Consultor Eletrônico



Kbase P150008: How to implement self signed SSL certificate between WebSpeed messenger or 4GL/ABL client and the WebSpeed/AppServer broker using OpenSSL
Author   Progress Software Corporation - Progress
Access   Public
Published   16/03/2011
Status: Verified

GOAL:

How to implement self signed SSL certificate between WebSpeed messenger or 4GL/ABL client and the WebSpeed/AppServer broker using OpenSSL

GOAL:

How to implement self signed SSL certificate between WebSpeed messenger and the WebSpeed broker using OpenSSL

GOAL:

How to implement self signed SSL certificate between ABL client and the AppServer broker using OpenSSL

GOAL:

How to implement self signed SSL certificate between 4GL client and the AppServer broker using OpenSSL

GOAL:

How to implement self signed SSL certificate between remote WebSpeed messenger and the WebSpeed broker using OpenSSL

GOAL:

How to sign your own certificate using OpenSSL

GOAL:

How to implement root CA using OpenSSL

FACT(s) (Environment):

All Supported Operating Systems
OpenEdge 10.x
WebSpeed

FIX:

The following steps are demonstrated on the Windows operating system with OE10.2A and show how to create and sign a certificate with OpenSSL:
1. Download the OpenSSL tools from http://www.shininglightpro.com/products/Win32OpenSSL.html .
The Visual C++ 2008 Redistributables may also be required; they can be downloaded from the same site and must be installed before OpenSSL Light is installed.
The required version of the Visual C++ Redistributables depends on the OpenSSL version.

2. After OpenSSL is installed, add the OpenSSL installation "directory\bin" to the Windows system PATH environment variable. By default OpenSSL installs to C:\OpenSSL, so the following would need to be added to the system path:

C:\OpenSSL\bin
3. Start a DOS prompt (Start > Run > cmd and press Enter)
4. At the C:\> prompt use the following commands to create all the folders and required files. The demoCA folder, its newcerts subfolder, the serial file (starting at 01) and the empty index.txt database are the layout that the openssl ca command expects by default: openssl ca will not run without them, and it uses them to number and record every certificate it signs:

o md myssl
o cd myssl
o md keys
o md requests
o md certs
o md demoCA
o cd demoCA
o md newcerts
o copy con serial
01
^Z (Ctrl + Z), then press Enter
o copy con index.txt
^Z (Ctrl + Z), then press Enter
o cd ..

At this point the current working directory should be C:\myssl

5. Set up a Certificate Authority (CA):
5a. Create a private key to use when creating the CA by running the pkiutil utility supplied by Progress/OpenEdge at the proenv prompt (Start > Programs (All Programs) > OpenEdge > proenv). pkiutil accepts a key size of 512, 1024 or 2048 bits and defaults to 1024-bit; use 2048 bits, since 512-bit and 1024-bit RSA keys are no longer considered strong enough to protect a TLS connection.

Example:
proenv>pkiutil -keysize 2048 -newreq demoSSL

Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
..+++
......................+++
writing new private key to 'C:\Progress\OE\102a\dlc/keys/requests/demoSSL.pk1'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
----
The pkiutil utility will then prompt for specific information that will be incorporated into the certificate request.
This information is called a Distinguished Name or DN.

There are quite a few fields, but some can be left blank.
Some fields have a default value shown in brackets; pressing Enter accepts it.
If a single period '.' is entered in a field, that field is left blank.
Example:
-----
Country Name (2 letter code) [US]:US
State or Province Name (full name) []:Massachusetts
Locality Name (eg, city) []:Bedford
Organization Name (eg, company) []:Progress Software
Organizational Unit Name (eg, section) []:Technical Support
Server DNS name []:myserver.bedford.progress.com
A file with a .pk10 extension (a PKCS#10 certificate signing request) will be created.
For this example the C:\Progress\OE\102a\dlc/keys/requests/demoSSL.pk10 file was created.
This file is used to request a new digital certificate from a CA (Certificate Authority).
After the digital certificate is received from the CA, the pkiutil tool is used again with the -import option to insert the certificate into the keystore.

5b. Take a note of the pass phrase, as it will be required in the following steps.
5c. Copy demoSSL.pk10 to the C:\myssl\requests folder.
5d. Copy demoSSL.pk1 to the C:\myssl\keys folder.

6. Create a master or root certificate based on demoSSL.pk1, to be used when signing other certificates with OpenSSL. Note that this procedure uses the same private key for the root CA and for the server certificate it signs in step 7; that is acceptable for a test setup, but for a CA that will sign more than one certificate generate a separate key for the CA and keep it away from the servers.

Example:
C:\myssl>openssl req -new -x509 -days 1001 -key keys/demoSSL.pk1 -out certs/rootCA.cer
Enter pass phrase for keys/demoSSL.pk1:
Loading 'screen' into random state - done
openssl will prompt for the information to be incorporated into the certificate, in the same way pkiutil did in step 5.
The first piece of information is called a Distinguished Name or a DN.
There are quite a few fields, but some can be left blank.
For some fields there will be a default value.
If a single period '.' is entered in a field, that field is left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Massachusetts
Locality Name (eg, city) []:Bedford
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Progress Software
Organizational Unit Name (eg, section) []:Technical Support
Common Name (eg, YOUR name) []:Muhammad Akbar
Email Address []:makbar@progress.com

7. Sign the certificate request. openssl ca reads its settings (the demoCA directory, serial and index.txt created in step 4) from the default openssl.cfg, so run it from C:\myssl:
Example:
C:\myssl>openssl ca -cert certs/rootCA.cer -in requests/demoSSL.pk10 -keyfile keys/demoSSL.pk1 -days 365 -out certs/demoSSL.cer
Using configuration from C:\OpenSSL\bin\openssl.cfg
Loading 'screen' into random state - done
Enter pass phrase for keys/demoSSL.pk1:
Check that the request matches the signature

Signature ok

Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jul 22 18:52:14 2009 GMT
Not After : Jul 22 18:52:14 2010 GMT
Subject:
countryName = US
stateOrProvinceName = Massachusetts
organizationName = Progress Software
organizationalUnitName = Technical Support
commonName = myserver.bedford.progress.com
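The whole step 4 to step 7 workflow, as an added POSIX shell example that is not part of the original Kbase article. It assumes only the openssl command line tool: pkiutil is not available outside OpenEdge, so its key and request generation is replaced here by openssl genrsa and openssl req; the pass phrase "changeit", the temporary working directory, the private openssl.cnf (written so the run does not depend on the system configuration) and the extension sections are all assumptions made for this example. It also generates a separate key for the CA instead of reusing demoSSL.pk1, and finishes with the checks a practitioner wants before handing the certificate to the broker: the issued certificate verifies against the root, and the CA database recorded it. The same openssl commands work from the Windows cmd prompt with backslash paths.

```shell
#!/bin/sh
# Added example (not from the Kbase article): the step 4-7 workflow with
# OpenSSL only, run non-interactively.  pkiutil is replaced by
# "openssl genrsa" + "openssl req"; the pass phrase "changeit", the temp
# directory and the extension sections are assumptions made here.
set -eu

build_demo_ca() (
    pass="pass:changeit"           # assumed pass phrase (pkiutil prompts for one)
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    cd "$work"

    # Step 4: the layout "openssl ca" expects (demoCA/serial, index.txt, newcerts).
    mkdir -p myssl/keys myssl/requests myssl/certs myssl/demoCA/newcerts
    cd myssl
    echo 01 > demoCA/serial
    : > demoCA/index.txt

    # Private config so the run does not depend on the system openssl.cnf.
    # localityName is listed so it survives signing; the stock policy_match
    # drops fields it does not name.
    cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = ./demoCA
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
serial          = $dir/serial
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = server_cert
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
localityName           = optional
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:myserver.bedford.progress.com
EOF

    # Steps 5/6: CA key and self-signed root (a separate key, unlike the article).
    openssl genrsa -aes256 -passout "$pass" -out keys/rootCA.pk1 2048 2>/dev/null
    openssl req -config openssl.cnf -new -x509 -days 1001 -extensions ca_ext \
        -key keys/rootCA.pk1 -passin "$pass" \
        -subj "/C=US/ST=Massachusetts/L=Bedford/O=Progress Software/OU=Technical Support/CN=Demo Root CA" \
        -out certs/rootCA.cer

    # Step 5a for the server: key plus PKCS#10 request (what pkiutil -newreq produces).
    openssl genrsa -aes256 -passout "$pass" -out keys/demoSSL.pk1 2048 2>/dev/null
    openssl req -config openssl.cnf -new -key keys/demoSSL.pk1 -passin "$pass" \
        -subj "/C=US/ST=Massachusetts/L=Bedford/O=Progress Software/OU=Technical Support/CN=myserver.bedford.progress.com" \
        -out requests/demoSSL.pk10

    # Step 7: sign the request; openssl ca updates demoCA/serial and index.txt.
    openssl ca -config openssl.cnf -batch -notext \
        -cert certs/rootCA.cer -keyfile keys/rootCA.pk1 -passin "$pass" \
        -in requests/demoSSL.pk10 -days 365 -out certs/demoSSL.cer

    # Checks: the chain verifies against the root and the database holds a valid (V) entry.
    openssl verify -CAfile certs/rootCA.cer certs/demoSSL.cer >/dev/null
    grep -q '^V' demoCA/index.txt
    openssl x509 -in certs/demoSSL.cer -noout -subject
)

build_demo_ca
```

The last line printed is the subject of the issued certificate; if openssl verify or the database check fails the script stops with a non-zero exit status, which is the signal to fix the request or the policy before importing anything with pkiutil -import.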