With the procedure MAKE.SELF-SIGNED-CERT you can generate a private RSA key (2048 bit) and a related self-signed X.509 certificate. This procedure was created specifically for use with the TLS proxy stunnel (see the interNet Services Administrator Guide) in connection with TLS encrypted MT9750 terminal emulation connections. MAKE.SELF-SIGNED-CERT has the following call parameters:
Parameters for specification of files for private key and self-signed certificate
The parameters KEYFILE, CERTFILE and SERVERFILE specify the files in which the private key, the related self-signed certificate and the combination of the two are stored.
KEYFILE
This parameter specifies the file in which the private 2048 bit RSA key is stored.
The parameter defaults to SYSDAT.TCP-IP-AP.nnn.NEW.KEY.
CERTFILE
This parameter specifies the file in which the generated self-signed certificate is stored.
The parameter defaults to SYSDAT.TCP-IP-AP.nnn.NEW.CERT.
SERVERFILE
In some use cases the private key and the related certificate have to be delivered to the application in a single file. To save effort in such cases, the procedure itself copies both into a single file. The target file is specified with the SERVERFILE parameter.
The parameter defaults to SYSDAT.TCP-IP-AP.nnn.SERVER.PEM.
Parameters for certificate generation
COMMON-NAME
This parameter specifies the Common Name of the self-signed X.509 certificate. With self-signed certificates the Common Name has no particular meaning, but special Common Names can be assigned to make internal administration of the contained public keys easier.
This parameter defaults to 'self-signed server certificate'.
CERT-VALIDITY
This parameter specifies the validity period (in days) of the self-signed X.509 certificate. With self-signed certificates the validity period normally has no particular meaning, so the default can be used unless there are special requirements.
This parameter defaults to 365.
BATCH
This parameter specifies whether the self-signed certificate is generated interactively or not. With interactive generation you can modify some certificate parameters (Country Name, Organization Name and Common Name) in a dialog, whereas in batch mode the fixed certificate parameters "Country Name" = DE, "Organization Name" = Fujitsu and "Common Name" = value of the COMMON-NAME parameter are used. Batch mode is selected with the parameter specification 'YES'.
This parameter defaults to 'NO'.
Procedure run
After the call the procedure proceeds as follows:
- The RSA key pair with 2048 bit key length and a related self-signed certificate are generated.
- The generated certificate is shown in plain text.
- The SHA1 and SHA256 fingerprints of the certificate are computed and displayed.
The fingerprints of the certificate can be used later to verify indirectly the authenticity of the enclosed public key: a certificate whose fingerprint matches the value recorded here contains the same public key.
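The following POSIX shell script is an added example and not part of the original documentation or of the procedure itself: it reproduces the batch-mode run described above with the openssl command line (the procedure invokes its OPENSSL element internally), writes the three result files with restrictive permissions, and adds the later fingerprint comparison. The function names, the argument order and the handling of wrapped or lower-case fingerprint strings are assumptions of this example.

```shell
# Hypothetical shell equivalent of MAKE.SELF-SIGNED-CERT in batch mode (added
# example, not the procedure's own code). Arguments mirror the parameters:
#   make_self_signed_cert KEYFILE CERTFILE SERVERFILE [COMMON-NAME] [CERT-VALIDITY]
make_self_signed_cert() {
    keyfile=$1; certfile=$2; serverfile=$3
    common_name=${4:-"self-signed server certificate"}   # COMMON-NAME default
    days=${5:-365}                                       # CERT-VALIDITY default
    # Batch mode: fixed Country Name and Organization Name, CN from parameter.
    subject="/C=DE/O=Fujitsu/CN=$common_name"
    # STEP 1: 2048-bit RSA key plus self-signed X.509 certificate.
    # KEYFILE and SERVERFILE hold the private key, so they are created with
    # owner-only permissions (umask inside a subshell leaves the caller alone).
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
          -subj "$subject" -keyout "$keyfile" -out "$certfile" 2>/dev/null &&
      # SERVERFILE: private key and certificate combined in one PEM file.
      cat "$keyfile" "$certfile" > "$serverfile" ) || return 1
    # STEP 2: show the certificate in plain text and its fingerprints.
    openssl x509 -in "$certfile" -noout -text
    cert_fingerprint "$certfile" sha1
    cert_fingerprint "$certfile" sha256
}

# Print the colon-separated, upper-case fingerprint of a PEM certificate
# for the given digest (sha1 or sha256), without the "... Fingerprint=" label.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint "-$2" | sed 's/^.*=//'
}

# Compare a certificate's SHA-256 fingerprint with the value noted at
# generation time. Whitespace (for example a terminal line wrap inside the
# value) and letter case are ignored so that a copied value compares reliably.
# Returns 0 on match, 1 otherwise.
verify_fingerprint() {
    actual=$(cert_fingerprint "$1" sha256 | tr -d ' \n' | tr 'a-f' 'A-F')
    expected=$(printf '%s' "$2" | tr -d ' \n\t' | tr 'a-f' 'A-F')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}
```

A mismatch does not tell you which side is wrong; it only tells you that the presented certificate is not the one generated here.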
Example
A recording of a procedure run is shown below. User input is emphasized in bold face (marked here with a leading asterisk).
/CALL-PROCEDURE FROM-FILE=*LIBRARY-ELEMENT(LIBRARY=$TSOS.SYSSPR.TCP-IP-AP.nnn,-
/                                          ELEMENT=MAKE.SELF-SIGNED-CERT)

SSL Certificate Generation Utility
Copyright (c) [...] Fujitsu Technology Solutions GmbH
All Rights Reserved

Generating and displaying self signed certificate
-------------------------------------------------------------------------
STEP 1: Generating key and self-signed X.509 certificate
% BLS0523 ELEMENT 'OPENSSL' [...]
..+............+.+.....+............+...++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++*.+...+...+...+......+.....+.+..+...+...+.........+....
...+.....+....+..+..........+...+..+.......+++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++*.+......+....+..+.+...+++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++
...+...+............+..+.+.....+.....................+......+..........+..+.....
.............+............+.......+...+..+.+..+.+.....+.+.....+.+.........+.....
.+.....+...............+.........+.+.....+....+...++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++*.....+.+++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++*..+....+......+......+.........+...+...+...+.......
.......+.+.....+.+......+........+.+...+..+.+............+.....+..........+..+..
.......+.......+.....+....+...+......+++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]: *DE
Organization Name (e.g. company) [Fujitsu]: *Fujitsu Technology Solutions GmbH
Common Name (e.g. FQDN) [self-signed server certificate]: *Self signed certificate #0123
----------------------------------------------------------------------
STEP 2: Show generated X.509 certificate
% BLS0523 ELEMENT 'OPENSSL' [...]
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1d:88:71:65:35:da:61:ec:45:14:9d:ad:0a:fb:4c:ce:4b:6f:d7:a5
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = DE, O = Fujitsu Technology Solutions GmbH, CN = Self signed certificate #0123
        Validity
            Not Before: May 22 14:57:27 2024 GMT
            Not After : May 22 14:57:27 2025 GMT
        Subject: C = DE, O = Fujitsu Technology Solutions GmbH, CN = Self signed certificate #0123
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c9:69:51:be:97:b5:55:22:90:cb:ca:cd:92:61:
                    c1:72:cf:b0:d6:30:70:72:b8:63:c7:09:58:79:53:
                    6e:c5:a8:fd:cf:7a:64:55:ce:c0:2f:4f:48:79:f7:
                    a4:97:36:ca:15:c4:ab:8b:4f:5f:12:18:04:8a:a2:
                    fe:dc:4b:b9:b3:da:52:2e:c5:47:4a:e1:a0:7e:05:
                    1d:89:9c:7b:ba:3b:90:9e:92:42:67:93:d1:cb:c7:
                    d8:f0:4a:5b:5e:27:50:d7:1f:49:d7:92:ba:54:5a:
                    18:9f:16:81:4d:8b:1d:5b:72:c3:3c:d8:df:d0:9f:
                    92:bd:eb:83:c6:2d:2f:71:ca:93:43:00:6a:c2:79:
                    af:c5:ed:7e:a5:d9:a3:14:6c:76:15:f7:78:cf:b6:
                    b6:f3:ee:e9:d4:6e:93:f2:10:8b:45:df:8a:f4:92:
                    35:08:85:b9:26:21:61:21:b4:06:a6:57:ee:f7:3d:
                    5a:69:67:ca:1d:ec:9c:a8:51:fc:4d:a5:a4:1c:17:
                    d9:81:6b:a7:d4:83:24:64:da:79:bd:33:0a:31:f0:
                    73:8c:0b:2d:2a:14:56:68:e7:56:0b:19:de:bd:d4:
                    77:67:d6:5d:4b:e6:fb:a5:3e:61:a8:b2:5b:86:39:
                    34:2a:9d:58:c1:13:8a:0c:11:25:69:62:5c:5a:c2:
                    bb:97
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                07:7B:89:D9:BE:B0:97:CD:FB:5C:92:CE:09:00:A3:9F:6D:78:70:F0
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        14:ed:ba:ee:70:9b:b5:a8:0a:3e:9b:2e:ba:7a:e3:72:01:04:
        5a:ff:53:e1:ac:be:03:00:22:0e:f6:0e:23:5b:c2:20:b8:ea:
        8f:6e:6a:23:0d:4e:8a:4d:c9:de:01:42:24:ca:86:35:ae:be:
        dc:f4:e3:6e:93:81:8c:4e:f5:af:c3:2c:87:94:67:1f:41:53:
        93:23:dd:2b:a1:21:d4:5b:6e:dd:c4:5f:f5:2a:ee:26:23:b2:
        a3:ca:22:25:5b:53:d1:ed:5d:9e:1d:91:2e:29:1c:b1:03:85:
        7a:b6:9d:23:22:8a:07:72:13:cd:e5:f6:13:2a:f3:a2:13:ce:
        68:fb:18:3a:5b:bf:27:38:a8:5c:14:8d:06:72:26:71:36:04:
        f3:4a:ad:53:26:b3:da:0e:51:df:fa:0c:99:ae:18:9b:61:2b:
        7e:1f:7e:96:1b:9f:17:d5:a6:c0:86:b1:70:24:e5:5e:b3:35:
        cb:cc:87:0f:01:bd:a6:2e:fd:86:59:e5:26:65:5e:68:c3:30:
        43:61:62:e1:d0:eb:f0:cf:c4:71:6b:9f:47:ed:df:87:9e:01:
        10:7b:c4:2e:0d:37:2b:c8:e0:64:e5:fd:76:07:bb:13:70:f1:
        02:76:32:be:43:c7:da:95:c4:55:d9:71:9e:22:18:60:9b:47:
        3b:e6:89:1f
SHA1 Fingerprint=09:0A:E0:D7:8E:4D:F6:F2:73:04:A2:2E:FA:9F:DC:42:49:DC:3F:E6
% BLS0523 ELEMENT 'OPENSSL' [...]
sha256 Fingerprint=C7:7E:D3:46:D1:F9:E0:59:3F:0B:3C:44:A8:57:DD:9C:77:8E:9B:DD:D5:DC:3E:58:66:E6:DC:20:C4:89:F6:5E
----------------------------------------------------------------------
RESULT: Server certification files
o SYSDAT.TCP-IP-AP.nnn.NEW.KEY
  The PEM encoded RSA private key file. KEEP THIS FILE PRIVATE.
o SYSDAT.TCP-IP-AP.nnn.NEW.CERT
  The PEM encoded self-signed X.509 certificate file.
o SYSDAT.TCP-IP-AP.nnn.SERVER.PEM
  The PEM encoded file containing both the private key and the self-signed X.509 certificate file. KEEP THIS FILE PRIVATE.