[Previous] [Next] [Table of Contents]

------------------------------------------------------------------------

3.1 Configuring files for generating your own SSL certificates.

You did everything outlined in Compiling SSLeay for OpenVMS and you want to generate SSL certificates. Here's what you have to do.

1. Pick a place where you want to store all your certificate files (we will assume you will call it SSL_CERTS for the purpose of this exercise) and create the directories CERTS, CRL, NEWCERTS and PRIVATE underneath it.

   $ CREATE/DIRECTORY [.SSL_CERTS]
   $ CREATE/DIRECTORY [.SSL_CERTS.CERTS]
   $ CREATE/DIRECTORY [.SSL_CERTS.CRL]
   $ CREATE/DIRECTORY [.SSL_CERTS.NEWCERTS]
   $ CREATE/DIRECTORY [.SSL_CERTS.PRIVATE]

2. Create a file in the [.PRIVATE] directory called RANDFILE.; that contains a few hundred bytes of random data; it is used to seed the random number generator in the encryption library. The easiest way is to write the output of SHOW SYSTEM/FULL into the file. (Bear in mind that a process listing is only mildly unpredictable: anyone who can run SHOW SYSTEM at about the same time sees most of the same bytes. Do not treat it as a strong seed, and refresh it before generating keys that matter.)

   $ SHOW SYSTEM/FULL/OUTPUT=[.SSL_CERTS.PRIVATE]RANDFILE.;

3. Define the logical name RANDFILE to point to where the RANDFILE.; file is kept.

   $ DEFINE/SYSTEM/EXEC RANDFILE DISK$WORK:[SSL_CERTS.PRIVATE]RANDFILE.;

4. Create the file INDEX.TXT with nothing in it and place it in the [.SSL_CERTS] directory.

5. Create the file SERIAL.; containing just "01" and place it in the [.SSL_CERTS] directory.

6. Copy the [.SSLEAY-0_8_1A.APPS]SSLEAY-VMS.CNF file into the [.SSL_CERTS] directory.

7. Edit the [.SSL_CERTS]SSLEAY-VMS.CNF file and change the line

      dir = sys$disk:[.demoCA #Where everything is kept

   to point to the top of your "SSL_CERTS" directory tree, like this:

      dir = disk$work:[ssl_certs #Where everything is kept

   (The directory specification is deliberately left without its closing bracket: the other entries in that section append to it, so $dir.private] becomes disk$work:[ssl_certs.private].) Also edit the line for RANDFILE.;

      RANDFILE = $dir.private].rand # private random number file

   to look like

      RANDFILE = $dir.private]RANDFILE.; # private random number file

   and completely remove the line

      RANDFILE = $ENV::HOME/.rnd

   at the top of the file.

8.
   You might also want to look through this file to customize other settings, such as default_bits for key generation.

------------------------------------------------------------------------

3.2 Creating your own self-signed SSL certificate.

You did everything outlined in Configuring files for generating your own SSL certificates and everything outlined in Installing SSLeay for OpenVMS and you want to generate your own self-signed SSL certificate. Here are the steps.

1. Execute the [.SSLEAY-0_8_1A.VMS]SSLEAY_UTILS.COM file to define the symbols for the SSLeay utilities.

   $ @[.SSLEAY-0_8_1A.VMS]SSLEAY_UTILS.COM

2. Go to the top of your "SSL_CERTS" directory.

   $ SET DEFAULT [.SSL_CERTS]

3. Now generate a certificate using the REQ utility.

   $ REQ -config ssleay-vms.cnf -nodes -new -days 365 -x509 -keyout test_key.pem -out test.pem

   Here's a description of what the parameters mean.

   -config   Which configuration file to use.
   -nodes    Don't DES-encrypt the output key. (This is only necessary if the certificate is going to be used with the OpenVMS OSU HTTPD server or another application that doesn't allow a key password to be specified. It leaves the private key in clear text on disk, so protect the file.)
   -new      This is a new certificate request.
   -days     The number of days the X509 certificate is good for.
   -x509     Output an X509 certificate instead of a regular certificate request.
   -keyout   File to output the key to.
   -out      File to output the certificate to.

4. The REQ program will ask you some questions; just answer them. Make sure that when the REQ program asks you

      Common Name (eg, YOUR name) []:

   you enter the internet host name that the server resolves to, if you intend to use the certificate on a web server. So if your server resolves to "beavis.buttnet.net", enter that here. (Clients compare this name with the host name they connected to, so a mismatch produces a warning or a refused connection.)

5. If that went well, you should have two files, the key file and the certificate file. You now need to append the key file (the one you generated when you created the certificate) to the end of the certificate file.

   $ APPEND TEST_KEY.PEM TEST.PEM

6.
   Now use the VERIFY utility to "verify" the certificate.

   $ VERIFY TEST.PEM

7. If that went well and the VERIFY utility says that it's OK, then you have a working self-signed certificate. (A self-signed certificate can only ever verify against itself. Later OpenSSL releases reject it as "self signed certificate" unless the same file is also supplied as the trust anchor with -CAfile; the check then proves only that the file is internally consistent, not that anyone else will trust it.)

------------------------------------------------------------------------

3.3 Creating an SSL certificate request to send to a CA.

You did everything outlined in Configuring files for generating your own SSL certificates and everything outlined in Installing SSLeay for OpenVMS and you want to generate an SSL certificate request to send to a CA. Here are the steps.

1. Execute the [.SSLEAY-0_8_1A.VMS]SSLEAY_UTILS.COM file to define the symbols for the SSLeay utilities.

   $ @[.SSLEAY-0_8_1A.VMS]SSLEAY_UTILS.COM

2. Go to the top of your "SSL_CERTS" directory.

   $ SET DEFAULT [.SSL_CERTS]

3. Now generate a certificate request using the REQ utility.

   $ REQ -config ssleay-vms.cnf -nodes -new -days 365 -keyout newreq_key.pem -out newreq.pem

   Here's a description of what the parameters mean.

   -config   Which configuration file to use.
   -nodes    Don't DES-encrypt the output key. (This is only necessary if the certificate is going to be used with the OpenVMS OSU HTTPD server or another application that doesn't allow a key password to be specified. It leaves the private key in clear text on disk, so protect the file.)
   -new      This is a new certificate request.
   -days     The number of days the certificate is good for. For a plain request this is advisory at best: REQ only uses -days together with -x509, and the CA decides the validity period when it signs.
   -keyout   File to output the key to.
   -out      File to output the certificate request to.

4. The REQ program will ask you some questions; just answer them. Make sure that when the REQ program asks you

      Common Name (eg, YOUR name) []:

   you enter the internet host name that the server resolves to, if you intend to use the certificate on a web server. So if your server resolves to "beavis.buttnet.net", enter that here. You will also be asked to enter "extra" attributes (typically a challenge password and an optional company name). Unless the CA you are sending the request to tells you otherwise, just leave these blank and press RETURN through them.

5. If that went well, you should have two files, the key file and the certificate request file.
6. Send the certificate request file to the CA and keep the key file in a safe place.

7. When you get your signed certificate back from the CA, append your key (the one you generated with the certificate request) to the end of the signed certificate.

   $ APPEND NEWREQ_KEY.PEM SIGNED_NEWREQ.PEM

------------------------------------------------------------------------

3.4 Creating your own CA certificate.

You did everything outlined in Configuring files for generating your own SSL certificates and everything outlined in Installing SSLeay for OpenVMS and you want to generate your very own CA certificate to sign certificate requests. Here are the steps.

1. Execute the [.SSLEAY-0_8_1A.VMS]SSLEAY_UTILS.COM file to define the symbols for the SSLeay utilities.

   $ @[.SSLEAY-0_8_1A.VMS]SSLEAY_UTILS.COM

2. Go to the top of your "SSL_CERTS" directory.

   $ SET DEFAULT [.SSL_CERTS]

3. Now generate a CA certificate using the REQ utility.

   $ REQ -config ssleay-vms.cnf -new -x509 -days 365 -keyout [.private]cakey.pem -out cacert.pem

   Here's a description of what the parameters mean.

   -config   Which configuration file to use.
   -new      This is a new certificate request.
   -x509     Output an X509 certificate instead of a regular certificate request.
   -days     The number of days the generated X509 certificate is good for.
   -keyout   File to output the key to.
   -out      File to output the certificate to.

4. The REQ program will ask you to enter a PEM password (the "PEM pass phrase" prompt). This is used to encrypt the CA key so that only you, or someone who knows the password, can sign certificates. SO KEEP YOUR PASSWORD SAFE! (Note that there is no -nodes here: the CA key should never be stored unencrypted.)

5. The REQ program will ask you some questions; just answer them. Make sure that when the REQ program asks you

      Common Name (eg, YOUR name) []:

   you use YOUR name or something like "CA Authority" and NOT your SERVER name.

6. If all went well, you should have the file CACERT.PEM at the top of your "SSL_CERTS" directory and the CAKEY.PEM file in the PRIVATE directory.
   You should protect the PRIVATE directory to prevent others from accessing your CA key, for example by removing GROUP and WORLD access from the directory and from CAKEY.PEM. Anyone who obtains the key file and learns the password can issue certificates in your CA's name.

7. Now use the VERIFY utility to "verify" the certificate.

   $ VERIFY CACERT.PEM

8. If that went well and the VERIFY utility says that it's OK, then you have a CA certificate.

------------------------------------------------------------------------

3.5 Signing SSL certificate requests with your CA certificate.

You did everything outlined in Configuring files for generating your own SSL certificates and everything outlined in Installing SSLeay for OpenVMS, you created a CA certificate as outlined in Creating your own CA certificate, and you want to sign certificate requests. Here are the steps.

1. Execute the [.SSLEAY-0_8_1A.VMS]SSLEAY_UTILS.COM file to define the symbols for the SSLeay utilities.

   $ @[.SSLEAY-0_8_1A.VMS]SSLEAY_UTILS.COM

2. Take the certificate request file (we'll assume it is called NEWREQ.PEM for this example) and put it at the top of your "SSL_CERTS" directory.

3. Go to the top of your "SSL_CERTS" directory.

   $ SET DEFAULT [.SSL_CERTS]

4. Execute the CA program with the following options to sign the certificate request.

   $ CA -config ssleay-vms.cnf -policy policy_anything -out [.certs]signed_newreq.pem -infiles newreq.pem

   Here's a description of what the parameters mean.

   -config   Which configuration file to use.
   -policy   Which "policy" in the configuration file to use. (policy_anything accepts any distinguished name as long as a common name is present. The distributed configuration also has a policy_match section that requires the country, state and organisation fields to match the CA's own; use that, or a stricter section of your own, if the CA is only meant to issue for your organisation.)
   -out      File to output the signed certificate to.
   -infiles  The file containing the certificate request we are going to sign. (-infiles must be the last option; everything after it is taken as a request file name.)

5. The CA program will ask you to enter the PEM password. This is the password you entered when you created the CA key, which encrypted it so that only you can use it.

6. You will then be shown the information about the certificate. If it looks good to you (and you know the source, etc.) then you will be asked if you want to sign the certificate. This is the moment to check that the Common Name really belongs to whoever sent the request: once signed, the certificate stays valid until its expiry date unless you revoke it and publish a CRL.

7. The CA program will then tell you that the certificate request was certified and ask if you want to commit it.

8.
   If that went well, the signed certificate file SIGNED_NEWREQ.PEM should be in the [.CERTS] directory. (A copy named after its serial number also lands in [.NEWCERTS], INDEX.TXT gains a line for the new certificate and SERIAL.; is incremented. That database is what the CA program consults to refuse a second certificate for the same subject and from which CRLs are generated, so keep it with the rest of the tree.)

9. Now use the VERIFY utility to "verify" the signed certificate.

   $ VERIFY "-CApath" sys$disk:[] "-CAfile" cacert.pem [.certs]signed_newreq.pem

   (The quotes keep DCL from upper-casing the option names. This time the CA certificate is named explicitly as the trust anchor, which is what makes the check meaningful: it proves that the new certificate chains to your CA, not merely that the file parses.)

10. If that went well and the VERIFY utility says that it's OK, then you have successfully signed the certificate request and you can send the [.CERTS]SIGNED_NEWREQ.PEM to the user.

------------------------------------------------------------------------
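The whole procedure of sections 3.1 to 3.5, added here as an example that is not part of the original page and is not SSLeay's own code, redone with the modern `openssl` command line (the direct descendant of the REQ, CA and VERIFY utilities) in a POSIX shell rather than DCL. The tree location (a temporary directory), the host name beavis.buttnet.net, the CA name "CA Authority" and the pass phrase are assumptions made for the demonstration. Beyond the page's steps it shows what VERIFY actually proves: the self-signed certificate is rejected without a trust anchor and accepted only against itself, and the CA-signed certificate is accepted against CACERT.PEM and rejected against anything else.

```shell
#!/bin/sh
# Added example, not from the original page or from SSLeay: the workflow of
# sections 3.1 to 3.5 (CA tree, self-signed cert, CA cert, request, signing,
# verify) redone with the modern `openssl` command line on a POSIX system.
# The tree location, host name, CA name and pass phrase are assumptions.
set -eu

# 3.1: CERTS/CRL/NEWCERTS/PRIVATE, empty index, serial "01", a seed file and
# a minimal config whose [CA_default] section points at the tree.
setup_ca_dir() {                           # $1 = top of the certificate tree
  mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private"
  chmod 700 "$1/private"                   # only the CA operator reads keys
  : > "$1/index.txt"                       # empty certificate database
  printf '01\n' > "$1/serial"              # first serial number to issue
  openssl rand -out "$1/private/randfile" 1024   # CSPRNG output, not a process list
  cat > "$1/openssl.cnf" <<EOF
RANDFILE                = $1/private/randfile
[ ca ]
default_ca              = CA_default
[ CA_default ]
dir                     = $1
new_certs_dir           = \$dir/newcerts
database                = \$dir/index.txt
serial                  = \$dir/serial
certificate             = \$dir/cacert.pem
private_key             = \$dir/private/cakey.pem
default_days            = 365
default_md              = sha256
policy                  = policy_anything
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ req ]
default_bits            = 2048
distinguished_name      = req_distinguished_name
[ req_distinguished_name ]
commonName              = Common Name (eg, YOUR name)
EOF
}

# 3.2: self-signed server certificate; -nodes leaves the key unencrypted and,
# as the page does for the OSU server, the key is appended to the cert file.
make_self_signed() {                       # $1 = tree, $2 = server host name
  openssl req -config "$1/openssl.cnf" -new -x509 -nodes -days 365 \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
    -keyout "$1/test_key.pem" -out "$1/test.pem" 2>/dev/null
  cat "$1/test_key.pem" >> "$1/test.pem"   # same effect as APPEND TEST_KEY.PEM TEST.PEM
}

# 3.4: CA certificate with a pass-phrase-protected key; CA:TRUE and
# keyCertSign are stated explicitly so any verifier accepts it as an issuer.
make_ca_cert() {                           # $1 = tree, $2 = CA name, $3 = pass phrase
  openssl req -config "$1/openssl.cnf" -new -x509 -days 365 -subj "/CN=$2" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" -passout "pass:$3" \
    -keyout "$1/private/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
}

# 3.3: certificate request plus its key (no -days: the CA sets the validity).
make_csr() {                               # $1 = tree, $2 = server host name
  openssl req -config "$1/openssl.cnf" -new -nodes -subj "/CN=$2" \
    -keyout "$1/newreq_key.pem" -out "$1/newreq.pem" 2>/dev/null
}

# 3.5: sign the request with the CA key; -batch stands in for the y/n prompts.
sign_csr() {                               # $1 = tree, $2 = CA pass phrase
  openssl ca -config "$1/openssl.cnf" -policy policy_anything -batch -notext \
    -passin "pass:$2" -in "$1/newreq.pem" \
    -out "$1/certs/signed_newreq.pem" 2>/dev/null
}

# What VERIFY proves: that a chain exists to the named trust anchor, no more.
verify_against() {                         # $1 = trust anchor file, $2 = certificate
  openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}
verify_unanchored() {                      # $1 = certificate, no trust anchor at all
  openssl verify -no-CAfile -no-CApath "$1" >/dev/null 2>&1
}
report() {                                 # $1 = label, rest = check to run
  label=$1; shift
  if "$@"; then echo "$label: OK"; else echo "$label: rejected"; fi
}

CA_TOP=$(mktemp -d)                        # scratch tree for the demonstration
setup_ca_dir "$CA_TOP"
make_self_signed "$CA_TOP" beavis.buttnet.net
make_ca_cert "$CA_TOP" "CA Authority" ca-pass-phrase
make_csr "$CA_TOP" beavis.buttnet.net
sign_csr "$CA_TOP" ca-pass-phrase
report "self-signed cert, no trust anchor      " verify_unanchored "$CA_TOP/test.pem"
report "self-signed cert, itself as anchor     " verify_against "$CA_TOP/test.pem" "$CA_TOP/test.pem"
report "CA-signed cert against cacert.pem      " verify_against "$CA_TOP/cacert.pem" "$CA_TOP/certs/signed_newreq.pem"
report "CA-signed cert against the wrong anchor" verify_against "$CA_TOP/test.pem" "$CA_TOP/certs/signed_newreq.pem"
```

Run it with sh (OpenSSL 1.1.1 or later, for -addext). The four report lines should read rejected, OK, OK, rejected; afterwards serial contains 02 and index.txt has one V (valid) entry, the bookkeeping the CA utility records on every signature. The CA key is written pass-phrase-protected, as in 3.4, while the two server keys are left in clear, as -nodes does in 3.2 and 3.3; on a real system those need the same protection as the PRIVATE directory. The scratch tree is left in place so the generated files can be inspected.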