Consultor Eletrônico

Kbase 19167: Steps to create SSL certificates and keys for Apptivity
Author   Progress Software Corporation - Progress
Access   Public
Published   10/1/1999

Steps to create SSL certificates and keys for Apptivity

This document applies to: Apptivity

Version and Release Number: 3.1


Apptivity bundles a version of the ssleay program (located in
install_dir/bin) taken from Eric Young's SSLeay 0.8.1 package. You can
use the two command-line utilities, ssleay and keyenc, to create key
pairs and certificates and to encrypt private keys. The steps involved
(creating a key pair and a certificate signing request, creating a
self-signed CA certificate, signing certificates with that CA
certificate, and encrypting private keys) are not a transparent
process: there are many ways for them to go wrong and produce keys
that do not work.
Below is a tested, working example of an ssleay configuration file
(ssleay.cnf), together with a transcript recorded while creating the
keys with that ssleay.cnf placed in the current working directory,
where all the commands were run. Before continuing you should read the
chapter "SSLeay Utilities" in the Apptivity Update Booklet. The
transcript consists of the screen captures made while creating
certificates and keys that were then confirmed to work in the
Apptivity application.

D:\certest>echo 1233>.rand

D:\certest>ssleay req -config ssleay.cnf -out CAcert.pem -new -x509 -keyout cakey.pem

Using configuration from ssleay.cnf
Loading 'screen' into random state - done
unable to load 'random state'
What this means is that the random number generator has not been seeded
with much random data.
Consider setting the RANDFILE environment variable to point at a file that
'random' data can be kept in.
Generating a 512 bit RSA private key
......+++++
.+++++
writing new private key to 'cakey.pem'
Enter PEM pass phrase:test
Verifying password - Enter PEM pass phrase:test
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:US
State or Province Name (full name) []:Massachusetts
Locality Name (eg, city) []:Boston
Organization Name (eg, company) []:Progress
Organizational Unit Name (eg, section) []:EU
Common Name (eg, YOUR name) []:Reinhard
Email Address []:test@progress.com

D:\certest>

D:\certest>ssleay req -config ssleay.cnf -out cert.pem -new -keyout unenckey.pem -nodes

Using configuration from ssleay.cnf
Loading 'screen' into random state - done
Generating a 512 bit RSA private key
.+++++
.......+++++
writing new private key to 'unenckey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:US
State or Province Name (full name) []:Massachusetts
Locality Name (eg, city) []:Boston
Organization Name (eg, company) []:Progress
Organizational Unit Name (eg, section) []:EU
Common Name (eg, YOUR name) []:Reinhard
Email Address []:test@progress.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

D:\certest>echo 1001>serial

D:\certest>echo off>index.txt
echo on

D:\certest>ssleay ca -config ssleay.cnf -in cert.pem -out rwecert.pem
Using configuration from ssleay.cnf
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'Massachusetts'
localityName :PRINTABLE:'Boston'
organizationName :PRINTABLE:'Progress'
organizationalUnitName:PRINTABLE:'EU'
commonName :PRINTABLE:'Reinhard'
emailAddress :IA5STRING:'test@progress.com'
Certificate is to be certified until Sep 28 09:49:51 2009 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

D:\sslcerts\keyenc unenckey.pem key.pem "test"
D:\certest>java IE.Iona.OrbixWeb.SSL.PEMKeyEncrypt unenckey.pem key.pem "test"


The resulting certificates and key to use with Apptivity are:

CAcert.pem
rwecert.pem
key.pem

Here are the contents of the ssleay.cnf file that was used. Note that
the lines:

certificate = $dir/CAcert.pem

and

private_key = $dir/cakey.pem

must match the file names given to the first ssleay req command
(-out CAcert.pem and -keyout cakey.pem), because ssleay ca reads the
CA certificate and CA private key from these paths:

# SSLeay example configuration file.

[ ca ]
default_ca = CA_default

[ CA_default ]


dir = .
certs = $dir
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir

certificate = $dir/CAcert.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/cakey.pem
RANDFILE = $dir/.rand

default_days = 3650
default_crl_days= 300
default_md = md5
preserve = no

policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 512
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_min = 2
countryName_max = 2

stateOrProvinceName = State or Province Name (full name)

localityName = Locality Name (eg, city)

organizationName = Organization Name (eg, company)

organizationalUnitName = Organizational Unit Name (eg, section)

commonName = Common Name (eg, YOUR name)
commonName_max = 64

emailAddress = Email Address
emailAddress_max = 40

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 0
challengePassword_max = 20

unstructuredName = An optional company name

#end of SSLeay example configuration file.
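As an added example, not part of this knowledge base article and not code from Progress or the Apptivity product, the script below replays the transcript above with the openssl command line that succeeded ssleay (the req, ca, rsa and verify subcommands), using a configuration equivalent to the ssleay.cnf just shown. It runs without prompts and adds the checks the transcript leaves implicit: the issued certificate chains to CAcert.pem, the policy_match section rejects a request whose stateOrProvinceName differs from the CA's, and the encrypted key (the keyenc step) opens only with the pass phrase. It assumes openssl 1.1.1 or later on the PATH and a scratch directory from mktemp. The 2048-bit keys, sha256 digest and basicConstraints extensions are deliberate substitutions for the article's 512-bit keys, md5 and extension-less certificates, which current OpenSSL builds reject at their default security level; the DN values and the pass phrase "test" are the article's, and the second request with ST=California is constructed for the policy check.

```shell
#!/bin/sh
# Added example (not from the Progress KB article): the article's ssleay
# procedure replayed non-interactively with modern openssl, plus checks.
# Assumptions: openssl 1.1.1+ on PATH; scratch directory from mktemp.
# 2048-bit RSA / sha256 / explicit basicConstraints replace the article's
# 512-bit / md5 / extension-less certificates, which current OpenSSL
# builds refuse to verify. Pass phrase "test" and DN values are the article's.
set -eu

CA_SUBJ="/C=US/ST=Massachusetts/L=Boston/O=Progress/OU=EU/CN=Reinhard/emailAddress=test@progress.com"

# Equivalent of the article's ssleay.cnf, written to the current directory.
write_config() {
    cat > ssleay.cnf <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = .
new_certs_dir   = $dir
database        = $dir/index.txt
serial          = $dir/serial
certificate     = $dir/CAcert.pem
private_key     = $dir/cakey.pem
default_days    = 3650
default_md      = sha256
policy          = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca
[ req_distinguished_name ]
commonName = Common Name
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
subjectKeyIdentifier = hash
[ usr_cert ]
basicConstraints = CA:FALSE
EOF
}

# Step 1 (article: ssleay req -x509): self-signed CA cert + pass-phrase-protected CA key.
make_ca() {
    openssl req -config ssleay.cnf -new -x509 -days 3650 -subj "$CA_SUBJ" \
        -keyout cakey.pem -out CAcert.pem -passout pass:test 2>/dev/null
}

# Step 2 (article: ssleay req -nodes): CSR plus unencrypted key. $1 subject, $2 file prefix.
make_csr() {
    openssl req -config ssleay.cnf -new -nodes -subj "$1" \
        -keyout "$2.unenckey.pem" -out "$2.csr.pem" 2>/dev/null
}

# Step 3 (article: echo 1001>serial, empty index.txt, ssleay ca). sign_csr returns
# 0 only if the CA issued the certificate; a policy_match failure returns non-zero.
init_db() { printf '1001\n' > serial; : > index.txt; }
sign_csr() {
    openssl ca -config ssleay.cnf -batch -passin pass:test \
        -in "$1.csr.pem" -out "$1.cert.pem" >/dev/null 2>&1
}

# Step 4 (article: keyenc / PEMKeyEncrypt): encrypt the leaf key under the pass phrase.
encrypt_key() {
    openssl rsa -in "$1.unenckey.pem" -aes256 -passout pass:test -out "$1.key.pem" 2>/dev/null
}

# Checks: the issued cert chains to CAcert.pem; the encrypted key opens with the
# right pass phrase and refuses a wrong one.
verify_chain() { openssl verify -CAfile CAcert.pem "$1.cert.pem" >/dev/null 2>&1; }
key_needs_passphrase() {
    openssl rsa -in "$1.key.pem" -passin pass:test -noout >/dev/null 2>&1 &&
    ! openssl rsa -in "$1.key.pem" -passin pass:wrong -noout >/dev/null 2>&1
}

# Whole procedure in a scratch directory; prints a one-line summary and
# returns 0 only when every check holds.
run_demo() {
    work=$(mktemp -d)
    cd "$work"
    write_config
    make_ca
    init_db
    make_csr "$CA_SUBJ" rwe                                    # matches the CA's C/ST/O
    make_csr "/C=US/ST=California/O=Progress/CN=Other" other   # constructed: ST differs
    issued=0; sign_csr rwe && verify_chain rwe && issued=1
    rejected=0; sign_csr other || rejected=1
    enc=0; encrypt_key rwe && key_needs_passphrase rwe && enc=1
    cd - >/dev/null && rm -rf "$work"
    echo "issued_and_verified=$issued policy_rejected=$rejected key_encrypted=$enc"
    [ "$issued" = 1 ] && [ "$rejected" = 1 ] && [ "$enc" = 1 ]
}

if command -v openssl >/dev/null 2>&1; then run_demo; fi
```

The policy check is the part worth keeping around: policy_match silently drops any request field the policy section does not list and refuses a request whose C, ST or O differ from the CA certificate's, so a signing failure after a DN typo is the policy working as configured, not a broken key.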

References To Written Documentation or Other KnowledgeBase Documents:

Apptivity Update Booklet
KB-19164 Apptivity Client Authentication with SSL using certificates