You can use the MAKE.CERT procedure to generate test certificates and CSRs (RSA keys with 2048 bits or DSA keys with 1024 bits). MAKE.CERT has a number of call parameters, described below.
Parameters for specifying the Snakeoil Certificate Authority (CA)
The parameters CA-SERIALFILE, CA-CERTFILE and CA-KEYFILE specify the files of the Snakeoil CA. With the aid of this CA, generated CSRs can be turned into test certificates that let you test the TLS functionality before you purchase a “proper” certificate. The test certificates issued by this Snakeoil CA must not be used in production, as they are not trustworthy: the private key of this CA is not secret, so anyone who has access to it can issue any certificate they wish, signed by the Snakeoil CA. For the same reason, the Snakeoil root certificate must never be added to the trust store of a production client.
CA-SERIALFILE
This parameter specifies the file in which the serial number of the generated test certificate is stored.
If this file does not exist when the procedure is called, it is created and initialized with a line containing “00”. As this number is entered in the relevant test certificate, and some applications use the serial number to distinguish the certificates issued by a particular CA, this file should not be deleted after it has been generated once. If it is deleted, the same serial number is issued again under the same issuer name, and applications that identify a certificate by issuer and serial number can then no longer tell the two certificates apart.
The parameter defaults to SYSDAT.TCP-IP-AP.nnn.SNAKEOIL.SRL.
CA-CERTFILE
This parameter specifies the file in which the root certificate of the Snakeoil CA is stored.
The parameter defaults to SYSDAT.TCP-IP-AP.nnn.SNAKEOIL.CERT.
CA-KEYFILE
This parameter specifies the file in which the private key of the Snakeoil CA is stored.
The parameter defaults to SYSDAT.TCP-IP-AP.nnn.SNAKEOIL.KEY.
Parameter for specifying the generation data for the DSA key
DSA-PARAMFILE
This parameter specifies the file in which the parameters required for generating a DSA key (the DSA domain parameters p, q and g) are stored.
The parameter defaults to SYSDAT.TCP-IP-AP.nnn.DSAPARAM.
Parameters for specifying the test certificate, private key and CSR
The parameters CERTFILE, KEYFILE and CSRFILE specify the files in which the test certificate, the associated private key and the Certificate Signing Request (CSR) are stored.
CERTFILE
This parameter specifies the file in which the generated test certificate is stored. The name of this file can be specified in the RSA-CERTIFICATE-FILE operand of the FTP installation command (see the “interNet Services Administrator Guide”).
The parameter defaults to SYSDAT.TCP-IP-AP.nnn.NEW.CERT.
KEYFILE
This parameter specifies the file in which the private key belonging to the test certificate and the CSR is stored. The name of this file can be specified in the RSA-KEY-FILE operand of the FTP installation command. The content of this file must be kept secret, especially if you later intend to apply for a production certificate with the associated CSR, because that certificate will be bound to this same private key (see the “interNet Services Administrator Guide”).
The parameter defaults to SYSDAT.TCP-IP-AP.nnn.NEW.KEY.
CSRFILE
This parameter specifies the file in which the CSR is stored. When you wish to obtain a certificate for production use, send this file to a commercial CA. The certificate you receive belongs to the private key in KEYFILE, so that key file must be retained (and kept secret) in the meantime. After you have received the certificate from the CA, reinstall FTP and specify in the RSA-CERTIFICATE-FILE operand the file name of the certificate you received from the CA instead of the test certificate.
The parameter defaults to SYSDAT.TCP-IP-AP.nnn.NEW.CSR.
Parameters for determining the key type and passphrase encryption
KEY-TYPE
This parameter specifies whether an RSA or a DSA key is to be generated (RSA / DSA). Note that DSA certificates are only usable with older TLS versions (TLS 1.3 defines no DSA signature schemes) and that a 1024-bit DSA key is below current strength recommendations, so RSA should be chosen unless DSA is specifically required.
The parameter defaults to RSA.
KEY-ENCRYPTION
This parameter specifies whether the generated RSA or DSA private key is to be encrypted with a passphrase (YES / NO).
Encrypting the private key makes little sense for a server, because the server then prompts for the passphrase at start-up and can no longer be started unattended.
If the generated key is to be used for a client certificate, encrypting the private key can be appropriate.
The parameter defaults to NO.
Procedure run
After it has been called, the procedure performs the following steps:
1) The RSA or DSA key pair is generated, with a length of 2048 bits (RSA) or 1024 bits (DSA).
2) The X.509 CSR is generated. For this purpose the Distinguished Name fields (country, state or province, locality, organization, organizational unit, Common Name and e-mail address) are queried interactively from the calling party.
3) A test certificate is generated from the CSR with the aid of the Snakeoil CA. For this purpose, further information is queried from the calling party:
   - Validity period of the test certificate (in days)
   - Version of the certificate (X.509v1 or X.509v3)
   - If “3” is specified (X.509v3), the DNS name to be placed in the subjectAltName extension is queried. This is generally identical to the Common Name (CN) entered under 2). Current TLS clients match the server name against subjectAltName rather than against the CN, so a server certificate should be generated as X.509v3.
4) The generated certificate is displayed in plain text.
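As an added example that is not part of interNet Services or of the MAKE.CERT procedure, the following POSIX shell script performs the same four steps with plain OpenSSL (1.1.1 or later is assumed): a local test CA, an unencrypted key pair plus CSR, a certificate signed by that CA with a subjectAltName, and a chain and host-name check. It also exercises the two caveats from the parameter descriptions above: the serial file, which is initialised with “00” like CA-SERIALFILE, is incremented by OpenSSL at each signing, and issues a duplicate serial once it has been deleted; and a passphrase-protected key as produced with KEY-ENCRYPTION=YES, which cannot be read without the passphrase. The file names mirror the procedure's defaults, and the “Snake Oil CA” generated here and all subject names are assumptions, not the product's own CA.

```shell
#!/bin/sh
# Added example (not part of interNet Services or MAKE.CERT): the four MAKE.CERT
# steps done with plain OpenSSL, plus checks of the serial file and of an
# encrypted private key. File names mirror the procedure's defaults but are
# assumptions; the "Snake Oil CA" here is generated locally for the demo.
set -eu

WORK=${WORK:-$(mktemp -d)}

# Minimal req config: OpenSSL 1.1.1 insists on a distinguished_name section
# even when -subj is given; prompt=no keeps every step non-interactive.
write_req_config() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Create the local test CA (CA-CERTFILE / CA-KEYFILE) unless it already exists.
make_snakeoil_ca() {           # $1 = work dir
    [ -f "$1/SNAKEOIL.CERT" ] && return 0
    write_req_config "$1/req.cnf"
    openssl req -x509 -config "$1/req.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -keyout "$1/SNAKEOIL.KEY" \
        -out "$1/SNAKEOIL.CERT" -days 365 -sha256 \
        -subj "/C=XY/ST=Snake Desert/L=Snake Town/O=Snake Oil/CN=Snake Oil CA" \
        2>/dev/null
}

# Steps 1-3: key pair + CSR (KEY-ENCRYPTION=NO), then a test certificate signed
# by the CA. The serial file (CA-SERIALFILE) is initialised with "00"; OpenSSL
# increments it before each signing, so the first certificate gets serial 01.
# Prints the hex serial of the new certificate.
make_test_cert() {             # $1 = work dir, $2 = CN and DNS name, $3 = days
    make_snakeoil_ca "$1"
    openssl req -new -config "$1/req.cnf" -newkey rsa:2048 -nodes \
        -keyout "$1/NEW.KEY" -out "$1/NEW.CSR" \
        -subj "/C=DE/ST=Bavaria/L=Munich/O=Example GmbH/CN=$2" 2>/dev/null
    [ -f "$1/SNAKEOIL.SRL" ] || echo 00 > "$1/SNAKEOIL.SRL"
    printf 'subjectAltName=DNS:%s\n' "$2" > "$1/san.cnf"   # X.509v3 SAN
    openssl x509 -req -in "$1/NEW.CSR" -CA "$1/SNAKEOIL.CERT" \
        -CAkey "$1/SNAKEOIL.KEY" -CAserial "$1/SNAKEOIL.SRL" \
        -days "$3" -sha256 -extfile "$1/san.cnf" -out "$1/NEW.CERT" 2>/dev/null
    openssl x509 -in "$1/NEW.CERT" -noout -serial | sed 's/^serial=//'
}

# Chain and host-name check against the test CA; succeeds only if both pass.
verify_test_cert() {           # $1 = work dir, $2 = expected DNS name
    openssl verify -CAfile "$1/SNAKEOIL.CERT" -verify_hostname "$2" \
        "$1/NEW.CERT" >/dev/null 2>&1
}

# KEY-ENCRYPTION=YES equivalent: a passphrase-protected key, which is why a
# server using it cannot start unattended. key_opens_with succeeds only with
# the right passphrase.
make_encrypted_key() {         # $1 = key file, $2 = passphrase
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass "pass:$2" -out "$1" 2>/dev/null
}
key_opens_with() {             # $1 = key file, $2 = passphrase
    openssl pkey -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# Demo run
s1=$(make_test_cert "$WORK" ftp.ts.fujitsu.com 730)
s2=$(make_test_cert "$WORK" ftp.ts.fujitsu.com 730)
echo "serials issued: $s1 $s2 (serial file now holds $(cat "$WORK/SNAKEOIL.SRL"))"
verify_test_cert "$WORK" ftp.ts.fujitsu.com && echo "chain and host name OK"
verify_test_cert "$WORK" other.example || echo "host-name mismatch rejected"
rm "$WORK/SNAKEOIL.SRL"                    # the mistake the text warns about
echo "after deleting the serial file: $(make_test_cert "$WORK" ftp.ts.fujitsu.com 730) (duplicate)"
```

The subjectAltName is supplied at signing time through -extfile, which is where MAKE.CERT queries it; a CSR's own extensions are ignored by openssl x509 -req unless explicitly copied. The host-name check with -verify_hostname shows why an X.509v3 certificate is needed: a v1 certificate has no subjectAltName for the client to match.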
Example
A log from a procedure call is printed below. The values the user entered follow each prompt.
/CALL-PROCEDURE *LIB($.SYSSPR.TCP-IP-AP.nnn,MAKE.CERT)
SSL Certificate Generation Utility
Copyright (c) [...] Fujitsu Technology Solutions, All Rights Reserved
Generating test certificate signed by Snake Oil CA (TEST)
WARNING: Do not use this certificate for real-life/production systems.
However, you can use the generated Certificate Signing Request (CSR)
for requesting a real Server Certificate from a commercial
Certificate Authority (CA).
-------------------------------------------------------------------------
STEP 1: Generating RSA private key (2048 bit)
% BLS0523 ELEMENT 'OPENSSL' [...]
----------------------------------------------------------------------
STEP 2: Generating X.509 certificate signing request
% BLS0523 ELEMENT 'OPENSSL' [...]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Country Name (2 letter code) [DE]: DE
2. State or Province Name (full name) [Bavaria]: Bavaria
3. Locality Name (eg, city) [Munich]: Munich
4. Organization Name (eg, company) [Manufacturer, Ltd]: Fujitsu Technology Solutions GmbH
5. Organizational Unit Name (eg, section) [Marketing]: Internet Services
6. Common Name (eg, FQDN) [www.manufacturer.com]: ftp.ts.fujitsu.com
7. Email Address (eg, name@FQDN) [info@manufacturer.com]: info@ts.fujitsu.com
----------------------------------------------------------------------
STEP 3: Generating X.509 certificate signed by Snake Oil CA
%8. Certificate Validity (days) : 730
%Certificate Version (1 or 3) : 3
%9. subjectAltName:dNSName (eg, FQDN) : ftp.ts.fujitsu.com
% BLS0523 ELEMENT 'OPENSSL' [...]
Certificate request self-signature ok
subject=C = DE, ST = Bavaria, L = Munich, O = Fujitsu Technology Solutions GmbH, OU = Internet Services, CN = ftp.ts.fujitsu.com, emailAddress = info@ts.fujitsu.com
----------------------------------------------------------------------
STEP 4: Show generated X.509 certificate
% BLS0523 ELEMENT 'OPENSSL' [...]
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10 (0xa)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = XY, ST = Snake Desert, L = Snake Town, O = Snake Oil, OU = Certificate Authority, CN = Snake Oil CA, emailAddress = ca@snakeoil.dom
        Validity
            Not Before: May 22 16:25:30 2024 GMT
            Not After : May 22 16:25:30 2026 GMT
        Subject: C = DE, ST = Bavaria, L = Munich, O = Fujitsu Technology Solutions GmbH, OU = Internet Services, CN = ftp.ts.fujitsu.com, emailAddress = info@ts.fujitsu.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:cd:b1:16:04:f0:2c:70:99:e6:ee:1d:81:1e:20:
                    45:20:51:92:0c:34:a5:d4:56:15:06:98:09:bb:2c:
                    2c:3c:9d:03:6c:67:7f:f0:15:a8:87:ae:a2:13:dc:
                    ce:d7:f1:fd:6a:a3:59:96:fb:67:58:77:ff:cc:cf:
                    ff:1e:0c:a6:eb:dd:24:31:24:46:a9:b5:1a:0d:e1:
                    61:dd:84:7a:af:c5:5d:4d:15:d0:dc:7e:48:7d:5a:
                    de:bd:4f:bd:d7:5e:4c:fd:c3:fe:7e:10:44:a9:22:
                    21:cf:46:46:2d:2c:0f:cf:9a:13:d1:0d:03:74:83:
                    c9:40:3f:0d:26:da:d3:76:66:4c:a4:b8:9a:f4:98:
                    d8:14:c0:ef:ee:0b:03:e4:1b:d6:b4:b1:0d:15:a7:
                    20:1d:e4:e4:57:c2:ef:c8:6d:c3:d8:95:d2:b1:67:
                    9b:c3:e1:27:d7:e3:eb:6e:03:b9:18:00:58:45:cf:
                    6b:1c:f8:d9:6d:4f:0f:1a:f4:79:4b:90:7d:7b:43:
                    f7:f8:c2:40:a1:78:dc:20:8f:ec:45:b6:40:4d:53:
                    a2:a7:73:eb:bf:87:21:69:44:fb:b0:79:f2:e5:5a:
                    70:94:46:15:3d:62:b9:92:63:58:78:68:12:ba:f7:
                    72:84:f1:92:d6:91:27:6d:f7:1f:f1:34:f8:79:0d:
                    e2:99
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:ftp.ts.fujitsu.com, email:info@ts.fujitsu.com
            Netscape Comment:
                interNET SERVICES generated test server certificate
            X509v3 Subject Key Identifier:
                2F:92:85:41:E5:93:17:8B:E0:EC:35:49:EC:64:B5:4A:BA:9F:AE:27
            X509v3 Authority Key Identifier:
                DirName:/C=XY/ST=Snake Desert/L=Snake Town/O=Snake Oil/OU=Certificate Authority/CN=Snake Oil CA/emailAddress=ca@snakeoil.dom
                serial:01
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        52:68:85:7e:03:1e:e7:92:93:c9:d2:6a:0b:66:a5:a1:0f:89:
        b5:e8:f0:ee:ab:74:30:6b:90:38:79:ae:9c:19:d0:20:c3:8e:
        9f:25:ea:1b:18:00:3f:b2:df:98:e8:ec:76:5c:07:ef:83:ab:
        67:bb:c0:66:c7:45:cc:e0:ed:e0:3f:ff:04:43:17:9b:f2:63:
        99:e7:28:5f:12:bf:e7:25:4f:11:f6:a2:16:fb:fb:f9:e5:49:
        2e:f5:49:65:f8:a0:bd:c7:7a:ea:31:c4:9d:d3:44:eb:c3:d0:
        b8:18:8f:2c:4c:02:a9:d7:aa:81:e4:59:71:c3:b8:57:26:f1:
        dd:cc:80:50:0f:72:8d:c4:4a:94:61:33:ad:b2:bb:67:99:fe:
        ab:47:7b:33:03:80:9b:d1:45:6d:cb:07:f6:58:b8:84:9c:3b:
        cf:fe:be:e2:b4:2a:ab:b3:eb:00:e5:e7:43:f6:54:c2:8b:ed:
        ac:7f:5d:f8:30:38:f8:8f:e9:cf:eb:9d:c2:df:41:17:8c:4e:
        2e:8d:e9:d7:da:40:16:68:72:bb:9a:bc:7f:05:c8:00:d5:30:
        b5:70:aa:29:83:a2:c2:e5:12:31:ce:4e:fc:37:1e:4a:71:b4:
        74:7c:cb:2c:67:ac:28:e6:62:b4:50:00:a8:80:6b:35:a2:cb:
        cb:d6:1d:dc
----------------------------------------------------------------------
RESULT: Server certification files
o SYSDAT.TCP-IP-AP.nnn.NEW.KEY
  The PEM encoded RSA private key file. KEEP THIS FILE PRIVATE.
o SYSDAT.TCP-IP-AP.nnn.NEW.CERT
  The PEM encoded X.509 certificate file.
  WARNING: Do not use this certificate for real-life/production systems.
o SYSDAT.TCP-IP-AP.nnn.NEW.CSR
  The PEM encoded X.509 certificate signing request file which you can send
  to an official Certificate Authority (CA) in order to request a real server
  certificate (signed by this CA instead of our demonstration only Snake Oil CA)
  which later can replace the SYSDAT.TCP-IP-AP.nnn.NEW.CERT file.