How were the certificates in /cert directory generated? Need commands for OpenBao/Vault integration

Hi Free5GC Community,

I’m working on integrating Free5GC with OpenBao (HashiCorp Vault fork) for certificate management and need to understand how the default certificates were generated.

Background:
I’m trying to replicate the certificate structure from https://github.com/free5gc/free5gc/tree/main/cert using OpenBao’s PKI secrets engine. To do this properly, I need to know the exact OpenSSL commands or certificate generation process that was used to create the original certificates.

What I Need:

Could someone from the Free5GC team or community please share:

Root CA generation commands - How was the root CA certificate and private key created?

Network Function certificates - What OpenSSL commands were used to generate the individual NF certificates (amf.pem, nrf.pem, etc.)?

Certificate extensions and parameters - What specific key usage, extended key usage, and other X.509 extensions were applied?

Certificate signing process - How were the NF certificates signed by the root CA?

Example of what I’m looking for:

Something like this for root CA:

openssl genrsa -out rootCA.key 4096
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 \
  -out rootCA.pem -subj "/C=TW/ST=Taiwan/L=Taipei/O=free5GC Project/CN=free5GC Root CA"

And for NF certificates:

openssl genrsa -out nrf.key 2048
openssl req -new -key nrf.key -out nrf.csr -subj "/CN=nrf.free5gc.org"
openssl x509 -req -in nrf.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out nrf.pem

Why This Matters:
Understanding the original certificate generation process will help me:

Configure OpenBao PKI engine with the correct parameters
Ensure OAuth2 token generation works properly with the NRF
Maintain compatibility with Free5GC’s certificate expectations
Automate certificate lifecycle management

Current Issue:
I’m getting OAuth2-related certificate verification errors, and I suspect it’s because my OpenBao-generated certificates don’t match the exact specifications of the original Free5GC certificates.
Any help, documentation links, or insights would be greatly appreciated!

Thanks in advance!

Environment:

Use Case: Enterprise Free5GC deployment with centralized certificate management
Version: Free5GC v3.4.x
Related: PKI, OAuth2, NRF certificate management

Sample errors when AMF tries to communicate with AUSF:

Unauthorized: verify OAuth parse: token signature is invalid: crypto/rsa: verification error

kubectl -n telco logs deploy/core5g-ausf-deployment

Defaulted container "ausf" out of: ausf, wait-for-nrf (init)
2025-06-30T18:06:14.836873230Z [INFO][AUSF][Main] AUSF version:
        free5GC version: v4.0.0
        build time:      2025-03-03T11:39:34Z
        commit hash:     6ef66bb8
        commit time:     2025-03-03T11:31:57Z
        go version:      go1.21.8 linux/amd64
2025-06-30T18:06:14.837254021Z [INFO][AUSF][CFG] Read config from [config/ausfcfg.yaml]
2025-06-30T18:06:14.840564854Z [INFO][AUSF][Main] Log enable is set to [true]
2025-06-30T18:06:14.840615729Z [INFO][AUSF][Main] Log level is set to [debug]
2025-06-30T18:06:14.840636994Z [INFO][AUSF][Main] Report Caller is set to [false]
2025-06-30T18:06:14.840701489Z [INFO][AUSF][Init] ausfconfig Info: Version[1.0.3] Description[AUSF initial local configuration]
ausf context =  &{{{0 0} {[] {} <nil>} map[] 0} {{0 0} {[] {} <nil>} map[] 0} b9475e8d-59b0-4500-b446-1a64bff928df ausfGroup001 8000 ausf.telco.svc.cluster.local 0.0.0.0 https://ausf.telco.svc.cluster.local:8000 https https://nrf.telco.svc.cluster.local:8000 /etc/ssl/nrf/tls.crt map[nausf-auth:{b9475e8d-59b0-4500-b446-1a64bff928df nausf-auth [{v1 1.0.3 <nil>}] https REGISTERED   [{ausf.telco.svc.cluster.local   8000}]  [] [] [] [] [] [] map[] map[] 0 0 0 <nil> <nil>  [] [] []  map[] false <nil>}] [{208 93}]  0xc0006b00a0 false false}
2025-06-30T18:06:14.841055091Z [INFO][AUSF][SBI] Binding addr: [0.0.0.0:8000]
2025-06-30T18:06:14.841107006Z [INFO][AUSF][Init] Server started
2025-06-30T18:06:24.844607003Z [ERRO][AUSF][Consumer] AUSF register to NRF Error[Put "https://nrf.telco.svc.cluster.local:8000/nnrf-nfm/v1/nf-instances/b9475e8d-59b0-4500-b446-1a64bff928df": net/http: request canceled (Client.Timeout exceeded while awaiting headers)]
2025-06-30T18:06:34.977170243Z [INFO][AUSF][Main] OAuth2 setting receive from NRF: true
2025-06-30T18:06:34.977219002Z [INFO][AUSF][SBI] Start SBI server (listen on 0.0.0.0:8000)
2025-06-30T18:08:30.861509080Z [DEBU][AUSF][Util] AUSFContext::AuthorizationCheck: token[Bearer eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiIiLCJzdWIiOiIzNjU2MTZkNC0wMGNkLTQ2MjgtOTJhMi04NDlmODUwODQ3YTEiLCJhdWQiOiIiLCJzY29wZSI6Im5hdXNmLWF1dGgiLCJleHAiOjE3NTEzMDc5MTAsImlhdCI6MTc1MTMwNjkxMH0.DyyWlzVK2ZfXJvXs3JoEY2GZpihuzlZ-6hEq98eKWwCuETt9E0MWYVyJZdCuK1EhHejIAnTgFx4vDuo5CeIL4krEWSzPgth7-1HJhQIv-S6qNUr0rhlTV7CLaLvkJKGsAFC8jhearkniw3eSRxbqMhHmf7lfM-Qxz65YhpDljfHBmRcdm0FaGVQV1NPyiMS0LFoJ-GABDglWkwsHMdTpIyOgykc3a9DaXtsCjE6_Z7lNRoDHI6O-ELfPYfx1D3SS-cBkd9ax9QTI-V7W7QeVX4gyqRaufiNn_TDz3Ri_hkpiH2usSmKnpt_o6BY5yJzC8Y4cV9tqukOMi7u5e6Mxyw] serviceName[nausf-auth]
2025-06-30T18:08:30.862152376Z [DEBU][AUSF][Util] RouterAuthorizationCheck: Check Unauthorized: verify OAuth parse: token signature is invalid: crypto/rsa: verification error
2025-06-30T18:08:30.862201386Z [INFO][AUSF][GIN] | 401 |    10.1.111.156 | POST    | /nausf-auth/v1/ue-authentications |
2025-06-30T18:08:41.863511099Z [DEBU][AUSF][Util] AUSFContext::AuthorizationCheck: token[Bearer eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiIiLCJzdWIiOiIzNjU2MTZkNC0wMGNkLTQ2MjgtOTJhMi04NDlmODUwODQ3YTEiLCJhdWQiOiIiLCJzY29wZSI6Im5hdXNmLWF1dGgiLCJleHAiOjE3NTEzMDc5MjEsImlhdCI6MTc1MTMwNjkyMX0.SdI9eGgqbdbFdgk7oq3cht8dixunMHyYZj90UeFC3Ztj76fqfTD66j7H5gynoK8QbioKmg23Nh6aoxE7D_kSdSSYTMp9145X-YDtmMU5__8uhqXwwBaK0BlUoWHsP-me38jsyNLDni0TD_QQbDDBzS5n71BI3MnbPSXxA1y4g0iL4OKpCY9N3dIatj5zURDGuyccahzLtMDGp27ls-vnbAgJXdZhy29i6rP1WEpn9cCtk-elh-dpMqx7byTMSdXRi-B6VoB3NX9fpUNMImLLDWD10VaxKemDlE5Qv-iJAXRBEJlEQhDdUySh3ikxMRclcqrPkhsczab0teLNCDsQYA] serviceName[nausf-auth]
2025-06-30T18:08:41.864056308Z [DEBU][AUSF][Util] RouterAuthorizationCheck: Check Unauthorized: verify OAuth parse: token signature is invalid: crypto/rsa: verification error
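
An added example, not free5GC's own tooling and not the commands behind free5gc/cert: it issues an NRF certificate from a local root CA along the lines sketched in the question, signs a JWT signing input the way RS512 does (PKCS#1 v1.5 over SHA-512), and shows that the token verifies only under the certificate issued for the key that signed it, which is the "crypto/rsa: verification error" path in the AUSF log. The subjects, validity periods, the second nrf-old key and all file names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not free5GC's own tooling): issue an NRF certificate from a local root CA the way the
# question sketches, then show that an RS512-signed token only verifies under a certificate that was
# issued for the key that actually signed it. Subjects and validity periods are placeholders.
set -eu
work=$(mktemp -d)
cd "$work"

openssl genrsa -out rootCA.key 2048 2>/dev/null
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 365 \
  -out rootCA.pem -subj "/CN=Example Root CA"

openssl genrsa -out nrf.key 2048 2>/dev/null      # key the NRF signs tokens with
openssl genrsa -out nrf-old.key 2048 2>/dev/null  # a different key, e.g. behind a previously issued tls.crt
for k in nrf nrf-old; do
  openssl req -new -key "$k.key" -out "$k.csr" -subj "/CN=nrf.free5gc.org"
  openssl x509 -req -in "$k.csr" -CA rootCA.pem -CAkey rootCA.key -CAcreateserial \
    -days 365 -sha256 -out "$k.pem" 2>/dev/null
done

# Build a JWT signing input (constructed header and claims) and sign it as RS512 does.
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }
hdr=$(printf '%s' '{"alg":"RS512","typ":"JWT"}' | b64url)
payload=$(printf '%s' '{"scope":"nausf-auth"}' | b64url)
printf '%s.%s' "$hdr" "$payload" > signing_input.txt
openssl dgst -sha512 -sign nrf.key -out token.sig signing_input.txt

# verify_with CERT: what the consumer NF does with the NRF certificate it is given:
# pull out the public key and check the token signature against it.
verify_with() {
  openssl x509 -in "$1" -noout -pubkey > pub.pem
  openssl dgst -sha512 -verify pub.pem -signature token.sig signing_input.txt >/dev/null 2>&1
}

# key_matches_cert KEY CERT: the direct consistency check, comparing the public key
# derived from the private key with the one embedded in the certificate.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout | openssl sha256)" = \
    "$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)" ]
}

verify_with nrf.pem && echo "nrf.pem: token verifies"
verify_with nrf-old.pem || echo "nrf-old.pem: verification failure (the AUSF symptom)"
key_matches_cert nrf.key nrf.pem && echo "nrf.key matches nrf.pem"
key_matches_cert nrf.key nrf-old.pem || echo "nrf.key does not match nrf-old.pem"
```

Running key_matches_cert against the key the NRF signs with and the tls.crt mounted in the AUSF pod tells you directly whether the two were issued together.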

Hi,

Our team will respond and address it via the GitHub issues page.

Best regards,
Peggy