You have done the following:
Compiled OpenSSL for OpenVMS as outlined in Compiling OpenSSL for OpenVMS.
Installed the OpenSSL files as outlined in Installing OpenSSL for OpenVMS.
And executed the OPENSSL_STARTUP.COM file.
and now you want to generate SSL certificates.
Here's what you have to do.
Go to the directory where you told the OpenSSL INSTALL.COM script to put your OpenSSL files. The simplest way to do this is to go to the SSLROOT: directory which is the "root" directory of your installed OpenSSL kit.
$ SET DEFAULT SSLROOT:[000000]
Create the CRL and NEWCERTS directories.
$ CREATE/DIRECTORY [.CRL]
$ CREATE/DIRECTORY [.NEWCERTS]
Create a file in the [.PRIVATE] directory called RANDFILE.; that will contain a few hundred bytes of random data that will be used to prime the random number generators in the encryption libraries. The easiest way is to just do a SHOW SYSTEM/FULL into a file.
$ SHOW SYSTEM/FULL/OUTPUT=SSLROOT:[PRIVATE]RANDFILE.;
Define the logical RANDFILE to point to where the RANDFILE.; file is kept.
$ DEFINE/SYSTEM/EXEC RANDFILE SSLROOT:[PRIVATE]RANDFILE.;
Create the file INDEX.TXT with nothing in it and place it in the SSLROOT:[000000] directory.
Create the file SERIAL.; with just "01" in it and place it in the SSLROOT:[000000] directory.
Edit the OPENSSL.CNF file and modify the line.
dir = sys\$disk:[.demoCA #Where everything is kept
to point to the SSLROOT:[000000] directory tree, like this.
dir = SSLROOT:[000000 #Where everything is kept
Also modify the line for RANDFILE.;
RANDFILE = $dir.private].rand # private random number file
to look like...
RANDFILE = $dir.private]RANDFILE.; # private random number file
and just completely remove the line.
RANDFILE = $ENV::HOME/.rnd
at the top of the file.
Now, depending on what you want, you have the following options. If you want a user certificate for just a server, find the following lines...
# This is OK for an SSL server.
# nsCertType = server
and modify it to look like....
# This is OK for an SSL server.
nsCertType = server
If you want a user certificate for "everything", don't do the above and find the lines....
# and for everything including object signing:
# nsCertType = client, email, objsign
and modify these lines instead to look like...
# and for everything including object signing:
nsCertType = client, email, objsign, server
Now, for a CA certificate, find the following lines...
# Some might want this also
# nsCertType = sslCA, emailCA
and modify them to look like...
# Some might want this also
nsCertType = sslCA, emailCA, server
You might also want to look through this file to customize other settings like the default_bits for key generation.
You have done the following:
Compiled OpenSSL for OpenVMS as outlined in Compiling OpenSSL for OpenVMS.
Installed the OpenSSL files as outlined in Installing OpenSSL for OpenVMS.
Configured the necessary files as outlined in Configuring files for generating your own SSL certificates.
And executed the OPENSSL_STARTUP.COM file.
and you want to generate your own self-signed SSL certificate.
Here are the steps.
Execute the SSLROOT:[VMS]OPENSSL_UTILS.COM file to define the symbol for the OPENSSL utility.
$ @SSLROOT:[VMS]OPENSSL_UTILS.COM
Go to your SSLROOT:[000000] directory.
$ SET DEFAULT SSLROOT:[000000]
Now, generate a certificate request using the OPENSSL utility.
$ OPENSSL
OpenSSL> req -config openssl.cnf -nodes -new -days 365 -x509 -keyout test_key.pem -out test.pem
Here's a description of what the parameters mean.
-config  Which configuration file to use.
-nodes   Don't DES-encrypt the output key. (This is only necessary if the certificate is going to be used with the OpenVMS OSU HTTPD server or an application that doesn't allow key passwords to be specified. The key file is then stored in the clear, so protect it with file permissions.)
-new     This is a new certificate request.
-days    The number of days the X.509 certificate is good for.
-x509    Output an X.509 certificate instead of a regular certificate request.
-keyout  File to output the key to.
-out     File to output the certificate to.
The program will ask you some questions; just answer them. You have to make sure that when the OPENSSL program asks you
Common Name (eg, YOUR name) []:
and you intend to use this on a WEB server, you enter the server's host name. So if the server will be referenced in DNS tables as "www.buttnet.net", enter that here. This also applies to CNAME DNS entries referencing your WWW server. If the "official" DNS host name of your server is "beavis.buttnet.net" and you have a CNAME DNS entry of "www.buttnet.net" and you are going to use "www.buttnet.net" for your server, you need to enter "www.buttnet.net" here.
If that went well, exit the OPENSSL program. You should have two files, the key file and the certificate file. You now need to append the key file (the one you generated when you created the certificate) to the end of the certificate file.
$ APPEND TEST_KEY.PEM TEST.PEM
Now use OPENSSL to "verify" the certificate.
$ OPENSSL
OpenSSL> verify test.pem
If that went well and the OPENSSL utility says that it's O.K., then you have a working self-signed certificate.
You have done the following:
Compiled OpenSSL for OpenVMS as outlined in Compiling OpenSSL for OpenVMS.
Installed the OpenSSL files as outlined in Installing OpenSSL for OpenVMS.
Configured the necessary files as outlined in Configuring files for generating your own SSL certificates.
And executed the OPENSSL_STARTUP.COM file.
and you want to generate a SSL certificate request to send to a CA.
Here are the steps.
Execute the SSLROOT:[VMS]OPENSSL_UTILS.COM file to define the symbol for the OPENSSL utility.
$ @SSLROOT:[VMS]OPENSSL_UTILS.COM
Go to your SSLROOT:[000000] directory.
$ SET DEFAULT SSLROOT:[000000]
Now, generate a certificate request using the OPENSSL utility.
$ OPENSSL
OpenSSL> req -config openssl.cnf -nodes -new -days 365 -keyout newreq_key.pem -out newreq.pem
Here's a description of what the parameters mean.
-config  Which configuration file to use.
-nodes   Don't DES-encrypt the output key. (This is only necessary if the certificate is going to be used with the OpenVMS OSU HTTPD server or an application that doesn't allow key passwords to be specified. The key file is then stored in the clear, so protect it with file permissions.)
-new     This is a new certificate request.
-days    The number of days the X.509 certificate is good for.
-keyout  File to output the key to.
-out     File to output the certificate request to.
The program will ask you some questions; just answer them. You have to make sure that when the OPENSSL program asks you
Common Name (eg, YOUR name) []:
and you intend to use this on a WEB server, you enter the server's host name. So if the server will be referenced in DNS tables as "www.buttnet.net", enter that here. This also applies to CNAME DNS entries referencing your WWW server. If the "official" DNS host name of your server is "beavis.buttnet.net" and you have a CNAME DNS entry of "www.buttnet.net" and you are going to use "www.buttnet.net" for your server, you need to enter "www.buttnet.net" here.
Now, having said that, some CAs may have you use your real DNS host name here. If in doubt, check with the CA as to what they expect you to enter here.
You will also see where it will ask you to enter "extra" attributes. Unless the CA you are sending the request to tells you to, just leave these blank and just press
If that went well, exit the OPENSSL program. You should have two files, the key file and the certificate request file.
Send the certificate request file to the CA and hold the key file in a safe place.
When you get your signed certificate back from the CA, you will have to append your key (the one you generated with the certificate request) to the end of the signed certificate.
$ APPEND NEWREQ_KEY.PEM <certificate the CA signed>
You have done the following:
Compiled OpenSSL for OpenVMS as outlined in Compiling OpenSSL for OpenVMS.
Installed the OpenSSL files as outlined in Installing OpenSSL for OpenVMS.
Configured the necessary files as outlined in Configuring files for generating your own SSL certificates.
And executed the OPENSSL_STARTUP.COM file.
and you want to generate your very own CA certificate to sign certificate requests.
Here are the steps.
Execute the SSLROOT:[VMS]OPENSSL_UTILS.COM file to define the symbol for the OPENSSL utility.
$ @SSLROOT:[VMS]OPENSSL_UTILS.COM
Go to your SSLROOT:[000000] directory.
$ SET DEFAULT SSLROOT:[000000]
Now, generate a certificate request using the OPENSSL utility.
$ OPENSSL
OpenSSL> req -config openssl.cnf -new -x509 -days 1825 -keyout [.private]cakey.pem -out cacert.pem
Here's a description of what the parameters mean.
-config  Which configuration file to use.
-new     This is a new certificate request.
-x509    Output an X.509 certificate instead of a regular certificate request.
-days    The number of days the generated X.509 certificate is good for.
-keyout  File to output the key to.
-out     File to output the certificate to.
You will notice that the number of days the CA certificate is good for as set by the "-days" qualifier is pretty large (five years in fact). This is because some browsers complain if the CA certificate is not valid for a period longer than the certificate request you are signing. So if you generate a CA certificate good only for a year and you are signing a certificate request also good for one year, some browsers will complain. So it's good to have a CA certificate with a long lifetime to keep browsers happy.
The OPENSSL program will ask you to enter a PEM password. This is to encrypt the CA key so that only YOU or someone that knows the password can sign certificates. SO KEEP YOUR PASSWORD SAFE!
The program will ask you some questions; just answer them. You have to make sure that when the OPENSSL program asks you
Common Name (eg, YOUR name) []:
you use YOUR name or something like "CA Authority" and NOT your SERVER name like "beavis.buttnet.net".
If all went well, you should have the file CACERT.PEM in your SSLROOT:[000000] directory and the CAKEY.PEM file in the SSLROOT:[PRIVATE] or SSLPRIVATE: directory.
You might want to protect the SSLROOT:[PRIVATE] directory to prevent others from accessing your CA key.
Now use the OPENSSL utility to "verify" the certificate.
$ OPENSSL
OpenSSL> verify cacert.pem
If that went well and the OPENSSL utility says that it's O.K., then you have a CA certificate.
Now, if you plan to sign certificates with your new CA certificate, you need to make your CA certificate available to the public. So first, you need to convert your PEM formatted certificate into DER format using the following.
$ OPENSSL
OpenSSL> x509 -inform pem -in yourcacert.pem -outform der -out yourcacert.der
Check the suffixes table or "mime type" table for your WEB server and look for the following definition.
application/x-x509-ca-cert pem BINARY 1.0
If the definition is not there, put it there and restart your WEB server.
Place your CA certificate in a directory where people can access it and make a link to it in a WEB page so people can find it.
If all went well, when you click on the link for your CA certificate your browser should ask you if you want to load and save it and go through the process of installing it.
Some browsers (i.e. Microsoft Internet Explorer) might want to save the certificate to the hard disk instead of installing it. When it asks you what you want to do, select "Open this file from its current location" and Internet Explorer will install it into the certificate database.
You have done the following:
Compiled OpenSSL for OpenVMS as outlined in Compiling OpenSSL for OpenVMS.
Installed the OpenSSL files as outlined in Installing OpenSSL for OpenVMS.
Configured the necessary files as outlined in Configuring files for generating your own SSL certificates.
Generated a CA certificate as outlined in Creating your own CA certificate.
And executed the OPENSSL_STARTUP.COM file.
and you want to sign certificate requests.
Here are the steps.
Execute the SSLROOT:[VMS]OPENSSL_UTILS.COM file to define the symbol for the OPENSSL utility.
$ @SSLROOT:[VMS]OPENSSL_UTILS.COM
Take the certificate request file (we'll assume it is called NEWREQ.PEM for this example) and put it in your SSLROOT:[000000] directory.
Go to your SSLROOT:[000000] directory.
$ SET DEFAULT SSLROOT:[000000]
Execute the OPENSSL program with the following options to sign the certificate request.
$ OPENSSL
OpenSSL> ca -config openssl.cnf -policy policy_anything -out sslcerts:signed_newreq.pem -infiles newreq.pem
Here's a description of what the parameters mean.
-config   Which configuration file to use.
-policy   Which "policy" in the configuration file to use.
-out      File to output the signed certificate to.
-infiles  The file containing the certificate request we are going to sign.
The OPENSSL program will ask you to enter the PEM password. This is the password you entered when you created the CA key to encode it so that only you can access it.
You will then be shown the information about the certificate. If it looks good to you (and you know the source, etc.) then you will be asked if you want to sign the certificate.
The program will then tell you that the certificate request was certified and if you want to commit it.
If that went well, the signed certificate file SIGNED_NEWREQ.PEM should be placed in the SSLCERTS: or SSLROOT:[CERTS] directory.
Now use the OPENSSL utility to "verify" the signed certificate.
$ OPENSSL
OpenSSL> verify "-CApath" sslroot:[000000] "-CAfile" cacert.pem SSLCERTS:signed_newreq.pem
If that went well and the OPENSSL utility says that it's O.K., then you have successfully signed the certificate request and you can send the SSLCERTS:SIGNED_NEWREQ.PEM to the user.
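As an added example (not part of these notes), the script below applies two of the rules stated above after the fact: the Common Name check from the self-signed and certificate-request sections, and the rule from the CA section that a CA certificate's lifetime must enclose that of the certificates it signs. It assumes the input is the text that `OPENSSL x509 -noout -subject -dates -in <file>` prints; the sample output embedded in it is constructed.

```python
"""Added example (not from the original notes): checks the rules the notes
state, using the text `OPENSSL x509 -noout -subject -dates -in <file>` prints.
Rule 1: a server certificate's Common Name is the DNS name clients use.
Rule 2: a CA certificate's validity window encloses that of what it signs."""
from datetime import datetime

# Constructed sample output; old OpenSSL prints subjects as "/C=US/CN=x",
# newer as "C = US, CN = x", and common_name() below accepts both.
CA_INFO = """subject= /O=Buttnet/CN=Buttnet CA Authority
notBefore=Jan  1 00:00:00 1999 GMT
notAfter=Dec 31 23:59:59 2003 GMT"""
SERVER_INFO = """subject= /C=US/O=Buttnet/CN=www.buttnet.net
notBefore=Mar  1 12:00:00 1999 GMT
notAfter=Mar  1 12:00:00 2000 GMT"""


def parse_x509_text(text):
    """Map each `key=value` line of the openssl output to a dict entry."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            info[key.strip()] = value.strip()
    return info


def common_name(subject):
    """Extract the CN from either subject form."""
    sep = "/" if subject.startswith("/") else ","
    for rdn in subject.strip("/ ").split(sep):
        key, _, value = rdn.partition("=")
        if key.strip() == "CN":
            return value.strip()
    return None


def parse_openssl_date(value):
    """Parse 'Jan  1 00:00:00 1999 GMT'; the trailing zone name is dropped."""
    return datetime.strptime(value.rsplit(" ", 1)[0], "%b %d %H:%M:%S %Y")


def check_server_cert(cert_text, expected_host):
    """Rule 1: return a list of problems, empty when the CN matches the host."""
    cn = common_name(parse_x509_text(cert_text)["subject"])
    return [] if cn == expected_host else [f"CN {cn!r} is not {expected_host!r}"]


def check_ca_covers(ca_text, leaf_text):
    """Rule 2: return problems when the CA window does not enclose the leaf's."""
    ca, leaf = parse_x509_text(ca_text), parse_x509_text(leaf_text)
    problems = []
    if parse_openssl_date(leaf["notBefore"]) < parse_openssl_date(ca["notBefore"]):
        problems.append("certificate becomes valid before its CA does")
    if parse_openssl_date(leaf["notAfter"]) > parse_openssl_date(ca["notAfter"]):
        problems.append("certificate outlives its CA certificate")
    return problems
```

Run it against the real output of `x509 -noout -subject -dates` for CACERT.PEM and a certificate you signed; an empty list from both checks means the notes' rules hold.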