<Region Identifier>.cloud.global.fujitsu.com/v1/<projectId>/secrets/<dhKeyId>",
          "updated": "YYYY-MM-DDThh:mm:ss.SSS",
          "name": "dh",
          "algorithm": null,
          "created": "YYYY-MM-DDThh:mm:ss.SSS",
          "content_types": {
            "default": "text/plain"
          },
          "mode": null
        }
      ]
    }
Note: Take a note of the "secret_ref" values for the certificates registered using this procedure, as these values will be used during "Creating an SSL-VPN connection (V2 service/self-signed certificate)".
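The four registration steps above share one manual sub-procedure: display the PEM file, copy the text between the BEGIN and END markers, and replace every line feed with the two characters "\n" before pasting it into the JSON body. The script below is an added example, not part of the K5 documentation, that performs that conversion from a file and checks the markers and the expiration format before anything is sent. It assumes the same environment variables the page uses ($KEYMANAGEMENT, $PROJECT_ID, $OS_AUTH_TOKEN, $EXPIRATION), local file names ca.crt, server.crt, server.key and dh.pem (assumed names, not from the page), and that leaving out the "expiration" field is accepted when no term of validity is wanted (the page only says the value is optional).

```shell
#!/bin/sh
# Added example, not part of the K5 documentation. Builds the JSON body for
# POST $KEYMANAGEMENT/v1/$PROJECT_ID/secrets directly from a PEM file, so the
# line-feed-to-"\n" conversion and the BEGIN/END markers are checked by the
# script rather than by hand. Assumed: the page's environment variables
# ($KEYMANAGEMENT, $PROJECT_ID, $OS_AUTH_TOKEN, $EXPIRATION), local file names
# ca.crt / server.crt / server.key / dh.pem, and that a missing "expiration"
# field is accepted as "no expiry" (the page only says the value is optional).

# Return 0 when the first and last non-blank lines of FILE are the PEM markers
# for LABEL (CERTIFICATE, PRIVATE KEY, DH PARAMETERS), 1 otherwise.
# CR characters from Windows line endings are ignored.
check_pem_markers() {
    pem_file=$1; pem_label=$2
    pem_first=$(awk '{ sub(/\r$/, "") } NF { print; exit }' "$pem_file")
    pem_last=$(awk '{ sub(/\r$/, "") } NF { l = $0 } END { print l }' "$pem_file")
    [ "$pem_first" = "-----BEGIN $pem_label-----" ] &&
        [ "$pem_last" = "-----END $pem_label-----" ]
}

# Print FILE as one JSON string value: blank lines and CRs dropped, each
# remaining line feed replaced by the two characters '\' 'n', which is what the
# page's text-editor step produces by hand.
pem_to_json_string() {
    awk '{ sub(/\r$/, "") } NF { printf "%s%s", (n++ ? "\\n" : ""), $0 }' "$1"
}

# Return 0 when the expiration has the page's YYYY-MM-DDThh:mm:ss shape.
check_expiration_format() {
    case $1 in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# build_secret_body NAME EXPIRATION LABEL FILE
# Prints the request body. An empty EXPIRATION omits the field instead of
# sending "expiration": "" as an inline-variable curl would.
build_secret_body() {
    s_name=$1; s_exp=$2; s_label=$3; s_file=$4
    if ! check_pem_markers "$s_file" "$s_label"; then
        echo "$s_file: expected -----BEGIN $s_label----- ... -----END $s_label-----" >&2
        return 1
    fi
    if [ -n "$s_exp" ] && ! check_expiration_format "$s_exp"; then
        echo "expiration '$s_exp' is not in the form YYYY-MM-DDThh:mm:ss" >&2
        return 1
    fi
    s_payload=$(pem_to_json_string "$s_file")
    if [ -n "$s_exp" ]; then
        printf '{"name":"%s","expiration":"%s","payload":"%s","payload_content_type":"text/plain"}' \
            "$s_name" "$s_exp" "$s_payload"
    else
        printf '{"name":"%s","payload":"%s","payload_content_type":"text/plain"}' \
            "$s_name" "$s_payload"
    fi
}

# register_secret NAME EXPIRATION LABEL FILE
# Same endpoint and headers as the page; the body is passed on stdin (-d @-)
# so the PEM text never goes through shell word splitting. Without -i only the
# response body ({"secret_ref": ...}) is printed.
register_secret() {
    r_body=$(build_secret_body "$@") || return 1
    printf '%s' "$r_body" | curl -X POST -sS "$KEYMANAGEMENT/v1/$PROJECT_ID/secrets" \
        -H "X-Auth-Token: $OS_AUTH_TOKEN" -H "Content-Type: application/json" -d @-
    echo
}

# Usage with the page's fixed secret names. Runs only when the environment is
# set, so the functions above can also be sourced and tested offline.
if [ -n "${KEYMANAGEMENT:-}" ] && [ -n "${PROJECT_ID:-}" ] && [ -n "${OS_AUTH_TOKEN:-}" ]; then
    register_secret ca                 "${EXPIRATION:-}" "CERTIFICATE"   ca.crt
    register_secret server_certificate "${EXPIRATION:-}" "CERTIFICATE"   server.crt
    register_secret server_key         "${EXPIRATION:-}" "PRIVATE KEY"   server.key
    register_secret dh                 "${EXPIRATION:-}" "DH PARAMETERS" dh.pem
    # Step 9 check: list name and secret_ref of every secret, the values to
    # note down for creating the SSL-VPN connection.
    curl -X GET -sS "$KEYMANAGEMENT/v1/$PROJECT_ID/secrets" -H "X-Auth-Token: $OS_AUTH_TOKEN" \
        | jq -r '.secrets[] | "\(.name) \(.secret_ref)"'
fi
```

The marker check is deliberately per-label: the private key must be registered as a PRIVATE KEY block and the DH parameters as a DH PARAMETERS block, so passing the wrong file to the wrong fixed name fails before the request is made rather than at SSL-VPN connection time.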