Advantage Database Server

TLS Certificates

Advantage Concepts


Creating a Self-Signed Certificate for TLS Communications

In order to use Transport Layer Security (TLS), it is necessary to have a digitally signed certificate. These certificates can be purchased through a number of companies such as Thawte, VeriSign, and GeoTrust.

Depending on the usage scenario and requirements, however, you may want to use a self-signed certificate. There are a number of books and web sites that discuss the creation of digital certificates. The following is not meant to be a replacement for that information but rather is a very brief overview of steps that can be used to create a self-signed certificate on a Windows PC.

1. Make sure the OpenSSL command line executable (openssl.exe in Windows) is in your path along with the libraries libeay32.dll and ssleay32.dll.
2. Set the OPENSSL_CONF environment variable to point to your OpenSSL configuration file (openssl.cnf).
3. Edit the configuration file (openssl.cnf) to verify it has the desired settings. Examine all the values in it, particularly the paths and distinguished name information (common name, email address, etc.).
4. Run the commands to create the public and private key for the "certificate authority", the signing request, and the signed certificate. Example commands for doing this are shown in this script.

Example openssl.cnf file

openssl_conf = openssl_init

[openssl_init]
alg_section = algs

[ ca ]
default_ca = MyCertAuth

[ algs ]
fips_mode = yes

[ MyCertAuth ]
dir              = c:/adscert
certificate      = $dir/clientcert.pem
database         = $dir/index.txt
new_certs_dir    = $dir/certs
private_key      = $dir/private/certificateauthoritykey.pem
serial           = $dir/serial

default_crl_days = 7
default_days     = 365
default_md       = sha1

policy           = MyCertAuth_policy
x509_extensions  = certificate_extensions

name_opt        = ca_default            # Subject Name options
cert_opt        = ca_default            # Certificate field options

[ MyCertAuth_policy ]
commonName             = match
stateOrProvinceName    = supplied
countryName            = supplied
emailAddress           = optional
organizationName       = supplied
organizationalUnitName = optional

[ certificate_extensions ]
basicConstraints = CA:false
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

[ req ]
default_bits            = 2048
default_keyfile         = c:/adscert/private/certificateauthoritykey.pem
default_md              = sha1
prompt                  = no
distinguished_name      = root_ca_distinguished_name
x509_extensions         = root_ca_extensions

[ root_ca_distinguished_name ]
commonName              = www.mysite.com
stateOrProvinceName     = ST
countryName             = US
emailAddress            = my@email.com
organizationName        = myorganization

[ root_ca_extensions ]
basicConstraints        = CA:true
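Step 3 above says to examine the configuration before using it. The following is an added example, not part of the Advantage documentation: a small Python checker that parses an openssl.cnf like the one above, expands $dir the way OpenSSL does, and flags the settings a reviewer would want changed before the CA signs anything. The embedded sample is a constructed, trimmed copy of the page's own sections; the WEAK_DIGESTS set and the finding texts are assumptions of this example. Run against that sample it reports the sha1 default_md in both the [MyCertAuth] and [req] sections.

```python
import re

# Constructed sample: the relevant sections of the page's example openssl.cnf, trimmed.
SAMPLE_CNF = """\
[ ca ]
default_ca = MyCertAuth
[ MyCertAuth ]
dir              = c:/adscert
certificate      = $dir/clientcert.pem
default_md       = sha1
x509_extensions  = certificate_extensions
[ certificate_extensions ]
basicConstraints = CA:false
[ req ]
default_bits            = 2048
default_md              = sha1
"""
WEAK_DIGESTS = {"md5", "sha", "sha1"}  # assumption: digests this checker rejects

def parse_cnf(text):
    """Parse openssl.cnf into {section: {key: value}}; $name / ${name} expands from
    keys already defined in the same section, which is how $dir works above."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        if header := re.match(r"^\[\s*(\S+)\s*\]$", line):
            current = header.group(1)
            continue
        key, _, value = line.partition("=")
        expand = lambda m: sections.get(current, {}).get(m.group(1), m.group(0))
        sections.setdefault(current, {})[key.strip()] = re.sub(r"\$\{?(\w+)\}?", expand, value.strip())
    return sections

def check_ca_config(text):
    """Return findings for settings that should be changed before the CA signs anything."""
    cfg = parse_cnf(text)
    ca = cfg.get(cfg.get("ca", {}).get("default_ca", ""), {})  # follow default_ca
    req = cfg.get("req", {})
    findings = []
    for name, section in (("ca", ca), ("req", req)):
        md = section.get("default_md", "").lower()
        if md in WEAK_DIGESTS:
            findings.append(f"{name}: default_md = {md}; use sha256 or stronger")
    if int(req.get("default_bits", "0")) < 2048:
        findings.append("req: default_bits below 2048")
    leaf_ext = cfg.get(ca.get("x509_extensions", ""), {})  # extensions put on issued certs
    if leaf_ext.get("basicConstraints", "").upper() != "CA:FALSE":
        findings.append("ca: issued certificates must carry basicConstraints = CA:false")
    return findings
```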