Consultor Eletrônico



Kbase P90805: How to sign a Progress request .pk10 file using OpenSSL
Author   Progress Software Corporation - Progress
Access   Public
Published   06/10/2005
Status: Unverified

GOAL:

How to sign a Progress request .pk10 file using OpenSSL

GOAL:

How to create OpenSSL certificates to use with Progress secure clients?

FIX:

OpenSSL provides some scripts that make this process easier. Follow these steps:
1) Create a Local CA using OpenSSL
Change to your SSL installation directory, usually /usr/ssl. It contains a subdirectory called misc; change into it with cd misc and run the following script:
./CA.sh -newca
CA certificate filename (or enter to create) ( hit ENTER )

Making CA certificate ...
Generating a 1024 bit RSA private key
..............++++++
..........................................++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase: (type your rootCA pass phrase here)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Massachusetts
Locality Name (eg, city) []:Bedford
Organization Name (eg, company) [Internet Widgits Pty Ltd]:PSC
Organizational Unit Name (eg, section) []:Tech Support
Common Name (eg, YOUR name): Your common name
Email Address []:email@emailserver.com
2) Create a new certificate request
You can do this with the Progress tools in OE 10.0B or with the OpenSSL scripts.
With Progress:

pkiutil -newreq certreq
Using configuration from %DLC%/keys/policy/pscpki.cnf
Loading 'screen' into random state -Generating a 1024 bit RSA private key
............................................................+++++
...........................................+++++
writing new private key to '%DLC%/keys/requests/certreq.pk1'
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
-----
You will be prompted to enter information to incorporate
into the certificate request.
This information is called a Distinguished Name or a DN.
There are many fields however some can remain blank.
Some fields have default values.
Enter '.', to leave the field blank.
-----
Country Name (2 letter code) [US]:US
State or Province Name (full name) []:Massachusetts
Locality Name (eg, city) []:Bedford
Organization Name (eg, company) []:PSC
Organizational Unit Name (eg, section) []:TechSupport
Server DNS name []:localhost
You may now use the file %DLC%/keys/requests/certreq.pk10 to
request a new Digital Certificate from a CA Certificate
Authority.
After you obtain the new Digital Certificate from the CA
use the -import command to insert the certificate into
the keystore.
With OpenSSL:
./CA.sh -newreq
Generating a 1024 bit RSA private key
........++++++
.......................++++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase: (Type pass phrase for your certificate here)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Massachusetts
Locality Name (eg, city) []:Bedford
Organization Name (eg, company) [Internet Widgits Pty Ltd]:PSC
Organizational Unit Name (eg, section) []:TechSupport-Americas
Common Name (eg, YOUR name) []:servername
Email Address []:email@emailserver.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request (and private key) is in newreq.pem
Then run the following commands:

3) Sign the certificate request
./CA.sh -sign
Using configuration from /usr/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem: (Type the pass phrase for the rootCA )
Check that the request matches the signature
Signature ok
Certificate Details:
...
...
...
Details of the certificate
...
...
...
-----BEGIN CERTIFICATE-----
certificate goes here
-----END CERTIFICATE-----
This creates a newcert.pem file, which can be imported into the Progress cert store directory using the command mkhashfile newcert.pem.
A hash file will be created under %DLC%\certs and the certificate will be copied there.
Since in most cases you will need to extract the private key of the certificate, run this command to get it:
openssl rsa < newreq.pem > newkey.pem
Enter pass phrase: (type the pass phrase of your server certificate here)
writing RSA key
Once you complete these tasks, you will have a self-signed certificate that can be used with Progress for secure communications.
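
The three steps above can also be run with plain openssl commands instead of CA.sh. The following is an added example, not part of the original Kbase entry or of Progress's tooling: it builds a throwaway CA, signs a PKCS#10 request, then verifies the chain and that the certificate matches the private key. It assumes the .pk10 file is a PEM-encoded PKCS#10 request; certreq.pk10 here is generated by openssl as a stand-in, and the file names, subjects, 30-day lifetime and 2048-bit keys (rather than the 1024-bit keys shown in the transcripts) are choices made for the example.

```shell
# Added example (not from the Kbase entry): local CA -> sign PKCS#10 -> verify.
# File names, subjects, lifetimes and key size are assumptions for this demo.
sign_pk10_demo() {
    work=$(mktemp -d) || return 1
    status=0
    (
        cd "$work" || exit 1
        # Private config so the run does not depend on the system openssl.cnf.
        cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
commonName = Common Name
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
        # 1) Local root CA (the role of CA.sh -newca). The key is left
        #    unencrypted (-nodes) only because this CA is disposable.
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
            -config demo.cnf -subj "/C=US/O=PSC/CN=Demo Local CA" \
            -keyout cakey.pem -out cacert.pem 2>/dev/null || exit 1
        # 2) Stand-in for the request file: a server key plus its
        #    PKCS#10 request (constructed here, not produced by pkiutil).
        openssl req -new -newkey rsa:2048 -nodes -sha256 \
            -config demo.cnf -subj "/C=US/O=PSC/CN=localhost" \
            -keyout server.key -out certreq.pk10 2>/dev/null || exit 1
        # 3) Sign the request with the CA key (the role of CA.sh -sign).
        openssl x509 -req -in certreq.pk10 -CA cacert.pem -CAkey cakey.pem \
            -CAcreateserial -sha256 -days 30 -out newcert.pem || exit 1
        # 4) The new certificate must chain to the local CA.
        openssl verify -CAfile cacert.pem newcert.pem >/dev/null || exit 1
        # 5) The certificate's public key must match the server private key.
        cert_pub=$(openssl x509 -in newcert.pem -noout -pubkey) || exit 1
        key_pub=$(openssl pkey -in server.key -pubout 2>/dev/null) || exit 1
        [ "$cert_pub" = "$key_pub" ] || exit 1
        openssl x509 -in newcert.pem -noout -subject
    ) || status=$?
    rm -rf "$work"
    return "$status"
}

sign_pk10_demo
```

The function prints the subject of the signed certificate and returns non-zero if any check fails. The openssl rsa < newreq.pem > newkey.pem step above writes the private key without a pass phrase, so restrict the file permissions on newkey.pem.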