HP Open Source Security for OpenVMS Volume 2: HP SSL for OpenVMS > Chapter 5 Example Programs

Template for Creating Certificates and Keys for the Example Programs



The command procedure SSL$EXAMPLES_SETUP.TEMPLATE (located in SYS$COMMON:[SYSHLP.EXAMPLES.SSL]) is a template that sets up the certificates and keys you need to run the example programs included with HP SSL. SSL$EXAMPLES_SETUP.TEMPLATE does the following:

  • Creates a Certificate Authority (CA) private key and a self-signed CA certificate

  • Creates server and client private keys and certificate signing requests

  • Signs the two requests with the CA, which produces the server and client certificates

To execute this command procedure, first make sure that SYS$STARTUP:SSL$STARTUP.COM and SSL$COM:SSL$UTILS.COM have been run, then copy the template to a .COM file, remove the leading "$! " comment prefix from the commands you want to run, and replace the placeholder values (yourpassword, yourcountry, and so on) with values for your site. Note that the template keeps the CA pass phrase in cleartext inside the procedure and creates the server and client private keys with -nodes (unencrypted), so restrict access to the procedure and to the files in SSL$KEY:. The two CA files (SERVER_CA and CLIENT_CA) are identical copies of one CA; the copy exists only because the example programs load the CA under different names on the server and client sides.

The following program listing shows SSL$EXAMPLES_SETUP.TEMPLATE.

$!
$! SSL$EXAMPLES_SETUP.COM --
$!
$! This command procedure is actually a template that will show
$! the commands necessary to create certificates and keys for the example
$! programs.
$!
$! Also included in this file are the options to enter into
$! SSL$CERT_TOOL.COM to create the certificates and keys for the
$! example programs. SSL$CERT_TOOL.COM is found in SSL$COM. See the
$! documentation for more information about SSL$CERT_TOOL.COM.
$!
$! 1. Create CA certificate - option 5 in SSL$CERT_TOOL.COM.
$! This will create a key in one file, named SSL$KEY:SERVER_CA.KEY
$! by default, and a certificate in another file, named
$! SSL$CERTS:SERVER_CA.CRT by default.
$!
$! 2. Make 2 copies of CA certificate created in step #1.
$! One should be called server_ca.crt and the other called
$! client_ca.crt as these are the filenames defined in the
$! example programs. You will have to exit the SSL$CERT_TOOL.COM
$! procedure to do this operation from the DCL command line.
$! For example:
$! $ COPY SSL$KEY:SERVER_CA.KEY SSL$KEY:CLIENT_CA.KEY
$! $ COPY SSL$CERTS:SERVER_CA.CRT SSL$CERTS:CLIENT_CA.CRT
$!
$! 3. Create a server certificate signing request - option 3 in SSL$CERT_TOOL.COM.
$! The Common Name should be the TCP/IP hostname of the server system.
$! The default name of the request is SERVER.CSR. The corresponding private
$! key is named SERVER.KEY.
$!
$! 4. Sign server certificate signing request - option 6 in SSL$CERT_TOOL.COM
$! Use the CA certificate, SERVER_CA.CRT, created in step #1 to sign the request
$! created in step #3. This will create a certificate file, which should be
$! named SERVER.CRT. This is the name as it is defined in example programs.
$!
$! 5. Create a client certificate signing request - option 3 in SSL$CERT_TOOL.COM.
$!
$! 6. Sign client certificate signing request - option 6 in SSL$CERT_TOOL.COM
$! Use the CA certificate, CLIENT_CA.CRT, created in step #1 to sign the request
$! created in step #5. This will create a certificate file, which should be
$! named CLIENT.CRT. This is the name as it is defined in example programs.
$!
$! 7. These certificates and keys should reside in the same directory as
$! the example programs.
$!
$!
$!
$!
$! The commands have been changed to use generic data as
$! input. To use these commands, substitute data specific to
$! your site for the generic data; for example, yourcountry
$! could be changed to US. It is assumed that the SSL startup
$! file, SYS$STARTUP:SSL$STARTUP.COM, and the SSL$COM:SSL$UTILS.COM
$! procedure have been executed.
$!
$!
$! Check to make sure SSL has been started, so
$! we can use the logicals that it defines.
$!
$! $ if f$trnlnm("SSL$ROOT") .eqs. ""
$! $ then
$! $ write sys$output "SSL needs to be started. Execute SYS$STARTUP:SSL$STARTUP,"
$! $ write sys$output "then try this procedure again."
$! $ exit
$! $ endif
$!
$! Check to make sure SSL$UTILS has been executed, so
$! we can use the foreign commands that it sets up.
$!
$! $ if f$type(OPENSSL) .eqs. ""
$! $ then
$! $ @SSL$COM:SSL$UTILS
$! $ endif
$!
$! Check to make sure the SERIAL and INDEX files exist.
$! If they don't, create them.
$!
$! $ if f$search("SSL$ROOT:[DEMOCA]SERIAL.TXT") .eqs. ""
$! $ then
$! $ CREATE SSL$ROOT:[DEMOCA]SERIAL.TXT
$! 01
$! $ endif
$!
$! $ if f$search("SSL$ROOT:[DEMOCA]INDEX.TXT") .eqs. ""
$! $ then
$! $ CREATE SSL$ROOT:[DEMOCA]INDEX.TXT
$! $ endif
$!
$! Create the CA certificate.
$!
$! $ define/user sys$command sys$input
$! $ openssl req -config ssl$root:[000000]openssl-vms.cnf -new -x509 -days 1825 -
$! -keyout ssl$key:server_ca.key -out ssl$certs:server_ca.crt
$! yourpassword
$! yourpassword
$! yourcountry
$! yourstate
$! yourcity
$! yourcompany
$! yourdepartment
$! your Certificate Authority certificate
$! firstname.lastname@yourcompany.com
$!
$! Copy the server_ca.* to client_ca.* so that the CA can
$! be loaded on each side.
$!
$! $ copy ssl$key:server_ca.key ssl$key:client_ca.key
$! $ copy ssl$certs:server_ca.crt ssl$certs:client_ca.crt
$!
$! $!
$! $!
$! $! Create the server certificate request.
$! $!
$! $! Note : DCL does not perform symbol substitution on data
$! $! lines read through SYS$INPUT, so the host name cannot be
$! $! supplied that way. To get around this, we create a .COM
$! $! file on the fly, with the host name already substituted,
$! $! and execute it to create the server certificate request.
$! $!
$! $ hostname = f$trnlnm("tcpip$inet_host")
$! $ domain = f$trnlnm("tcpip$inet_domain")
$! $ server_name = hostname + "." + domain
$! $!
$! $ open/write s_com create_s_cert.com
$! $!
$! $ write s_com "$!"
$! $ write s_com "$ define/user sys$command sys$input"
$! $ write s_com "$ openssl req -new -nodes -config ssl$root:[000000]openssl-vms.cnf" -
$! + " -keyout ssl$key:server.key -out ssl$certs:server.csr"
$! $ write s_com "yourcountry"
$! $ write s_com "yourstate"
$! $ write s_com "yourcity"
$! $ write s_com "yourcompany"
$! $ write s_com "yourdepartment"
$! $ write s_com "''server_name'"
$! $ write s_com "firstname.lastname@yourcompany.com"
$! $! The two empty lines answer the optional "challenge password"
$! $! and "optional company name" prompts of openssl req.
$! $ write s_com ""
$! $ write s_com ""
$! $!
$! $ close s_com
$! $ @create_s_cert
$! $ delete create_s_cert.com;
$! $!
$! $!
$! $! Now, sign the server certificate. The input lines are the
$! $! CA key pass phrase, then Y to sign and Y to commit the database.
$! $!
$! $ define/user sys$command sys$input
$! $ openssl ca -config ssl$root:[000000]openssl-vms.cnf -cert ssl$certs:server_ca.crt -keyfile ssl$key:server_ca.key -
$! -out ssl$certs:server.crt -infiles ssl$certs:server.csr
$! yourpassword
$! Y
$! Y
$! $!
$! $!
$! $! Create the client certificate request.
$! $!
$! $ define/user sys$command sys$input
$! $ openssl req -new -nodes -config ssl$root:[000000]openssl-vms.cnf -
$! -keyout ssl$key:client.key -out ssl$certs:client.csr
$! yourcountry
$! yourstate
$! yourcity
$! yourcompany
$! yourdepartment
$! yourname
$! firstname.lastname@yourcompany.com
$!
$!
$! $!
$! $!
$! $! Now, sign the client certificate. The input lines are the
$! $! CA key pass phrase, then Y to sign and Y to commit the database.
$! $!
$! $ define/user sys$command sys$input
$! $ openssl ca -config ssl$root:[000000]openssl-vms.cnf -cert ssl$certs:client_ca.crt -keyfile ssl$key:client_ca.key -
$! -out ssl$certs:client.crt -infiles ssl$certs:client.csr
$! yourpassword
$! Y
$! Y
$! $!
$! $! Let's view the CA certificate.
$! $!
$! $ openssl x509 -noout -text -in ssl$certs:server_ca.crt
$! $!
$! $!
$! $! Let's view the Server Certificate Request.
$! $!
$! $ openssl req -noout -text -in ssl$certs:server.csr
$! $!
$! $! Let's view the Server Certificate.
$! $!
$! $ openssl x509 -noout -text -in ssl$certs:server.crt
$! $!
$! $! Let's view the Client Certificate Request.
$! $!
$! $ openssl req -noout -text -in ssl$certs:client.csr
$! $!
$! $! Let's view the Client Certificate.
$! $!
$! $ openssl x509 -noout -text -in ssl$certs:client.crt
$! $!
$! $!
$! $! Lastly, move the certificates and keys to the directory
$! $! in which you are building/running the examples.
$!
$! $exit
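The same CA, request and signing sequence, written for a POSIX shell and the openssl command-line tool, is shown below as an added example; it is not part of the HP SSL kit or of the template above. It goes one step further than the template by verifying each issued certificate against the CA and by checking the server certificate against the host name, which is what a TLS client actually does. The directory layout, the minimal demo.cnf, the subject fields, the extension sections (v3_ca, server_ext, client_ext), the DEMO_CA_PASS environment variable and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not HP SSL code): the CA -> server/client CSR -> signing
# flow of SSL$EXAMPLES_SETUP.TEMPLATE with the openssl command on a POSIX
# system, plus the verification the template omits. Layout, demo.cnf,
# subject fields and extension sections are this example's assumptions.
set -eu

# write_demo_config DIR HOST: minimal config for 'openssl req'/'openssl ca'
# (the OpenVMS template relies on the kit's openssl-vms.cnf instead).
write_demo_config() {
    cat > "$1/demo.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $1
database = \$dir/index.txt
serial = \$dir/serial.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
policy = policy_any
unique_subject = no
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
# TLS clients match the host name against subjectAltName, not only the CN
# the template puts it in, so the server certificate carries both.
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# make_demo_pki DIR HOST: steps 1-6 of the template. The CA key gets a pass
# phrase (from $DEMO_CA_PASS, handed over in a mode-0600 file rather than on
# the command line); server and client keys use -nodes, as in the template.
make_demo_pki() {
    mkdir -p "$1/newcerts"
    pki=$(cd "$1" && pwd)
    write_demo_config "$pki" "$2"
    : > "$pki/index.txt"                 # empty INDEX.TXT
    echo 01 > "$pki/serial.txt"          # SERIAL.TXT starts at 01
    (umask 077; printf '%s\n' "${DEMO_CA_PASS:-yourpassword}" > "$pki/ca.pass")
    subj="/C=XX/ST=yourstate/L=yourcity/O=yourcompany/OU=yourdepartment"
    # 1. CA key and self-signed CA certificate (cf. openssl req -new -x509 -days 1825)
    openssl req -new -x509 -days 1825 -newkey rsa:2048 -sha256 -config "$pki/demo.cnf" \
        -extensions v3_ca -subj "$subj/CN=Demo Certificate Authority" \
        -passout "file:$pki/ca.pass" -keyout "$pki/ca.key" -out "$pki/ca.crt"
    # 2. The client side needs only the CA *certificate* to verify peers; the
    #    template also copies the CA private key, but one key signs both requests.
    cp "$pki/ca.crt" "$pki/client_ca.crt"
    # 3./5. Server and client keys and requests (server CN = host name, as required)
    openssl req -new -nodes -newkey rsa:2048 -sha256 -config "$pki/demo.cnf" \
        -subj "$subj/CN=$2" -keyout "$pki/server.key" -out "$pki/server.csr"
    openssl req -new -nodes -newkey rsa:2048 -sha256 -config "$pki/demo.cnf" \
        -subj "$subj/CN=yourname" -keyout "$pki/client.key" -out "$pki/client.csr"
    # 4./6. Sign both requests (-batch answers the template's two Y prompts)
    openssl ca -batch -notext -config "$pki/demo.cnf" -extensions server_ext \
        -passin "file:$pki/ca.pass" -in "$pki/server.csr" -out "$pki/server.crt"
    openssl ca -batch -notext -config "$pki/demo.cnf" -extensions client_ext \
        -passin "file:$pki/ca.pass" -in "$pki/client.csr" -out "$pki/client.crt"
}

# verify_cert DIR CERT: chain check against the CA, which the template never does.
verify_cert() { openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1; }

# verify_server_cert DIR HOST: chain check plus host-name matching.
verify_server_cert() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}

# Stand-alone run: build the demo PKI in $1 (default: a temp dir) for host $2.
demo_dir=${1:-$(mktemp -d)/democa}
demo_host=${2:-$(hostname 2>/dev/null || echo localhost)}
make_demo_pki "$demo_dir" "$demo_host" >/dev/null
verify_server_cert "$demo_dir" "$demo_host" || { echo "server.crt failed verification"; exit 1; }
verify_cert "$demo_dir" "$demo_dir/client.crt" || { echo "client.crt failed verification"; exit 1; }
echo "demo PKI built in $demo_dir; server.crt and client.crt verify against ca.crt"
```

Run it as `sh make_demo_pki.sh ./democa myhost.example.com`; set DEMO_CA_PASS in the environment instead of editing a pass phrase into the script. A server certificate signed by a different CA, or issued for a different host name, fails the two verify functions, which is the check to run before copying the files next to the example programs.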