HP OpenVMS Systems

Secure Web Server (based on Apache™)

    Chapter 6: Using the Certificate Tool

    HP Secure Web Server provides a simple interface for viewing and creating SSL certificates. The OpenSSL Certificate Tool enables you to perform the most important certification functions with ease. Using it, you can view certificates and certificate requests, create certificate requests, sign your own certificate, create your own certificate authority, and sign client certificate requests. Additional hash functions are included.

    Note: Some OpenSSL commands are beyond the scope of the Certificate Tool. For these, you'll need to use command-line OpenSSL.

    Topics

    Start the tool

    Menu options:

    1. How to view a certificate

    2. How to view a certificate request

    3. How to create a certificate request

    4. How to create a self-signed certificate

    5. How to create a certificate authority

    6. How to sign a certificate request

    7. How to hash certificate authorities

    8. How to hash certificate revocations

    Start the tool

    Run the Certificate Tool with the following command:

    $ @APACHE$COMMON:[000000]APACHE$CERT_TOOL.COM

     

    View a certificate file

    The contents of a certificate associate a public key with the real identity of an individual, server, or other entity, known as the subject. Information about the subject includes identifying information (the distinguished name ), and the public key. It also includes the identification and signature of the Certificate Authority that issued the certificate, and the period of time during which the certificate is valid. It may have additional information (or extensions) as well as administrative information for the Certificate Authority's use, such as a serial number.

    Do the following:

    1. Accept the default file specification (or type a different one for an alternate location) for the certificate directory; the tool lists the files there with a .CRT extension:

    The default directory specification, OPENSSL_ROOT:[CRT], is where certificates you sign are saved. Server certificates installed on your system are in APACHE$COMMON:[CONF.SSL_CRT] or APACHE$SPECIFIC:[CONF.SSL_CRT].

    2. Select a certificate file by entering its number:

    3. View the certificate details:

    -Version SSL 3.0 protocol
    -Serial number Certificates issued by a CA have a serial number that is unique to the certificates issued by that CA.
    -Signature Algorithm
    -Issuer
    -Validity (inception and expiration dates)
    -Public key information

     

    View a certificate request file

    A certificate request file is an unsigned certificate. It can be a server certificate request or a client certificate request.

    Do the following:

    1. Type the file specification of the certificate request directory; the tool lists the files there with a .CSR extension:

    2. Select a certificate request file by entering its number:

    3. View the certificate request details:

    -Subject
    -Public key information
    -Signature Algorithm
    -Issuer
    -Validity (inception and expiration dates)

     

    Create a certificate request

    Creating a certificate request (generating a *.CSR file) is like filling in an application form for a certificate. There are two categories of request:

    • Server certificate request

    This means preparing a certificate file to be signed by a trusted (root) CA in order to authenticate your server. You are the subject of the certificate and the CA you send it to will be the certificate issuer. For example, if you wanted to get a Thawte Server ID, you would create a certificate request and email the contents of this generated file to Thawte. The file you generate is a *.CSR file.

    See also: Thawte free test certificates

    • Client certificate request

    This means preparing client certificate files that you sign and distribute to clients in order to authenticate them. The client is the subject of the certificate and you are the certificate issuer.

    Do the following:

    1. Enter the required information for the certificate:

    -Encrypt Private Key? Using an encrypted private key forces the pass-phrase dialog to appear at startup time, requiring manual input.

    Usage note: Do not use this option if using the mod_ssl directive SSLPassPhraseDialog with the default builtin option.

    -Encryption Bits? 1024 bits is the largest recommended size.

    Explanation: Encryption strength is often described in terms of the size of the keys used to perform the encryption: in general, longer keys provide stronger encryption. Key length is measured in bits. Private key sizes larger than 1024 bits are incompatible with some versions of Netscape Navigator and Microsoft Internet Explorer.

    -Certificate Key File? Use OpenVMS syntax (usually, OPENSSL_ROOT:[KEY]SERVER.KEY)
    -Certificate Request File? Use OpenVMS syntax (usually, OPENSSL_ROOT:[CRT]SERVER.CSR)

    -Country Name? The remaining questions determine your server's Distinguished Name.

    -State or Province Name?
    -City Name?
    -Organization Name?
    -Organization Unit Name?

    -Common Name? Common name usage is different for client certificates than it is for server certificates. The common name on a client certificate is generally the proper name of the individual requesting a certificate. In the case of server certificates, the common name must be the same as your server's DNS host name (or virtual host name, if name-based virtual hosting is used).

    Explanation: Browsers compare the common name in the server certificate with the host name of the server they are connecting to. These must match.

    -Email Address?
    -Display the Certificate?

    Important: All fields must be completed to create a valid certificate request.

    The certificate request is generated after responding to the last question.

    2. View the details of the certificate request (if you chose to display the certificate):

    -Subject

    -Public key information

    -Signature Algorithm

    To see the encoded contents, exit the Certificate Tool and display the CSR file:

    $ TYPE OPENSSL_ROOT:[CSR]SERVER.CSR

    What you see is exactly what the certificate authority requires. Depending on the CA's instructions, you may need to send the file itself or just its contents.

    For example:

    -----BEGIN CERTIFICATE REQUEST-----
    MIIB/TCCAWYCAQAwgbwxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1OZXcgSGFtcHNo
    aXJlMQ8wDQYDVQQHEwZOYXNodWExHjAcBgNVBAoTFUNvbXBhcSBDb21wdXRlciBD
    b3JwLjEcMBoGA1UECxMTT3BlblZNUyBFbmdpbmVlcmluZzEaMBgGA1UEAxMRRkxJ
    UDMuWktPLkRFQy5DT00xKjAoBgkqhkiG9w0BCQEWG3dlYm1hc3RlckBGTElQMy5a
    S08uREVDLkNPTTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0/y8RxuE/COy
    nVpeK00GgvbgFWxX1o89ULQTMVUSwmAzhdzbi3DZL5s85YRGdPVgYW2rWs1t2SQg
    jMSlFTxta/CwW6Vwwn9GmdaJwkqGFxnpw2LmugexLfj+4t97AZyIR2O7gJxCINS5
    CWg3tcn1ZUmqswjkrG8WehUN+2C6IBcCAwEAAaAAMA0GCSqGSIb3DQEBBAUAA4GB
    ABzgiiojPAcojLXGI2OFxJ5apORAHHHAyc0YCuhFXS1Rs2BIXHmM5xQuxk8yitc4
    yViQfHhGDzpDmOwMKkK7t09UjQh9humKEUlAnS4VYLL4VlgenwLybcLLB0Q3aiQN
    UjQw9RrXNWWZYVDenvrOwtbK9dFefb4PlZIAS2/Z4jLP
    -----END CERTIFICATE REQUEST-----

    If sending the contents, copy and paste everything and send to the CA using secure email or the appropriate enrollment form. What the CA returns to you will be a digitally signed certificate.

    For example:

    -----BEGIN CERTIFICATE-----
    MIICeDCCAiICEEdpjxOzmJPyh5TiG8BRA70wDQYJKoZIhvcNAQEEBQAwgakxFjAU
    BgNVBAoTDVZlcmlTaWduLCBJbmMxRzBFBgNVBAsTPnd3dy52ZXJpc2lnbi5jb20v
    cmVwb3NpdG9yeS9UZXN0Q1BTIEluY29ycC4gQnkgUmVmLiBMaWFiLiBMVEQuMUYw
    RAYDVQQLEz1Gb3IgVmVyaVNpZ24gYXV0aG9yaXplZCB0ZXN0aW5nIG9ubHkuIE5v
    IGFzc3VyYW5jZXMgKEMpVlMxOTk3MB4XDTAwMDcwNzAwMDAwMFoXDTAwMDcyMTIz
    NTk1OVowgZAxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1OZXcgSGFtcHNoaXJlMQ8w
    DQYDVQQHFAZOYXNodWExHjAcBgNVBAoUFUNvbXBhcSBDb21wdXRlciBDb3JwLjEc
    MBoGA1UECxQTT3BlblZNUyBFbmdpbmVlcmluZzEaMBgGA1UEAxQRRkxJUDMuWktP
    LkRFQy5DT00wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANP8vEcbhPwjsp1a
    XitNBoL24BVsV9aPPVC0EzFVEsJgM4Xc24tw2S+bPOWERnT1YGFtq1rNbdkkIIzE
    pRU8bWvwsFulcMJ/RpnWicJKhhcZ6cNi5roHsS34/uLfewGciEdju4CcQiDUuQlo
    N7XJ9WVJqrMI5KxvFnoVDftguiAXAgMBAAEwDQYJKoZIhvcNAQEEBQADQQAySLLe
    U7nMLJ+QkRld6iqKjU2VotphPvgWMGsJ+TKqUI4MXaAv0zQxtBni1N8s0LXVNCuJ
    lEzBYjSbgbgEhJJA
    -----END CERTIFICATE-----

    The CA-signed certificate contains the following:

    -Your organization's common name (www.<yourserver>)
    -Additional identifying information (IP and physical address)
    -Your public key
    -Expiration date of the public key
    -Name of the CA that issued the ID
    -A unique serial number. Every certificate issued by a CA has a serial number that is unique to the certificates issued by that CA.
    -CA's digital signature

    Installing certificates

    A signed certificate needs to be installed, along with the key you generated when creating the request, by saving or copying the respective files to their correct directories and restarting the server. For the certificate file, this is either APACHE$COMMON:[CONF.SSL_CRT] or APACHE$SPECIFIC:[CONF.SSL_CRT]. For the key file, this is either APACHE$COMMON:[CONF.SSL_KEY] or APACHE$SPECIFIC:[CONF.SSL_KEY].

    For example:

    $ COPY APACHE$SPECIFIC:[OPENSSL.CRT]SERVER.CRT APACHE$SPECIFIC:[CONF.SSL_CRT]

    $ COPY APACHE$SPECIFIC:[OPENSSL.KEY]SERVER.KEY APACHE$SPECIFIC:[CONF.SSL_KEY]

    See also

    Installing a server certificate

     

    Create a self-signed certificate

    Creating a self-signed certificate is an essential first step after installing CSWS with SSL. The server will not start without a properly signed and installed certificate. The CSWS installation process performs this procedure for you automatically when you run APACHE$CONFIG.COM and choose to enable mod_ssl. Therefore, this command is only required if the certificate file needs to be changed or replaced because it has expired.

    Do the following:

    1. Enter the required information for the self-signed certificate:

    -Encrypt Private Key? Using an encrypted private key forces the Pass Phrase dialog to appear at startup time.

    -Encryption Bits? 1024 bits is the largest recommended size.

    Explanation: Encryption strength is often described in terms of the size of the keys used to perform the encryption: in general, longer keys provide stronger encryption. Key length is measured in bits. Private key sizes larger than 1024 bits are incompatible with some versions of Netscape Navigator and Microsoft Internet Explorer.

    -Certificate Key File? Use OpenVMS syntax (usually, OPENSSL_ROOT:[KEY]SERVER.KEY)
    -Certificate File? Use OpenVMS syntax (usually, OPENSSL_ROOT:[CRT]SERVER.CRT)

    -Country Name? The remaining questions determine your server's Distinguished Name.

    -State or Province Name?
    -City Name?
    -Organization Name?
    -Organization Unit Name?

    -Common Name? This must be the same as your server's DNS host name (or virtual host name, if name-based virtual hosting is used).

    Explanation: Browsers compare the common name in the server certificate with the host name of the server they are connecting to. These must match.

    -Email Address?
    -Display the Certificate?

    Important: All fields must be completed to create a valid self-signed certificate.

    The inception time of a certificate is based on UTC (Coordinated Universal Time). Check with your system administrator that your computer's UTC is set correctly if you want to use the self-signed certificate right away. See: Setting Correct Time Zone Information on Your System.

    The self-signed certificate is generated after responding to the last question.

    2. View the details of the self-signed certificate (if you chose to display the certificate):

    -Version SSL 3.0 protocol
    -Serial number Certificates issued by a CA have a serial number that is unique to the certificates issued by that CA.
    -Signature Algorithm
    -Issuer
    -Validity (inception and expiration dates)

    -Public key information
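The host-name comparison that the two Explanation notes describe (for a certificate request and for a self-signed certificate), as an added example rather than code from the Certificate Tool, mod_ssl or HP. The matching rules it assumes are the ones browsers of that era applied to the common name, including the *.xyz.com wildcard form quoted from the mod_ssl documentation later on this page; current browsers match against the certificate's subjectAltName dNSName entries and no longer fall back to the common name, but the rules for the name string itself are the same. The sample pairs are constructed, the first of them taken from the host name in the certificates shown on this page.

```python
def cn_matches_host(common_name, host):
    """Return True when a server certificate's common name covers the host the client asked for.

    Assumed matching rules (this example's own, written for illustration):
      - names are compared case-insensitively, and a trailing dot is ignored;
      - a plain name matches only itself;
      - a wildcard such as *.xyz.com covers exactly one extra leftmost label, so it
        matches www.xyz.com but neither xyz.com nor a.b.xyz.com;
      - the wildcard must be the whole leftmost label and must leave at least two
        labels after it (no *.com).
    """
    cn, host = common_name.lower().rstrip("."), host.lower().rstrip(".")
    if cn == host:
        return True
    if not cn.startswith("*."):
        return False
    suffix = cn[1:]                                   # "*.xyz.com" -> ".xyz.com"
    if "*" in suffix or suffix.count(".") < 2:        # partial-label or too-broad wildcard
        return False
    if not host.endswith(suffix):
        return False
    leftmost = host[:-len(suffix)]                    # the label the wildcard has to cover
    return leftmost != "" and "." not in leftmost


if __name__ == "__main__":
    # Constructed pairs; the first uses the host name from the certificates shown on this page
    pairs = [("FLIP3.ZKO.DEC.COM", "flip3.zko.dec.com"), ("flip3.zko.dec.com", "www.zko.dec.com"),
             ("*.xyz.com", "www.xyz.com"), ("*.xyz.com", "xyz.com"),
             ("*.xyz.com", "a.b.xyz.com"), ("*.com", "xyz.com")]
    for cn, host in pairs:
        verdict = "match" if cn_matches_host(cn, host) else "MISMATCH (browser warns)"
        print(f"{cn:20} vs {host:20} -> {verdict}")
```

The mismatch cases are exactly the ones that make a browser show its host-name warning, which is why the common name entered at the Certificate Tool's prompt has to be the DNS name clients will type, not a descriptive label.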

     

    Create a certificate authority

    Creating a certificate authority (CA) means you can issue certificates using your own private key. The corresponding CA public key is itself contained within a certificate, called a CA Certificate. You must distribute this certificate to clients for them to access your server. A browser must contain this CA Certificate in its "trusted root library" in order to "trust" certificates signed by the CA's private key.

    Do the following:

    1. Enter the required information to create a certificate authority:

    -PEM Pass Phrase?
    -Confirm PEM Pass Phrase?

    -Encryption Bits? 1024 bits is the largest recommended size.

    Explanation: Encryption strength is often described in terms of the size of the keys used to perform the encryption: in general, longer keys provide stronger encryption. Key length is measured in bits. Private key sizes larger than 1024 bits are incompatible with some versions of Netscape Navigator and Microsoft Internet Explorer.

    -Default Days? The default number of days until expiration for certificates issued by the CA.

    Usage note: A large number, such as 1825 (5 years), is usually appropriate so that certificates signed with this key do not expire too soon.

    -Certificate Key File? Use OpenVMS syntax (usually, OPENSSL_ROOT:[KEY]SERVER_CA.KEY)
    -Certificate File? Use OpenVMS syntax (usually, OPENSSL_ROOT:[CRT]SERVER_CA.CRT)

    -Country Name? The remaining questions determine your server's Distinguished Name.

    Usage note: A certificate authority may define a policy specifying which distinguished names are optional and which are required. It may also place requirements upon the field contents, as may users of certificates. As an example, a Netscape browser requires that the common name for a certificate representing a server has a name that matches a wildcard pattern for the domain name of that server, such as *.xyz.com. Source: mod_ssl Documentation

    -State or Province Name?

    -City Name?
    -Organization Name?
    -Organization Unit Name?

    -Common Name? This can be any text string that you wish to use to identify the authority. It may be generic, such as "CA Authority", or more specific, such as "<NodeName>CA".

    -Email Address?

    -Display the Certificate?

    Important: All fields must be completed to create a valid CA certificate.

    The CA certificate is generated after responding to the last question.

    2. View the details of the certificate authority (if you chose to display the certificate):

    -Version SSL 3.0 protocol
    -Serial number Certificates issued by a CA have a serial number that is unique to the certificates issued by that CA.
    -Signature Algorithm
    -Issuer Your distinguished name
    -Validity (inception and expiration dates)
    -Public key information

     

    Sign a certificate request

    Signing someone else's certificate request is the function of a certificate authority. When you send the signed certificate back, the requester can use it to start their server with the pass phrase they hold. Embedded in the certificate is your public key; it must match the public key you distribute to clients using this server.

    1. Enter the required information to sign a certificate by specifying the following:

    -Certificate File? Use OpenVMS syntax (usually, OPENSSL_ROOT:[CRT]SERVER_CA.CRT)
    -Certificate Key File? Use OpenVMS syntax (usually, OPENSSL_ROOT:[KEY]SERVER_CA.KEY)
    -Certificate Request File? Use OpenVMS syntax (usually, OPENSSL_ROOT:[CSR]SERVER.CSR)
    -Signed Request File? Use OpenVMS syntax (usually, OPENSSL_ROOT:[CRT]SIGNED.CRT)
    -Default Days? The default number of days until the signed certificate expires.
    -PEM Pass Phrase? This is a verification field only. You must use the same pass phrase you used to create the certificate authority (Option 5).

    Important: The inception time of a certificate is based on UTC (Coordinated Universal Time). Check with your system administrator that your computer's UTC is set correctly. See: Setting Correct Time Zone Information on Your System.

    The certificate is signed after responding to the last question.

    2. View the details of the signed certificate (if you chose to display the certificate):

    -Version SSL 3.0 protocol
    -Serial number Certificates issued by a CA have a serial number that is unique to the certificates issued by that CA.
    -Signature Algorithm
    -Issuer Your distinguished name
    -Validity (inception and expiration dates)

    -Public key information

     

    Hash certificate authorities

    This command is required to PEM-encode third-party certificate files and files you create using Option 5 (which by default are named SERVER_CA.CRT). The mod_ssl directives related to CA certificate management (SSLCACertificatePath and SSLCACertificateFile) require hashed files in order to work.

    1. Enter the path in which you have installed your CA files.

    By default, this is: APACHE$ROOT:[CONF.SSL_CRT]*.CRT

    2. Press Return to hash the certificate files at the specified location.

    This example would hash the *.CRT files found in the system-specific configuration. To hash files for a common configuration, you would use APACHE$COMMON instead.

    You can verify the existence of the hashed file in the directory you selected. For example:

    $ DIR APACHE$COMMON:[CONF.SSL_CRT]

    Directory APACHE$COMMON:[CONF.SSL_CRT]

    AE0FEDEE.0;4 DELETE_HASH_FILES.COM;1 SERVER_CA.CRT;4

    Total of 3 files.
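The fields listed under "View a certificate file" (version, serial number, signature algorithm, issuer, validity, public key), the UTC-based validity check the Important notes ask for, and the hashed file name that SSLCACertificatePath looks up (the AE0FEDEE.0 entry in the listing above) can all be derived from a certificate with nothing but the Python standard library. What follows is an added example, not code from the Certificate Tool, OpenSSL or HP; it walks the DER structure of the VeriSign test certificate shown earlier on this page, copied verbatim as its input. The hash it computes is the OpenSSL 0.9.x form (X509_NAME_hash_old: MD5 over the DER-encoded subject name, first four bytes read little-endian), which is what produces names like AE0FEDEE.0; OpenSSL 1.0.0 and later derive the file name from a SHA-1 hash of a canonicalised name instead (openssl x509 -subject_hash versus -subject_hash_old), so the same CA file gets a different name under the two generations. The decoded output also shows why this particular certificate would be rejected by current clients: a 1024-bit RSA key and an MD5-based signature.

```python
import base64
import hashlib
from datetime import datetime, timezone

# Constructed input: the CA-signed certificate shown on this page, copied verbatim
CERT_PEM = """-----BEGIN CERTIFICATE-----
MIICeDCCAiICEEdpjxOzmJPyh5TiG8BRA70wDQYJKoZIhvcNAQEEBQAwgakxFjAU
BgNVBAoTDVZlcmlTaWduLCBJbmMxRzBFBgNVBAsTPnd3dy52ZXJpc2lnbi5jb20v
cmVwb3NpdG9yeS9UZXN0Q1BTIEluY29ycC4gQnkgUmVmLiBMaWFiLiBMVEQuMUYw
RAYDVQQLEz1Gb3IgVmVyaVNpZ24gYXV0aG9yaXplZCB0ZXN0aW5nIG9ubHkuIE5v
IGFzc3VyYW5jZXMgKEMpVlMxOTk3MB4XDTAwMDcwNzAwMDAwMFoXDTAwMDcyMTIz
NTk1OVowgZAxCzAJBgNVBAYTAlVTMRYwFAYDVQQIEw1OZXcgSGFtcHNoaXJlMQ8w
DQYDVQQHFAZOYXNodWExHjAcBgNVBAoUFUNvbXBhcSBDb21wdXRlciBDb3JwLjEc
MBoGA1UECxQTT3BlblZNUyBFbmdpbmVlcmluZzEaMBgGA1UEAxQRRkxJUDMuWktP
LkRFQy5DT00wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANP8vEcbhPwjsp1a
XitNBoL24BVsV9aPPVC0EzFVEsJgM4Xc24tw2S+bPOWERnT1YGFtq1rNbdkkIIzE
pRU8bWvwsFulcMJ/RpnWicJKhhcZ6cNi5roHsS34/uLfewGciEdju4CcQiDUuQlo
N7XJ9WVJqrMI5KxvFnoVDftguiAXAgMBAAEwDQYJKoZIhvcNAQEEBQADQQAySLLe
U7nMLJ+QkRld6iqKjU2VotphPvgWMGsJ+TKqUI4MXaAv0zQxtBni1N8s0LXVNCuJ
lEzBYjSbgbgEhJJA
-----END CERTIFICATE-----"""

OIDS = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST", "2.5.4.10": "O",
        "2.5.4.11": "OU", "1.2.840.113549.1.9.1": "emailAddress", "1.2.840.113549.1.1.1": "rsaEncryption",
        "1.2.840.113549.1.1.4": "md5WithRSAEncryption", "1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}

def pem_to_der(pem):
    """Drop the BEGIN/END armour lines and base64-decode the body."""
    return base64.b64decode("".join(l.strip() for l in pem.splitlines() if not l.startswith("-----")))

def tlv(buf, pos=0):
    """Read one DER element at buf[pos]; returns (tag, value, end). Handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield the elements inside a SEQUENCE/SET value as (tag, value, raw TLV bytes)."""
    pos = 0
    while pos < len(value):
        tag, val, end = tlv(value, pos)
        yield tag, val, value[pos:end]
        pos = end

def decode_oid(b):
    arcs, acc = [str(b[0] // 40), str(b[0] % 40)], 0
    for byte in b[1:]:                        # base-128 arcs; high bit set means more octets follow
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)

def algorithm_name(alg_id):
    """AlgorithmIdentifier ::= SEQUENCE { OID, parameters }; returns the OID's short name."""
    oid = decode_oid(next(children(alg_id))[1])
    return OIDS.get(oid, oid)

def decode_name(name):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value string }; rendered as C=../CN=.."""
    parts = []
    for _, rdn, _ in children(name):
        for _, atv, _ in children(rdn):
            (_, oid, _), (_, text, _) = children(atv)
            parts.append(f"{OIDS.get(decode_oid(oid), decode_oid(oid))}={text.decode('latin-1')}")
    return "/".join(parts)

def describe_key(spki):
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING holding RSAPublicKey }."""
    (_, alg, _), (_, bits, _) = children(spki)
    _, rsakey, _ = tlv(bits, 1)               # skip the BIT STRING's unused-bits octet
    (_, modulus, _), _ = children(rsakey)     # RSAPublicKey ::= SEQUENCE { modulus, publicExponent }
    return f"{algorithm_name(alg)} {int.from_bytes(modulus, 'big').bit_length()} bits"

def parse_certificate(pem):
    """Certificate ::= SEQUENCE { TBSCertificate, signatureAlgorithm, signature }."""
    tbs, alg, _ = [v for _, v, _ in children(tlv(pem_to_der(pem))[1])]
    fields = list(children(tbs))
    version = 1                               # no [0] EXPLICIT Version element means X.509 v1
    if fields[0][0] == 0xA0:
        version, fields = int.from_bytes(tlv(fields[0][1])[1], "big") + 1, fields[1:]
    serial, _, issuer, validity, subject, spki = fields[:6]
    return {"version": version, "serial": serial[1].hex(), "signature_algorithm": algorithm_name(alg),
            "issuer": decode_name(issuer[1]),
            "validity": tuple(v.decode() for _, v, _ in children(validity[1])),
            "subject": decode_name(subject[1]), "public_key": describe_key(spki[1]),
            "subject_der": subject[2]}        # raw DER Name: the input to hash_file_name below

def validity_status(cert, now_utc=None):
    """Compare the UTCTime bounds (YYMMDDHHMMSSZ) with a UTC instant given as an ISO 8601
    string such as "2000-07-10T12:00:00"; default is the current UTC time."""
    now = datetime.fromisoformat(now_utc) if now_utc else datetime.now(timezone.utc).replace(tzinfo=None)
    not_before, not_after = (datetime.strptime(t, "%y%m%d%H%M%SZ") for t in cert["validity"])
    return "not yet valid" if now < not_before else "expired" if now > not_after else "valid"

def hash_file_name(name_der, suffix=".0"):
    """OpenSSL 0.9.x name hash (X509_NAME_hash_old): MD5 over the DER Name, first four bytes
    read little-endian, printed as 8 hex digits; ".0" for CA certificates, ".r0" for CRLs."""
    return f"{int.from_bytes(hashlib.md5(name_der).digest()[:4], 'little'):08x}{suffix}"

if __name__ == "__main__":
    cert = parse_certificate(CERT_PEM)
    print({k: v for k, v in cert.items() if k != "subject_der"})
    print("status now:", validity_status(cert, None))
    print("file name for SSLCACertificatePath:", hash_file_name(cert["subject_der"]))
```

Running it prints the same fields the Certificate Tool displays, reports the certificate as expired (its validity window was 7 to 21 July 2000), and gives the HASH.0 name mod_ssl would expect for it in SSLCACertificatePath. CRL files are named the same way from the CRL's issuer name with an .r0 suffix, which the suffix parameter covers. On a system with a current OpenSSL, the old-style value for a CA file can be cross-checked with openssl x509 -in SERVER_CA.CRT -noout -subject_hash_old.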

     

    Hash certificate revocations

    This command is required to PEM-encode third-party certificate revocation lists (CRLs) and ones you create using the OpenSSL command line. The mod_ssl directives related to managing client revocation lists (SSLCARevocationPath and SSLCARevocationFile) require hashed CRL files in order to work.

    1. Install a trusted root CA's CRL file or create your own using the $ OPENSSL CA command.

    2. Enter the path in which you have installed your CRL files.

    By default, the location is: APACHE$ROOT:[CONF.SSL_CRL]*.CRL

    3. Press the Return key to hash the CRL files at the specified location.

    This example would hash the *.CRL files found in the system-specific configuration. If you wanted to hash files for a common configuration, you would use APACHE$COMMON instead.

    You can verify the existence of the hashed file in the directory you selected. For example:

    $ DIR APACHE$SPECIFIC:[CONF.SSL_CRL]

    Directory APACHE$SPECIFIC:[CONF.SSL_CRL]

    AE0FEDEE.R0 CA-BUNDLE.CRL DELETE_HASH_FILES.COM

    Total of 3 files.