Advantage Database Server

TLS Certificates

Advantage Concepts


Creating a Self-Signed Certificate for TLS Communications

To use Transport Layer Security (TLS), the Advantage server needs a digitally signed certificate. Certificates can be purchased from a number of commercial certificate authorities such as Thawte, VeriSign, and GeoTrust.

Depending on the usage scenario and requirements, however, you may want to use a self-signed certificate instead. A self-signed certificate is appropriate when you control both the server and the clients, because you must distribute your own certificate authority (CA) certificate to every client that is expected to trust the server. There are a number of books and web sites that discuss the creation of digital certificates. The following is not a replacement for that information; it is a brief overview of the steps that can be used to create a self-signed certificate on a Windows PC.


1. Make sure the OpenSSL command line executable (openssl.exe on Windows) is in your path along with its libraries. For OpenSSL 1.0.x these are libeay32.dll and ssleay32.dll; OpenSSL 1.1.x ships them as libcrypto-1_1.dll and libssl-1_1.dll, and OpenSSL 3.x as libcrypto-3.dll and libssl-3.dll (64-bit builds add an -x64 suffix to the name).
2. Set the OPENSSL_CONF environment variable to point to your OpenSSL configuration file (openssl.cnf). Passing -config <file> on each openssl command has the same effect.
3. Edit the configuration file (openssl.cnf) to verify it has the desired settings. Examine all the values in it, particularly the paths and the distinguished name information (common name, email address, etc.). Also create the directories and files the configuration refers to (the certs and private directories, an empty index.txt, and a serial file) before signing anything, because openssl ca does not create them.
4. Run the commands to create the public and private key for the certificate authority, the signing request, and the signed certificate. Example commands for doing this are shown in this script.



Example openssl.cnf file

# Forward slashes in paths are accepted by OpenSSL on Windows.
openssl_conf = openssl_init

[ openssl_init ]
alg_section = algs

[ ca ]
default_ca = MyCertAuth

[ algs ]
# Only valid for OpenSSL 1.0.x builds that include the FIPS Object Module.
# Other builds refuse to load a configuration containing "fips_mode = yes",
# so remove the line on those builds (OpenSSL 3 enables FIPS via providers).
fips_mode = yes

[ MyCertAuth ]
dir              = c:/adscert
certificate      = $dir/clientcert.pem      # the CA certificate; copy it to the clients
database         = $dir/index.txt           # must exist and be empty before the first signing
new_certs_dir    = $dir/certs               # directory must exist
private_key      = $dir/private/certificateauthoritykey.pem
serial           = $dir/serial              # file containing the next serial number, e.g. 01

default_crl_days = 7
default_days     = 365
default_md       = sha256                   # sha1 certificate signatures are rejected by current TLS clients

policy           = MyCertAuth_policy
x509_extensions  = certificate_extensions

name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

[ MyCertAuth_policy ]
# "supplied" requires the field to be present in the request. "match" would
# require it to equal the CA's own value, which rules out a server certificate
# whose common name is the server's host name.
commonName             = supplied
stateOrProvinceName    = supplied
countryName            = supplied
emailAddress           = optional
organizationName       = supplied
organizationalUnitName = optional

[ certificate_extensions ]
basicConstraints = CA:false                 # issued certificates may not sign other certificates

[ req ]
default_bits            = 2048
default_keyfile         = c:/adscert/private/certificateauthoritykey.pem
default_md              = sha256

prompt                  = no

distinguished_name      = root_ca_distinguished_name
x509_extensions         = root_ca_extensions

[ root_ca_distinguished_name ]
# With prompt = no every field listed here is taken literally, and an empty
# value is an error. Fill in commonName, and either fill in emailAddress or
# delete that line (the policy above marks it optional).
commonName              =
stateOrProvinceName     = ST
countryName             = US
emailAddress            =
organizationName        = myorganization

[ root_ca_extensions ]
basicConstraints        = CA:true           # the self-signed certificate is a CA