HP Open Source Security for OpenVMS Volume 2:...

Using the Certificate Tool

View a Certificate Request File

Create a Self-Signed Certificate

Create a Certificate Signing Request 

• Server certificate request
  
  Prepares a certificate file to be signed by a trusted (root) CA to authenticate your server. You are the subject of the certificate, and the CA you send it to will be the certificate issuer. For example, if you wanted to get a Thawte Server ID, you would create a certificate request and mail the contents of this generated file to Thawte. The file you generate is a *.CSR file.



• Client certificate request
  
  Prepares client certificate files that are loaded in the SSL client application, such as a web browser. The client is the subject of the certificate and you are the certificate issuer.

To create a certificate request, perform the following steps.

1. Enter the information required for the certificate. You must complete all fields to create a valid certificate request. The certificate request is generated after you respond to the last question.
   • Encrypt Private Key
     
     Using an encrypted private key forces the passphrase dialog when loading the private key.

     ---

     Do not use this option if you are using the mod_ssl directive SSLPassPhraseDialog with the default built-in option.

     ---

   
   
   
   • Encryption Bits
     
     The largest recommended size is 1024 bits. Encryption strength is often described in terms of the size of the keys used to perform the encryption; in general, longer keys provide stronger encryption but require more computing time. Key length is measured in bits. Private key sizes larger than 1024 bits are incompatible with some versions of Netscape Navigator and Microsoft Internet Explorer.
   
   
   
   • Certificate Key File
     
     Use OpenVMS syntax (defaults to SSL$KEY:SERVER.KEY).
   
   
   
   • Certificate Request File
     
     Use OpenVMS syntax (defaults to SSL$CSR:SERVER.CSR).
   The remaining questions determine your server's distinguished name.
   • Country Name
   
   
   
   • State or Province Name
   
   
   
   • City Name
   
   
   
   • Organization Name
   
   
   
   • Organization Unit Name
   
   
   
   • Common Name
     
     Common name usage is different for client certificates than it is for server certificates. Generally, the common name on a client certificate is the proper name of the individual requesting a certificate. In the case of server certificates, the common name must be the same as your server's DNS host name (or virtual host name, if name-based virtual hosting is used). Browsers compare the common name in the server certificate with the host name of the server to which they are connecting; these names must match.
   
   
   
   • Email Address
   
   
   
   • Display the Certificate
2. View the details of the certificate request (if you chose to display the certificate).
   • Subject
   
   
   
   • Public key information
   
   
   
   • Signature algorithm

To see the encoded contents, exit the certificate tool and enter the following command to view the CSR file.

$ TYPE SSL$ROOT:[CERTS]SERVER.CSR

What you see is exactly what is required by the certificate authority. You might be required to send the file itself or just the contents of the file to your CA (according to the CA's instructions). For example:

-----BEGIN CERTIFICATE REQUEST-----
MIIB/TCCAWYCAQAwgbwxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1OZXcgSGFtcHNo
aXJlMQ8wDQYDVQQHEwZOYXNodWExHjAcBgNVBAoTFUNvbXBhcSBDb21wdXRlciBD 
b3JwLjEcMBoGA1UECxMTT3BlblZNUyBFbmdpbmVlcmluZzEaMBgGA1UEAxMRRkxJ 
UDMuWktPLkRFQy5DT00xKjAoBgkqhkiG9w0BCQEWG3dlYm1hc3RlckBGTElQMy5a 
S08uREVDLkNPTTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0/y8RxuE/COy 
nVpeK00GgvbgFWxX1o89ULQTMVUSwmAzhdzbi3DZL5s85YRGdPVgYW2rWs1t2SQg 
jMSlFTxta/CwW6Vwwn9GmdaJwkqGFxnpw2LmugexLfj+4t97AZyIR2O7gJxCINS5 
CWg3tcn1ZUmqswjkrG8WehUN+2C6IBcCAwEAAaAAMA0GCSqGSIb3DQEBBAUAA4GB 
ABzgiiojPAcojLXGI2OFxJ5apORAHHHAyc0YCuhFXS1Rs2BIXHmM5xQuxk8yitc4 
yViQfHhGDzpDmOwMKkK7t09UjQh9humKEUlAnS4VYLL4VlgenwLybcLLB0Q3aiQN 
UjQw9RrXNWWZYVDenvrOwtbK9dFefb4PlZIAS2/Z4jLP
-----END CERTIFICATE REQUEST-----

If you are sending only the contents, copy and paste everything and send to the CA using secure email or the appropriate enrollment form. The CA will return a digitally signed certificate to you. For example:

-----BEGIN CERTIFICATE-----
MIICeDCCAiICEEdpjxOzmJPyh5TiG8BRA70wDQYJKoZIhvcNAQEEBQAwgakxFjAU 
BgNVBAoTDVZlcmlTaWduLCBJbmMxRzBFBgNVBAsTPnd3dy52ZXJpc2lnbi5jb20v 
cmVwb3NpdG9yeS9UZXN0Q1BTIEluY29ycC4gQnkgUmVmLiBMaWFiLiBMVEQuMUYw 
RAYDVQQLEz1Gb3IgVmVyaVNpZ24gYXV0aG9yaXplZCB0ZXN0aW5nIG9ubHkuIE5v 
IGFzc3VyYW5jZXMgKEMpVlMxOTk3MB4XDTAwMDcwNzAwMDAwMFoXDTAwMDcyMTIz
 
NTk1OVowgZAxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1OZXcgSGFtcHNoaXJlMQ8w 
DQYDVQQHFAZOYXNodWExHjAcBgNVBAoUFUNvbXBhcSBDb21wdXRlciBDb3JwLjEc 
MBoGA1UECxQTT3BlblZNUyBFbmdpbmVlcmluZzEaMBgGA1UEAxQRRkxJUDMuWktP 
LkRFQy5DT00wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANP8vEcbhPwjsp1a 
XitNBoL24BVsV9aPPVC0EzFVEsJgM4Xc24tw2S+bPOWERnT1YGFtq1rNbdkkIIzE 
pRU8bWvwsFulcMJ/RpnWicJKhhcZ6cNi5roHsS34/uLfewGciEdju4CcQiDUuQlo 
N7XJ9WVJqrMI5KxvFnoVDftguiAXAgMBAAEwDQYJKoZIhvcNAQEEBQADQQAySLLe 
U7nMLJ+QkRld6iqKjU2VotphPvgWMGsJ+TKqUI4MXaAv0zQxtBni1N8s0LXVNCuJ
lEzBYjSbgbgEhJJA
-----END CERTIFICATE-----

The CA-signed certificate contains the following information:

• Your organization's common name (www.your-server )



• Additional identifying information (IP and physical address)



• Your public key



• Expiration date of the public key



• Name of the CA that issued the ID



• A unique serial number. (Every certificate issued by a CA has a serial number that is unique to the certificates issued by that CA.)



• CA's digital signature

Installing Certificates 

A signed certificate needs to be installed, along with the key you generated when creating the request, by saving or copying the respective files to their correct directories and restarting the application.

The following example shows a certificate and key copied to the directory of a web server.

$ COPY SSL$CERTS:SERVER.CRT APACHE$SPECIFIC:[CONF.SSL_CRT]

$ COPY SSL$KEY:SERVER.KEY APACHE$SPECIFIC:[CONF.SSL_KEY]

View a Certificate Request File

Create a Self-Signed Certificate