Resolution:
Description:
======
Using OpenSSL to create certificates. Refer to http://www.openssl.org/docs/apps/openssl.html.
Prerequisite:
Modify the openssl.cfg file as needed; the req and ca commands read their defaults (directory layout, subject fields, extensions) from it.
Creating self-signed root CA certificate:
1). If you need to create multiple certificates signed by the same CA, use the "openssl ca" command.
- Create self-signed root CA certificate:
openssl req -new -keyout cakey.pem -out careq.pem
openssl ca -create_serial -out cacert.pem -keyfile cakey.pem -selfsign -extensions v3_ca -in careq.pem
Note: The key file (cakey.pem) is protected by a password. If you need to sign multiple requests at one time, use the "-infiles" option rather than the "-in" option; "-infiles" must be the last option on the command line, because every argument after it is treated as a request file.
Other options to use: -startdate, -enddate, -days, etc.
- Create server certificate request:
openssl req -new -keyout server.key.pem -out server.csr
Note: See step 2 below for how to create the server certificate request (server.csr).
- Sign the request using CA:
openssl ca -in server.csr -out server.cert.pem -keyfile cakey.pem -cert cacert.pem
Note: cacert.pem here plays the role of server_root.cert.pem in step 2 and in the EMS configuration in step 4.
2). Instead of step 1 above, you can also use the steps below to create the certificates.
openssl genrsa -out server_root.key.pem
openssl req -new -key server_root.key.pem -x509 -out server_root.cert.pem
Note: Or use one command instead:
openssl req -new -keyout server_root.key.pem -x509 -out server_root.cert.pem
- Create server certificate request:
openssl genrsa -out server.key.pem
openssl req -new -key server.key.pem -out server.csr
Note: Or use one command instead:
openssl req -new -keyout server.key.pem -out server.csr
- Sign the request using CA:
openssl x509 -req -in server.csr -CAcreateserial -CA server_root.cert.pem -CAkey server_root.key.pem -out server.cert.pem
Note: The server key file "server.key.pem" is protected by a password (in this example, password1). This is the case when the key was generated with a passphrase; "genrsa" only encrypts the key if you add a cipher option such as -aes256.
Other options to use: -days, etc.
3). You can create certificates for the client using the same steps described above. The steps below assume you have already created client.cert.pem, client.key.pem, and client_root.cert.pem.
- Create p12 file for the client.
openssl pkcs12 -export -in client.cert.pem -inkey client.key.pem -out client.p12
Note: You need to enter a password when creating the p12 file (in this example, password2).
Other options to use: -name, etc.
4). Configuration in EMS:
In tibemsd.conf:
ssl_server_identity = C:\TIBCO\ems\<version number>\bin\testcert\server.cert.pem
ssl_server_key = C:\TIBCO\ems\<version number>\bin\testcert\server.key.pem
ssl_password = password1
ssl_trusted = C:\TIBCO\ems\<version number>\bin\testcert\client_root.cert.pem
In the client:
-ssl_trusted server_root.cert.pem
-ssl_identity client.p12
-ssl_password password2
5). To examine the certificates, run the following commands (-nokeys omits the private key from the output):
openssl x509 -in server.cert.pem -text -noout
openssl pkcs12 -in file.p12 -info
openssl pkcs12 -in file.p12 -info -nokeys
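As an added example (not part of the original article or of TIBCO's documentation), the following POSIX shell script runs steps 2, 3 and 5 above non-interactively, so the resulting test certificates are reproducible and can be checked with "openssl verify" instead of by reading "-text" output by eye. The output directory, the subject names, the client key passphrase and the minimal openssl config written by the script are assumptions; the two passwords password1 and password2 are chosen to match the step 4 configuration.

```shell
#!/bin/sh
# Added example, not part of the original TIBCO article: a non-interactive,
# repeatable version of steps 2, 3 and 5 above. Directory, subject names and
# passphrases are assumptions (constructed to match the config in step 4).
set -eu

CERT_DIR="${CERT_DIR:-./testcert}"   # hypothetical output directory
SERVER_KEY_PASS="password1"          # ssl_password in tibemsd.conf (step 4)
CLIENT_KEY_PASS="clientkeypass"      # passphrase on client.key.pem (constructed)
CLIENT_P12_PASS="password2"          # -ssl_password on the EMS client (step 4)

# Minimal openssl config so the example does not depend on the system
# openssl.cfg; v3_ca marks the self-signed roots as CAs so "verify" accepts them.
write_min_config() {
    cat > "$CERT_DIR/openssl-min.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
}

# Self-signed root CA (step 2, first block). $1 = file prefix, $2 = CN.
make_root_ca() {
    openssl genrsa -out "$CERT_DIR/$1.key.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -config "$CERT_DIR/openssl-min.cnf" \
        -extensions v3_ca -key "$CERT_DIR/$1.key.pem" -subj "/CN=$2" \
        -out "$CERT_DIR/$1.cert.pem"
}

# Passphrase-protected key + CSR, signed by a root (step 2, "sign the request").
# $1 = prefix, $2 = CN, $3 = root prefix, $4 = key passphrase.
make_signed_cert() {
    openssl genrsa -aes256 -passout "pass:$4" -out "$CERT_DIR/$1.key.pem" 2048 2>/dev/null
    openssl req -new -config "$CERT_DIR/openssl-min.cnf" -key "$CERT_DIR/$1.key.pem" \
        -passin "pass:$4" -subj "/CN=$2" -out "$CERT_DIR/$1.csr"
    openssl x509 -req -days 365 -in "$CERT_DIR/$1.csr" -CAcreateserial \
        -CA "$CERT_DIR/$3.cert.pem" -CAkey "$CERT_DIR/$3.key.pem" \
        -out "$CERT_DIR/$1.cert.pem" 2>/dev/null
}

# Client identity as PKCS#12 (step 3); -name sets the friendly name.
make_client_p12() {
    openssl pkcs12 -export -in "$CERT_DIR/client.cert.pem" \
        -inkey "$CERT_DIR/client.key.pem" -passin "pass:$CLIENT_KEY_PASS" \
        -passout "pass:$CLIENT_P12_PASS" -name ems-client -out "$CERT_DIR/client.p12"
}

# Exit status 0 if leaf $1 chains to root $2, i.e. the trust relationship that
# ssl_trusted / -ssl_trusted in step 4 rely on.
verify_chain() {
    openssl verify -CAfile "$CERT_DIR/$2.cert.pem" "$CERT_DIR/$1.cert.pem" >/dev/null 2>&1
}

# Subject of a certificate, e.g. "CN=ems-server.example" (step 5, in brief).
cert_subject() {
    openssl x509 -in "$CERT_DIR/$1.cert.pem" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Subject of the certificate stored inside client.p12 (step 5, "-info -nokeys").
p12_subject() {
    openssl pkcs12 -in "$CERT_DIR/client.p12" -nokeys -passin "pass:$CLIENT_P12_PASS" 2>/dev/null \
        | openssl x509 -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

build_all() {
    mkdir -p "$CERT_DIR"
    write_min_config
    make_root_ca server_root "EMS Server Root CA"
    make_root_ca client_root "EMS Client Root CA"
    make_signed_cert server ems-server.example server_root "$SERVER_KEY_PASS"
    make_signed_cert client ems-client.example client_root "$CLIENT_KEY_PASS"
    make_client_p12
}

# Stand-alone use: sh make-ems-certs.sh run
if [ "${1:-}" = run ]; then
    build_all
    verify_chain server server_root && echo "server.cert.pem chains to server_root.cert.pem"
    verify_chain client client_root && echo "client.cert.pem chains to client_root.cert.pem"
    echo "client.p12 holds $(p12_subject)"
fi
```

Run it with "sh make-ems-certs.sh run" and point ssl_server_identity, ssl_server_key and ssl_trusted in tibemsd.conf at the files it writes under the chosen directory. Two design points: the roots use separate files for server and client so that verify_chain against the wrong root fails, which is the check to repeat whenever a certificate is replaced; and passphrases are passed with -passin/-passout only because this is a test setup, since a passphrase on the command line is visible to other users of the machine.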
Environment:
======
ALL
Keywords/Tags:
======
certificates