  ------------------------------------------------------------------------

3.1 Configuring files for generating your own SSL certificates.

You have done the following:

   * Compiled OpenSSL for OpenVMS as outlined in Compiling OpenSSL for
     OpenVMS

   * Installed the OpenSSL files as outlined in Installing OpenSSL for
     OpenVMS

   * And executed the OPENSSL_STARTUP.COM file.

and now you want to generate SSL certificates.

Here's what you have to do.

  1. Go to the directory where you told the OpenSSL INSTALL.COM script to
     put your OpenSSL files. The simplest way to do this is to go to the
     SSLROOT: directory which is the "root" directory of your installed
     OpenSSL kit.

             $ SET DEFAULT SSLROOT:[000000]


  2. Create the CRL and NEWCERTS directories.

             $ CREATE/DIRECTORY [.CRL]
             $ CREATE/DIRECTORY [.NEWCERTS]


  3. Create a file in the [.PRIVATE] directory called RANDFILE.; that will
     contain a few hundred bytes of random data that will be used to prime
     the random number generators in the encryption libraries. The easiest
     way is to just do a SHOW SYSTEM/FULL into a file. (A process listing is
     only mildly unpredictable, so treat it as a seed that gets the kit
     running rather than as a source of strong randomness.)

             $ SHOW SYSTEM/FULL/OUTPUT=SSLROOT:[PRIVATE]RANDFILE.;


  4. Define the logical RANDFILE to point to where the RANDFILE.; file is
     kept.

             $ DEFINE/SYSTEM/EXEC RANDFILE SSLROOT:[PRIVATE]RANDFILE.;


  5. Create the file INDEX.TXT with nothing in it and place it in the
     SSLROOT:[000000] directory.

  6. Create the file SERIAL.; with just "01" in it and place it in the
     SSLROOT:[000000] directory.

  7. Edit the OPENSSL.CNF file and modify the line.

             dir     = sys\$disk:[.demoCA    #Where everything is kept


     to point to SSLROOT:[000000] directory tree like this.

             dir     = SSLROOT:[000000       #Where everything is kept


     Also modify the line for the RANDFILE.;.

             RANDFILE = $dir.private].rand   # private random number file


     to look like...

             RANDFILE = $dir.private]RANDFILE.;      # private random number file


     and just completely remove the line.

             RANDFILE        = $ENV::HOME/.rnd


     at the top of the file.

     You will also have to find the following lines...

             # This is OK for an SSL server.
             # nsCertType                    = server


     and modify them to look like....

             # This is OK for an SSL server.
             nsCertType                      = server


     and also the following lines...

             # Some might want this also
             # nsCertType = sslCA, emailCA


     to look like...

             # Some might want this also
             nsCertType = server


  8. You might also want to look through this file to customize other
     settings like the default_bits for key generation.

  ------------------------------------------------------------------------

3.2 Creating your own self-signed SSL certificate.

You have done the following:

   * Compiled OpenSSL for OpenVMS as outlined in Compiling OpenSSL for
     OpenVMS

   * Installed the OpenSSL files as outlined in Installing OpenSSL for
     OpenVMS

   * Configured the necessary files as outlined in Configuring files for
     generating your own SSL certificates.

   * And executed the OPENSSL_STARTUP.COM file.

and you want to generate your own self-signed SSL certificate.

Here are the steps.

  1. Execute the SSLROOT:[VMS]OPENSSL_UTILS.COM file to define the symbol
     for the OPENSSL utility.

             $ @SSLROOT:[VMS]OPENSSL_UTILS.COM


  2. Go to your SSLROOT:[000000] directory.

             $ SET DEFAULT SSLROOT:[000000]


  3. Now, generate a certificate request using the OPENSSL utility.

          $ OPENSSL
          OpenSSL> req -config openssl.cnf -nodes -new -days 365 -x509
                -keyout test_key.pem -out test.pem


     Here's a description of what the parameters mean.

             -config                 Which configuration file to use.

             -nodes                  Don't DES encode the output key.
                                     (This is only necessary if the certificate
                                      is going to be used with the OpenVMS OSU
                                      HTTPD server or an application that doesn't
                                      allow key passwords to be specified.)

             -new                    This is a new certificate request.

             -days                   The number of days the x509 certificate
                                     is good for.

             -x509                   Output an X509 certificate instead of a
                                     regular certificate request.

             -keyout                 File to output the key to.

             -out                    File to output the certificate to.


  4. The program will ask you some questions; just answer them. Make sure
     that when the OPENSSL program asks you

             Common Name (eg, YOUR name) []:


     you enter the Internet host name that the server resolves to, if you
     intend to use this certificate on a web server. So if your server
     resolves to "beavis.buttnet.net", enter that here.

  5. If that went well exit the OPENSSL program. You should have two files,
     the key file and the certificate file. You now need to append the key
     file (the one you generated when you created the certificate) to the
     end of the certificate file.

             $ APPEND TEST_KEY.PEM TEST.PEM


  6. Now use OPENSSL to "verify" the certificate.

             $ OPENSSL
             OpenSSL> verify test.pem


  7. If that went well and the OPENSSL utility says that it's O.K., then you
     have a working self-signed certificate.

  ------------------------------------------------------------------------

3.3 Creating SSL certificate request to send to a CA.

You have done the following:

   * Compiled OpenSSL for OpenVMS as outlined in Compiling OpenSSL for
     OpenVMS

   * Installed the OpenSSL files as outlined in Installing OpenSSL for
     OpenVMS

   * Configured the necessary files as outlined in Configuring files for
     generating your own SSL certificates.

   * And executed the OPENSSL_STARTUP.COM file.

and you want to generate a SSL certificate request to send to a CA.

Here are the steps.

  1. Execute the SSLROOT:[VMS]OPENSSL_UTILS.COM file to define the symbol
     for the OPENSSL utility.

             $ @SSLROOT:[VMS]OPENSSL_UTILS.COM


  2. Go to your SSLROOT:[000000] directory.

             $ SET DEFAULT SSLROOT:[000000]


  3. Now, generate a certificate request using the OPENSSL utility.

          $ OPENSSL
          OpenSSL> req -config openssl.cnf -nodes -new -days 365 -keyout
                   newreq_key.pem -out newreq.pem


     Here's a description of what the parameters mean.

             -config                 Which configuration file to use.

             -nodes                  Don't DES encode the output key.
                                     (This is only necessary if the certificate
                                      is going to be used with the OpenVMS OSU
                                      HTTPD server or an application that doesn't
                                      allow key passwords to be specified.)

             -new                    This is a new certificate request.

             -days                   The number of days the x509 certificate
                                     is good for.

             -keyout                 File to output the key to.

             -out                    File to output the certificate request to.


  4. The program will ask you some questions; just answer them. Make sure
     that when the OPENSSL program asks you

             Common Name (eg, YOUR name) []:


     you enter the Internet host name that the server resolves to, if you
     intend to use this certificate on a web server. So if your server
     resolves to "beavis.buttnet.net", enter that here.

     You will also see where it will ask you to enter "extra" attributes.
     Unless the CA you are sending the request to tells you to, just leave
     these blank and press Return through them.

  5. If that went well exit the OPENSSL program. You should have two files,
     the key file and the certificate request file.

  6. Send the certificate request file to the CA and keep the key file in
     a safe place.

  7. When you get your signed certificate back from the CA, you will have
     to append your key (the one you generated with the certificate
     request) to the end of the signed certificate. For example, if the CA
     returned the signed certificate as SIGNED_CERT.PEM (use whatever name
     your CA's file actually has):

             $ APPEND NEWREQ_KEY.PEM SIGNED_CERT.PEM


  ------------------------------------------------------------------------

3.4 Creating your own CA certificate.

You have done the following:

   * Compiled OpenSSL for OpenVMS as outlined in Compiling OpenSSL for
     OpenVMS

   * Installed the OpenSSL files as outlined in Installing OpenSSL for
     OpenVMS

   * Configured the necessary files as outlined in Configuring files for
     generating your own SSL certificates.

   * And executed the OPENSSL_STARTUP.COM file.

and you want to generate your very own CA certificate to sign certificate
requests.

Here are the steps.

  1. Execute the SSLROOT:[VMS]OPENSSL_UTILS.COM file to define the symbol
     for the OPENSSL utility.

             $ @SSLROOT:[VMS]OPENSSL_UTILS.COM


  2. Go to your SSLROOT:[000000] directory.

             $ SET DEFAULT SSLROOT:[000000]


  3. Now, generate a certificate request using the OPENSSL utility.

          $ OPENSSL
          OpenSSL> req -config openssl.cnf -new -x509 -days 365
                   -keyout [.private]cakey.pem -out cacert.pem


     Here's a description of what the parameters mean.

             -config                 Which configuration file to use.

             -new                    This is a new certificate request.

             -x509                   Output an X509 certificate instead of a
                                     regular certificate request.

             -days                   The number of days the generated x509
                                     certificate is good for.

             -keyout                 File to output the key to.

             -out                    File to output the certificate to.


  4. The OPENSSL program will ask you to enter a PEM password. This is to
     encrypt the CA key so that only YOU or someone that knows the password
     can sign certificates. SO KEEP YOUR PASSWORD SAFE!

  5. The program will ask you some questions and just answer them. You have
     to make sure that when the OPENSSL program asks you.

             Common Name (eg, YOUR name) []:


     that you use YOUR name or something like "CA Authority" and NOT your
     SERVER name like "beavis.buttnet.net".

  6. If all went well, you should have the file CACERT.PEM in your
     SSLROOT:[000000] directory and the CAKEY.PEM file in the
     SSLROOT:[PRIVATE] or SSLPRIVATE: directory.

     You might want to protect the SSLROOT:[PRIVATE] directory to prevent
     others from accessing your CA key.

  7. Now use the OPENSSL utility to "verify" the certificate.

             $ OPENSSL
             OpenSSL> verify cacert.pem


  8. If that went well and the OPENSSL utility says that it's O.K., then you
     have a CA certificate.

  9. Now, if you plan to sign certificates with your new CA certificate,
     you need to make your CA certificate available to the public. So
     first, you need to convert your PEM formatted certificate into DER
     format using the following.

             $ OPENSSL
             OpenSSL> x509 -inform pem -in cacert.pem
                      -outform der -out cacert.der


 10. Check the suffixes table or "mime type" table for your WEB server and
     look for the following definition.

             application/x-x509-ca-cert der BINARY 1.0


     If the definition is not there, put it there and restart your WEB
     server.

 11. Place your DER formatted CA certificate in a directory where people
     can access it and make a link to it in a WEB page so people can find
     it.

 12. If all went well, when you click on the link for your DER CA
     certificate your browser should ask you if you want to load and save
     it and go through the process of installing it.
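Sections 3.2 and 3.3 append the private key to the certificate file, and step 9 above converts the CA certificate from PEM to DER. The Python script below is an added example, not code from the OpenSSL kit, that does both by hand: it splits a PEM file into its blocks, checks that an appended server file holds exactly one certificate and exactly one private key, and strips the PEM envelope to recover the DER bytes (which is all that x509 -inform pem -outform der does, and why the web server's suffix table has to mark the .der file as BINARY). TOY_CERT_DER and TOY_KEY_DER are constructed ASN.1 SEQUENCEs standing in for a real certificate and key so the script runs without any key material.

```python
"""PEM/DER helpers for the combined key+certificate files of sections 3.2 and
3.3 ($ APPEND TEST_KEY.PEM TEST.PEM) and the PEM-to-DER export of section 3.4.

Added example, not part of the OpenSSL-for-OpenVMS kit.  The two DER objects
below are constructed stand-ins, not a real certificate or key.
"""
import base64
import re

# Constructed: SEQUENCE { INTEGER 1, INTEGER 2 } and SEQUENCE { INTEGER 10 }.
TOY_CERT_DER = bytes.fromhex("3006020101020102")
TOY_KEY_DER = bytes.fromhex("300302010a")

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, der_bytes), ...] for every PEM block in the text."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_BLOCK.finditer(text)]


def der_to_pem(label, der):
    """Wrap DER bytes in a PEM envelope with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


def pem_to_der(text):
    """The conversion 'x509 -inform pem -outform der' performs: the DER bytes
    of the first CERTIFICATE block (base64 decoded, envelope removed)."""
    for label, der in pem_blocks(text):
        if label == "CERTIFICATE":
            return der
    raise ValueError("no CERTIFICATE block in input")


def der_outer_tlv(der):
    """Decode the outermost ASN.1 tag and length (short and long form) and
    report whether they account for the whole buffer.  A DER certificate is
    one SEQUENCE (tag 0x30) spanning the entire file; a truncated download
    shows up here as a length that overruns the data."""
    tag, first = der[0], der[1]
    if first < 0x80:
        length, header = first, 2
    else:
        n = first & 0x7F
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return tag, length, header + length == len(der)


def check_combined_file(text):
    """After APPEND the server file must hold exactly one certificate and one
    private key; any other count means the append went wrong."""
    labels = [label for label, _ in pem_blocks(text)]
    certs = labels.count("CERTIFICATE")
    keys = sum(1 for label in labels if label.endswith("PRIVATE KEY"))
    problems = []
    if certs != 1:
        problems.append("expected 1 CERTIFICATE block, found %d" % certs)
    if keys != 1:
        problems.append("expected 1 PRIVATE KEY block, found %d" % keys)
    return problems


if __name__ == "__main__":
    combined = (der_to_pem("CERTIFICATE", TOY_CERT_DER)
                + der_to_pem("RSA PRIVATE KEY", TOY_KEY_DER))
    print(combined)
    print("problems:", check_combined_file(combined))
    der = pem_to_der(combined)
    print("DER:", der.hex(), der_outer_tlv(der))
```

To check a real file, read TEST.PEM (or the signed certificate with the key appended) and pass its text to check_combined_file; pem_to_der on CACERT.PEM gives the same bytes the x509 command writes to the .der file.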

  ------------------------------------------------------------------------

3.5 Signing SSL certificate requests with your CA certificate.

You have done the following:

   * Compiled OpenSSL for OpenVMS as outlined in Compiling OpenSSL for
     OpenVMS

   * Installed the OpenSSL files as outlined in Installing OpenSSL for
     OpenVMS

   * Configured the necessary files as outlined in Configuring files for
     generating your own SSL certificates.

   * Generated a CA certificate as outlined in Creating your own CA
     certificate

   * And executed the OPENSSL_STARTUP.COM file.

and you want to sign certificate requests.

Here are the steps.

  1. Execute the SSLROOT:[VMS]OPENSSL_UTILS.COM file to define the symbol
     for the OPENSSL utility.

             $ @SSLROOT:[VMS]OPENSSL_UTILS.COM


  2. Take the certificate request file (we'll assume it is called
     NEWREQ.PEM for this example) and put it in your SSLROOT:[000000]
     directory.

  3. Go to your SSLROOT:[000000] directory.

             $ SET DEFAULT SSLROOT:[000000]


  4. Execute the OPENSSL program with the following options to sign the
     certificate request.

             $ OPENSSL
             OpenSSL> ca -config openssl.cnf -policy policy_anything
                      -out sslcerts:signed_newreq.pem -infiles newreq.pem


     Here's a description of what the parameters mean.

             -config                 Which configuration file to use.

             -policy                 Which "policy" in the configuration
                                     file to use.

             -out                    File to output the signed certificate
                                     to.

             -infiles                The file containing the certificate
                                     request we are going to sign.


  5. The OPENSSL program will ask you to enter the PEM password. This is
     the password you entered when you created the CA key to encode it so
     that only you can access it.

  6. You will then be shown the information about the certificate. If it
     looks good to you (and you know the source, etc.) then you will be
     asked if you want to sign the certificate.

  7. The program will then tell you that the certificate request was
     certified and if you want to commit it.

  8. If that went well, the signed certificate file SIGNED_NEWREQ.PEM
     should be placed in the SSLCERTS: or SSLROOT:[CERTS] directory.

  9. Now use the OPENSSL utility to "verify" the signed certificate.

             $ OPENSSL
             OpenSSL> verify "-CApath" sslroot:[000000]
                             "-CAfile" cacert.pem SSLCERTS:signed_newreq.pem


 10. If that went well and the OPENSSL utility says that it's O.K., then you
     have successfully signed the certificate request and you can send the
     SSLCERTS:SIGNED_NEWREQ.PEM to the user.
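The ca command records every certificate it issues in the INDEX.TXT database and takes the serial number for the next certificate from SERIAL (the two files created in steps 5 and 6 of section 3.1). The Python script below is an added example, not part of the OpenSSL kit; it parses the tab-separated index layout OpenSSL writes (status V/R/E, expiry date, revocation date or blank, serial in hex, file name, subject DN), computes the serial OpenSSL writes back after an issue, and flags the conditions that make a signing run fail: a serial that has already been used, a serial with an odd number of hex digits, or a second valid certificate for a subject already in the database (refused while unique_subject is yes, the default). SAMPLE_INDEX and SAMPLE_SERIAL are constructed data.

```python
"""Inspect the CA database ('openssl ca' keeps it in INDEX.TXT and SERIAL).

Added example, not part of the OpenSSL-for-OpenVMS kit.  SAMPLE_INDEX and
SAMPLE_SERIAL are constructed; the field layout is the one OpenSSL's ca
command writes.
"""

SAMPLE_INDEX = (
    "V\t260101120000Z\t\t01\tunknown\t/C=US/O=Buttnet/CN=beavis.buttnet.net\n"
    "R\t260101120000Z\t250301000000Z\t02\tunknown\t/C=US/O=Buttnet/CN=old.buttnet.net\n"
)
SAMPLE_SERIAL = "03\n"

FIELDS = ("status", "expires", "revoked", "serial", "filename", "subject")


def parse_index(text):
    """Return one dict per database entry, in file order."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue  # the empty INDEX.TXT from section 3.1 has no entries yet
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            raise ValueError("malformed index line: %r" % line)
        entries.append(dict(zip(FIELDS, parts)))
    return entries


def serial_after_issue(serial_text):
    """Value ca writes back to SERIAL after issuing the serial it contains:
    the number plus one, in upper-case hex, padded to an even digit count."""
    digits = "%X" % (int(serial_text.strip(), 16) + 1)
    if len(digits) % 2:
        digits = "0" + digits
    return digits


def check_ca_database(index_text, serial_text):
    """Sanity checks to run before 'ca' signs a request; returns problems."""
    problems = []
    s = serial_text.strip()
    try:
        pending = int(s, 16)
    except ValueError:
        return ["SERIAL is not a hexadecimal number: %r" % s]
    if len(s) % 2:
        problems.append("SERIAL must have an even number of hex digits: %r" % s)
    entries = parse_index(index_text)
    issued = [int(e["serial"], 16) for e in entries]
    if issued and pending <= max(issued):
        problems.append("SERIAL %s has already been issued" % s)
    # With unique_subject = yes (the default) ca refuses a second valid
    # certificate for a subject, so flag duplicates among the V entries.
    seen = set()
    for e in entries:
        if e["status"] == "V":
            if e["subject"] in seen:
                problems.append("duplicate valid subject %s" % e["subject"])
            seen.add(e["subject"])
    return problems


if __name__ == "__main__":
    for entry in parse_index(SAMPLE_INDEX):
        print(entry["status"], entry["serial"], entry["subject"])
    print("next serial written back:", serial_after_issue(SAMPLE_SERIAL))
    print("problems:", check_ca_database(SAMPLE_INDEX, SAMPLE_SERIAL))
```

Run it against SSLROOT:[000000]INDEX.TXT and SERIAL.; before step 4 to see which certificates the CA has already issued or revoked and whether the next signing run will be accepted.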

  ------------------------------------------------------------------------