Procedure flow

After it is called, the procedure runs as follows:

  1. The RSA or DSA key pair is generated with a key length of 2048/1024 bits.

  2. The X.509 CSR is generated. For this, the caller is prompted interactively for some details.

  3. A test certificate is generated from the CSR using the Snake Oil CA.

    For this, the caller is prompted for further details:

    • Validity period of the test certificate

    • Version of the certificate (X.509v1 or X.509v3)

    • If "3" (X.509v3) is specified, the DNS name for the subjectAltName is requested. The DNS name is usually identical to the "Common Name" (CN) from step 2.

  4. The generated certificate is displayed in plain text.

Example

The following is a log of a procedure call. User input is highlighted in bold.

/CALL-PROCEDURE *LIB($.SYSSPR.TCP-IP-AP.nnn,MAKE.CERT)
SSL Certificate Generation Utility
Copyright (c) [...] Fujitsu Technology Solutions, All Rights Reserved

Generating test certificate signed by Snake Oil CA (TEST)
WARNING: Do not use this certificate for real-life/production systems.
         However, you can use the generated Certificate Signing
         Request (CSR) for requesting a real Server Certificate
         from a commercial Certificate Authority (CA).
-------------------------------------------------------------------------

STEP 1: Generating RSA private key (2048 bit)
%  BLS0523 ELEMENT 'OPENSSL' [...]
----------------------------------------------------------------------

STEP 2: Generating X.509 certificate signing request
%  BLS0523 ELEMENT 'OPENSSL' [...]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Country Name             (2 letter code) [DE]:
*DE
2. State or Province Name   (full name)     [Bavaria]:
*Bavaria
3. Locality Name            (eg, city)      [Munich]:
*Munich
4. Organization Name        (eg, company)   [Manufacturer, Ltd]:
*Fujitsu Technology Solutions GmbH
5. Organizational Unit Name (eg, section)   [Marketing]:
*Internet Services
6. Common Name              (eg, FQDN)      [www.manufacturer.com]:
*ftp.ts.fujitsu.com
7. Email Address            (eg, name@FQDN) [info@manufacturer.com]:
*info@ts.fujitsu.com
----------------------------------------------------------------------

STEP 3: Generating X.509 certificate signed by Snake Oil CA
%8. Certificate Validity     (days)         : 730
%Certificate Version (1 or 3)               : 3
%9. subjectAltName:dNSName   (eg, FQDN)     : ftp.ts.fujitsu.com
%  BLS0523 ELEMENT 'OPENSSL' [...]
Certificate request self-signature ok 
subject=C = DE, ST = Bavaria, L = Munich, O = Fujitsu Technology Solutions GmbH, 
 OU = Internet Services, CN = ftp.ts.fujitsu.com, emailAddress=info@ts.fujitsu.c
om
----------------------------------------------------------------------

STEP 4: Show generated X.509 certificate
%  BLS0523 ELEMENT 'OPENSSL' [...]
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10 (0xa)
     Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = XY, ST = Snake Desert, L = Snake Town, O = Snake Oil, OU = C
ertificate Authority, CN=Snake Oil CA/emailAddress=ca@snakeoil.dom
        Validity
            Not Before: May 22 16:25:30 2024 GMT
            Not After : May 22 16:25:30 2026 GMT
        Subject: C = DE, ST = Bavaria, L = Munich, O = Fujitsu Technology Soluti
ons GmbH, OU = Internet Services, CN = ftp.ts.fujitsu.com, emailAddress = info@t
s.fujitsu.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:cd:b1:16:04:f0:2c:70:99:e6:ee:1d:81:1e:20:
                    45:20:51:92:0c:34:a5:d4:56:15:06:98:09:bb:2c:
                    2c:3c:9d:03:6c:67:7f:f0:15:a8:87:ae:a2:13:dc:
                    ce:d7:f1:fd:6a:a3:59:96:fb:67:58:77:ff:cc:cf:
                    ff:1e:0c:a6:eb:dd:24:31:24:46:a9:b5:1a:0d:e1:
                    61:dd:84:7a:af:c5:5d:4d:15:d0:dc:7e:48:7d:5a:
                    de:bd:4f:bd:d7:5e:4c:fd:c3:fe:7e:10:44:a9:22:
                    21:cf:46:46:2d:2c:0f:cf:9a:13:d1:0d:03:74:83:
                    c9:40:3f:0d:26:da:d3:76:66:4c:a4:b8:9a:f4:98:
                    d8:14:c0:ef:ee:0b:03:e4:1b:d6:b4:b1:0d:15:a7:
                    20:1d:e4:e4:57:c2:ef:c8:6d:c3:d8:95:d2:b1:67:
                    9b:c3:e1:27:d7:e3:eb:6e:03:b9:18:00:58:45:cf:
                    6b:1c:f8:d9:6d:4f:0f:1a:f4:79:4b:90:7d:7b:43:
                    f7:f8:c2:40:a1:78:dc:20:8f:ec:45:b6:40:4d:53:
                    a2:a7:73:eb:bf:87:21:69:44:fb:b0:79:f2:e5:5a:
                    70:94:46:15:3d:62:b9:92:63:58:78:68:12:ba:f7:
                    72:84:f1:92:d6:91:27:6d:f7:1f:f1:34:f8:79:0d:
                    e2:99
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:ftp.ts.fujitsu.com, email:info@ts.fujitsu.com
            Netscape Comment:
                interNET SERVICES generated test server certificate
            X509v3 Subject Key Identifier:
                2F:92:85:41:E5:93:17:8B:E0:EC:35:49:EC:64:B5:4A:BA:9F:AE:27
            X509v3 Authority Key Identifier:
                DirName:/C=XY/ST=Snake Desert/L=Snake Town/O=Snake Oil/OU=Certif
icate Authority/CN=Snake Oil CA/emailAddress=ca@snakeoil.dom
                serial:01
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        52:68:85:7e:03:1e:e7:92:93:c9:d2:6a:0b:66:a5:a1:0f:89:
        b5:e8:f0:ee:ab:74:30:6b:90:38:79:ae:9c:19:d0:20:c3:8e:
        9f:25:ea:1b:18:00:3f:b2:df:98:e8:ec:76:5c:07:ef:83:ab:
        67:bb:c0:66:c7:45:cc:e0:ed:e0:3f:ff:04:43:17:9b:f2:63:
        99:e7:28:5f:12:bf:e7:25:4f:11:f6:a2:16:fb:fb:f9:e5:49:
        2e:f5:49:65:f8:a0:bd:c7:7a:ea:31:c4:9d:d3:44:eb:c3:d0:
        b8:18:8f:2c:4c:02:a9:d7:aa:81:e4:59:71:c3:b8:57:26:f1:
        dd:cc:80:50:0f:72:8d:c4:4a:94:61:33:ad:b2:bb:67:99:fe:
        ab:47:7b:33:03:80:9b:d1:45:6d:cb:07:f6:58:b8:84:9c:3b:
        cf:fe:be:e2:b4:2a:ab:b3:eb:00:e5:e7:43:f6:54:c2:8b:ed:
        ac:7f:5d:f8:30:38:f8:8f:e9:cf:eb:9d:c2:df:41:17:8c:4e:
        2e:8d:e9:d7:da:40:16:68:72:bb:9a:bc:7f:05:c8:00:d5:30:
        b5:70:aa:29:83:a2:c2:e5:12:31:ce:4e:fc:37:1e:4a:71:b4:
        74:7c:cb:2c:67:ac:28:e6:62:b4:50:00:a8:80:6b:35:a2:cb:
        cb:d6:1d:dc
----------------------------------------------------------------------

RESULT: Server certification files

o SYSDAT.TCP-IP-AP.nnn.NEW.KEY
  The PEM encoded RSA private key file. KEEP THIS FILE PRIVATE.

o SYSDAT.TCP-IP-AP.nnn.NEW.CERT
  The PEM encoded X.509 certificate file.
  WARNING: Do not use this certificate for real-life/production
           systems.

o SYSDAT.TCP-IP-AP.nnn.NEW.CSR
  The PEM encoded X.509 certificate signing request file which you
  can send to an official Certificate Authority (CA) in order to
  request a real server certificate (signed by this CA instead of
  our demonstration only Snake Oil CA) which later can replace the
  SYSDAT.TCP-IP-AP.nnn.NEW.CERT file.
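
The warning in the log says the Snake Oil certificate must not reach production. As an added example (not part of the original documentation or of the MAKE.CERT procedure), the following Python sketch audits a certificate text dump like the one in STEP 4: it rejoins the lines the terminal wrapped, then flags the test CA as issuer, a Common Name missing from the subjectAltName DNS entries, and short keys. The function names, finding labels and the 2048-bit threshold are assumptions of this example.

```python
import re

# Constructed sample: excerpt of the STEP 4 output, with the transcript's
# terminal line wrapping preserved (continuations start in column 0).
SAMPLE = """\
Certificate:
        Issuer: C = XY, ST = Snake Desert, L = Snake Town, O = Snake Oil, OU = C
ertificate Authority, CN=Snake Oil CA/emailAddress=ca@snakeoil.dom
        Subject: C = DE, ST = Bavaria, L = Munich, O = Fujitsu Technology Soluti
ons GmbH, OU = Internet Services, CN = ftp.ts.fujitsu.com, emailAddress = info@t
s.fujitsu.com
                Public-Key: (2048 bit)
            X509v3 Subject Alternative Name:
                DNS:ftp.ts.fujitsu.com, email:info@ts.fujitsu.com
"""

MIN_KEY_BITS = 2048  # assumption: policy threshold chosen for this example

def unwrap(text):
    """Rejoin wrapped lines: a continuation starts in column 0 (heuristic)."""
    out = []
    for line in text.splitlines():
        if out and line and not line[0].isspace():
            out[-1] += line          # glue the fragment back onto its field
        else:
            out.append(line)
    return out

def audit(text):
    """Return subject CN, SAN DNS names and findings for one certificate dump."""
    lines = unwrap(text)
    joined = "\n".join(lines)
    def field(key):
        # Value of the first line whose label starts with `key`, else "".
        return next((l.split(":", 1)[1] for l in lines
                     if l.strip().startswith(key)), "")
    def cn(dn):
        # Handles both "CN = x, ..." and "CN=x/emailAddress=..." spellings.
        m = re.search(r"\bCN\s*=\s*([^,/]+)", dn)
        return m.group(1).strip() if m else None
    dns = re.findall(r"DNS:([^,\s]+)", joined)
    bits = re.search(r"Public-Key: \((\d+) bit\)", joined)
    subject_cn, findings = cn(field("Subject:")), []
    if cn(field("Issuer:")) == "Snake Oil CA":
        findings.append("issued-by-test-ca")
    if subject_cn not in dns:
        findings.append("cn-not-in-san")
    if bits and int(bits.group(1)) < MIN_KEY_BITS:
        findings.append("weak-key")
    return {"cn": subject_cn, "san_dns": dns, "findings": findings}
```

For the certificate shown in the log, the only finding is `issued-by-test-ca`; an X.509v1 certificate, which has no subjectAltName, would additionally be reported as `cn-not-in-san`.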