First published on MSDN on May 19, 2017
In this article, we will look into how to generate a self-signed certificate in Linux and use it for access token signing in R Server Operationalization Web Node. You must use a certificate for access token signing whenever you have multiple web nodes so that the tokens are signed consistently by every web node in your configuration. A certificate with a private key is required to sign the user access tokens between the web node and the LDAP server. Tokens are particularly useful to the application developer who can use them to identify and authenticate the user who is sending the API call within her or his application.
To try this out, you can spin up one of the R Server Linux images that are available in the Azure Portal:
1. Switch to root user and navigate to home directory /root
If you already have a certificate from a trusted certificate authority, skip step 2 and move to step 3.
2. Generate Self-Signed Certificate (.pfx file)
We are limited to using pfx files since dotnet core can read private keys only from pfx files. The subject name used here is CN=LOCALHOST; you can replace it with a subject name of your choice.
openssl genrsa -out privateKey.pem 2048
openssl req -new -x509 -key privateKey.pem -out publicCert.pem -days 3650 -nodes -subj "/CN=LOCALHOST"
openssl pkcs12 -export -out merged.pfx -inkey privateKey.pem -in publicCert.pem -passout pass:
3. Install Certificate using dotnet code
Only Root and CertificateAuthority are supported for StoreName in Linux. We will use Root as StoreName since we start the WebNode as root user. On Linux, we don’t have any notion of machine-owned private keys, because Linux doesn’t have a machine-level private key store, and the LocalMachine\Root is loaded with that knowledge (it loads only X.509 PEM, X.509 DER, and X.509 PEM-series files). Hence, we will use
dotnet new console -o InstallCert
If the program ran successfully without any errors, the certificate will be installed in the following path with its thumbprint as the file name:
4. Modify /usr/lib64/microsoft-r/rserver/o16n/9.1.0/Microsoft.RServer.WebNode/appsettings.json with the following JWTSigningCertificate information:
"Description": "Enable this section if you want to sign the access token with a certificate instead of a randomly generated key",
At this point, you will see that JWTKey has a 'not set' value in the appsettings.json file:
"JWTKey": "not set"
6. Once the web node starts successfully, check /usr/lib64/microsoft-r/rserver/o16n/9.1.0/Microsoft.RServer.WebNode/appsettings.json to see if the JWTKey has been generated:
If you have multiple web nodes, copy the certificate to all the other web nodes and perform steps 3 to 6 on each of them.
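Before installing a copied .pfx on another web node, it helps to confirm that the copy holds the same certificate and a matching private key, since every node must sign tokens with the same key. The script below is an added example, not part of the original article; it assumes the openssl CLI is installed, and the function names are hypothetical. The thumbprint it prints is the SHA-1 fingerprint of the certificate, the value used as the file name in step 3.

```shell
#!/bin/sh
# Added example: sanity-check a PFX before installing it on a web node.
# Assumes the openssl CLI is on PATH; function names are hypothetical.
# Arguments: $1 = pfx path, $2 = export password (empty for step 2's pfx).

# Print the SHA-1 thumbprint (uppercase hex, no colons) of the
# certificate stored in the PFX.
pfx_thumbprint() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null |
        openssl x509 -noout -fingerprint -sha1 2>/dev/null |
        cut -d= -f2 | tr -d ':' | tr 'a-f' 'A-F'
}

# Succeed only if the PFX carries a private key whose public half
# equals the public key in the certificate. A cert-only PFX fails here,
# which is the case that would leave a node unable to sign tokens.
pfx_has_matching_key() {
    cert_pub=$(openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null |
        openssl x509 -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null |
        openssl pkey -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Compare two PFX files (the original and a copy on another node,
# $1 and $2, password $3): same thumbprint, and both usable for signing.
pfx_same_signing_cert() {
    a=$(pfx_thumbprint "$1" "$3")
    b=$(pfx_thumbprint "$2" "$3")
    [ -n "$a" ] && [ "$a" = "$b" ] &&
        pfx_has_matching_key "$1" "$3" && pfx_has_matching_key "$2" "$3"
}

# Direct use: sh check_pfx.sh merged.pfx [password]
if [ -n "${1:-}" ]; then
    echo "thumbprint: $(pfx_thumbprint "$1" "${2:-}")"
    if pfx_has_matching_key "$1" "${2:-}"; then
        echo "private key matches certificate"
    else
        echo "no matching private key in $1" >&2
    fi
fi
```

Run it against merged.pfx on the first node and against the copied file on each other node; the thumbprints must be identical.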