The command procedure SSL$EXAMPLES_SETUP.TEMPLATE (located
in SYS$COMMON:[SYSHLP.EXAMPLES.SSL]) is a template that sets up
the certificate and keys so you can run the example programs included
with HP SSL. SSL$EXAMPLES_SETUP.TEMPLATE does the following:
Creates a Certificate Authority (CA) certificate
Creates server and client certificate requests
The CA signs the two certificate requests
Creates server and client certificates
To execute this command procedure, be sure that SSL$STARTUP.COM
and SSL$UTILS.COM have been run, then remove the comment characters
from the commands.
The following program listing shows SSL$EXAMPLES_SETUP.TEMPLATE.
$!
$! SSL$EXAMPLES_SETUP.COM --
$!
$! This command procedure is actually a template that will show
$! the commands necessary to create certificates and keys for the example
$! programs.
$!
$! Also included in this file are the necessary options to enter into the
$! SSL$CERT_TOOL.COM to create the necessary certificates and keys to the
$! example programs. The SSL$CERT_TOOL.COM is found in SSL$COM. See the
$! documentation for more information about the SSL$CERT_TOOL.COM.
$!
$! 1. Create CA certificate - option 5 in SSL$CERT_TOOL.COM.
$!    This will create a key in one file, named SSL$KEY:SERVER_CA.KEY
$!    by default, and a certificate in another file, named
$!    SSL$CERT:SERVER_CA.CRT by default.
$!
$! 2. Make 2 copies of CA certificate created in step #1.
$!    One should be called server_ca.crt and the other called
$!    client_ca.crt as these are the filenames defined in the
$!    example programs. You will have to exit the SSL$CERT_TOOL.COM
$!    procedure to do this operation from the DCL command line.
$!    For example:
$!    $ COPY SSL$KEY:SERVER_CA.KEY SSL$KEY:CLIENT_CA.KEY
$!    $ COPY SSL$CERT:SERVER_CA.CRT SSL$CERT:CLIENT_CA.CRT
$!
$! 3. Create a server certificate signing request - option 3 in SSL$CERT_TOOL.COM.
$!    The Common Name should be the TCP/IP hostname of the server system.
$!    The default name of the request is SERVER.CSR. The corresponding private
$!    key is named SERVER.KEY.
$!
$! 4. Sign server certificate signing request - option 6 in SSL$CERT_TOOL.COM.
$!    Use the CA certificate, SERVER_CA.CRT, created in step #1 to sign the request
$!    created in step #3. This will create a certificate file, which should be
$!    named SERVER.CRT. This is the name as it is defined in the example programs.
$!
$! 5. Create a client certificate signing request - option 3 in SSL$CERT_TOOL.COM.
$!
$! 6. Sign client certificate signing request - option 6 in SSL$CERT_TOOL.COM.
$!    Use the CA certificate, CLIENT_CA.CRT, created in step #1 to sign the request
$!    created in step #5. This will create a certificate file, which should be
$!    named CLIENT.CRT. This is the name as it is defined in the example programs.
$!
$! 7. These certificates and keys should reside in the same directory as
$!    the example programs.
$!
$!
$!
$!
$! The commands have been changed to use generic data as
$! input. To use these commands, one will have to substitute
$! the generic data with data specific to their site.
$! For example, yourcountry could be changed to US. It is
$! assumed that the SSL startup file, SYS$STARTUP:SSL$STARTUP.COM,
$! and the SSL$COM:SSL$UTILS.COM procedures have been executed.
$!
$!
$! Check to make sure SSL has been started, so
$! we can use the logicals that it defines.
$!
$! $ if f$trnlnm("SSL$ROOT") .eqs. ""
$! $ then
$! $   write sys$output "SSL needs to be started. Execute SYS$STARTUP:SSL$STARTUP,"
$! $   write sys$output "then try this procedure again."
$! $ endif
$!
$! Check to make sure SSL$UTILS has been executed, so
$! we can use the foreign commands that it sets up.
$!
$! $ if f$type(OPENSSL) .eqs. ""
$! $ then
$! $   @SSL$COM:SSL$UTILS
$! $ endif
$!
$! Check to make sure the SERIAL and INDEX files exist.
$! If they don't, create them.
$!
$! $ if f$search ("SSL$ROOT:[DEMOCA]SERIAL.TXT") .eqs. ""
$! $ then
$! $   CREATE SSL$ROOT:[DEMOCA]SERIAL.TXT
$! 01
$! $ endif
$!
$! $ if f$search ("SSL$ROOT:[DEMOCA]INDEX.TXT") .eqs. ""
$! $ then
$! $   CREATE SSL$ROOT:[DEMOCA]INDEX.TXT
$! $ endif
$!
$! Create the CA certificate.
$!
$! $ define/user sys$command sys$input
$! $ openssl req -config ssl$root:[000000]openssl-vms.cnf -new -x509 -days 1825 -
$!     -keyout ssl$key:server_ca.key -out ssl$certs:server_ca.crt
$! yourpassword
$! yourpassword
$! yourcountry
$! yourstate
$! yourcity
$! yourcompany
$! yourdepartment
$! your Certificate Authority certificate
$! firstname.lastname@yourcompany.com
$!
$! Copy the server_ca.* to client_ca.* so that the CA can
$! be loaded on each side.
$!
$! $ copy ssl$key:server_ca.key ssl$key:client_ca.key
$! $ copy ssl$certs:server_ca.crt ssl$certs:client_ca.crt
$!
$! $!
$! $!
$! $! Create the server certificate request.
$! $!
$! $! Note : There is no way to use the value of a
$! $! symbol when you are using the value of a
$! $! symbol as input, as we do below. To get
$! $! around this, we create a .COM on the fly and
$! $! execute the created .COM file to create
$! $! the server certificate.
$! $!
$! $ hostname = f$trnlnm("tcpip$inet_host")
$! $ domain = f$trnlnm("tcpip$inet_domain")
$! $ server_name = hostname + "." + domain
$! $!
$! $ open/write s_com create_s_cert.com
$! $!
$! $ write s_com "$!"
$! $ write s_com "$ define/user sys$command sys$input"
$! $ write s_com "$ openssl req -new -nodes -config ssl$root:[000000]openssl-vms.cnf" -
$!     + " -keyout ssl$key:server.key -out ssl$certs:server.csr"
$! $ write s_com "yourcountry"
$! $ write s_com "yourstate"
$! $ write s_com "yourcity"
$! $ write s_com "yourcompany"
$! $ write s_com "yourdepartment"
$! $ write s_com "''server_name'"
$! $ write s_com "firstname.lastname@yourcompany.com"
$! $ write s_com ""
$! $ write s_com ""
$! $!
$! $ close s_com
$! $ @create_s_cert
$! $ delete create_s_cert.com;
$! $!
$! $!
$! $! Now, sign the server certificate ...
$! $!
$! $ define/user sys$command sys$input
$! $ openssl ca -config ssl$root:[000000]openssl-vms.cnf -cert ssl$certs:server_ca.crt -keyfile ssl$key:server_ca.key -
$!     -out ssl$certs:server.crt -infiles ssl$certs:server.csr
$! yourpassword
$! Y
$! Y
$! $!
$! $!
$! $! Create the client certificate request.
$! $!
$! $ define/user sys$command sys$input
$! $ openssl req -new -nodes -config ssl$root:[000000]openssl-vms.cnf -
$!     -keyout ssl$key:client.key -out ssl$certs:client.csr
$! yourcountry
$! yourstate
$! yourcity
$! yourcompany
$! yourdepartment
$! yourname
$! firstname.lastname@yourcompany.com
$! $!
$! $!
$! $!
$! $! Now, sign the client certificate ...
$! $!
$! $ define/user sys$command sys$input
$! $ openssl ca -config ssl$root:[000000]openssl-vms.cnf -cert ssl$certs:client_ca.crt -keyfile ssl$key:client_ca.key -
$!     -out ssl$certs:client.crt -infiles ssl$certs:client.csr
$! yourpassword
$! Y
$! Y
$! $!
$! $! Let's view the CA certificate.
$! $!
$! $ openssl x509 -noout -text -in ssl$certs:server_ca.crt
$! $!
$! $!
$! $! Let's view the Server Certificate Request.
$! $!
$! $ openssl req -noout -text -in ssl$certs:server.csr
$! $!
$! $! Let's view the Server Certificate.
$! $!
$! $ openssl x509 -noout -text -in ssl$certs:server.crt
$! $!
$! $! Let's view the Client Certificate Request.
$! $!
$! $ openssl req -noout -text -in ssl$certs:client.csr
$! $!
$! $! Let's view the Client Certificate.
$! $!
$! $ openssl x509 -noout -text -in ssl$certs:client.crt
$! $!
$! $!
$! $! Lastly, move the certificates and keys to the directory
$! $! in which you are building/running the examples.
$! $!
$exit
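The same CA, request and signing flow the template drives, as an added example that is not part of the HP SSL kit or its template: a POSIX shell version on stock OpenSSL that runs non-interactively, substitutes "openssl x509 -req" for the template's "openssl ca" (so no DEMOCA serial/index database is needed), and finishes with the "openssl verify" chain check the template does not perform. It assumes openssl is in PATH; the host name server.example.com and the subject fields are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the HP SSL kit: the template's CA -> request -> signed
# certificate flow done non-interactively with stock OpenSSL, plus the chain check
# the template omits. Assumes openssl in PATH and a writable scratch directory;
# "server.example.com" and the subject fields are constructed placeholders.
set -eu

# build_demo_pki DIR HOSTNAME : create CA, server and client material in DIR.
build_demo_pki() {
    dir=$1; host=$2
    mkdir -p "$dir"
    # Step 1: CA key and self-signed CA certificate (template: 1825 days).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1825 \
        -subj "/C=US/ST=yourstate/L=yourcity/O=yourcompany/CN=Demo CA" \
        -keyout "$dir/server_ca.key" -out "$dir/server_ca.crt" 2>/dev/null
    # Step 2: both sides load the same CA, so the template copies it to client_ca.*
    cp "$dir/server_ca.key" "$dir/client_ca.key"
    cp "$dir/server_ca.crt" "$dir/client_ca.crt"
    # Steps 3 and 5: requests; the server CN must be the host name clients use.
    openssl req -new -newkey rsa:2048 -nodes -subj "/C=US/O=yourcompany/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/C=US/O=yourcompany/CN=yourname" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    # Steps 4 and 6: the CA signs each request. "openssl x509 -req" stands in for
    # the template's "openssl ca", which needs the DEMOCA serial/index database.
    openssl x509 -req -days 365 -in "$dir/server.csr" -CA "$dir/server_ca.crt" \
        -CAkey "$dir/server_ca.key" -CAcreateserial -out "$dir/server.crt" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/client.csr" -CA "$dir/client_ca.crt" \
        -CAkey "$dir/client_ca.key" -CAcreateserial -out "$dir/client.crt" 2>/dev/null
}

# verify_demo_pki DIR HOSTNAME : return 0 only if both leaf certificates chain to
# the CA they will be checked against and the server CN matches HOSTNAME.
verify_demo_pki() {
    dir=$1; host=$2
    openssl verify -CAfile "$dir/server_ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    openssl verify -CAfile "$dir/client_ca.crt" "$dir/client.crt" >/dev/null 2>&1 || return 1
    openssl x509 -noout -subject -in "$dir/server.crt" | grep -q "CN *= *$host" || return 1
}

# Usage: sh this_script.sh run   (builds into a temporary directory and reports)
if [ "${1:-}" = run ]; then
    work=$(mktemp -d)
    build_demo_pki "$work" server.example.com
    verify_demo_pki "$work" server.example.com && echo "chain and CN check OK: $work"
fi
```

As with the template, the resulting server.key, client.key and the CA keys are unencrypted files, so they belong only in the directory the example programs read and nowhere shared.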