HP NonStop SSL Reference Manual page 104

3. Convert the PEM format certificate to DER format. The file "cacert.der" will contain the CA certificate in DER
format.
openssl x509 -inform PEM -outform DER -in ca\cacert.pem -out ca\cacert.der
The "ca" directory now should contain three files: cacert.pem, cakey.pem, and the root certificate cacert.der.
To Generate the Server Certificate
1. First, generate the private key for the server certificate and assign a pass phrase to be used later as value of the
SERVKEYPASS parameter. SSL encryption is based on public key cryptography and always uses a pair of
keys: the private key (generated in this step) and the public key encapsulated in the certificate. The following
command will generate a 4096 bit RSA private key which will be encrypted with the AES256 algorithm. The
file generated is "servkey.pem" where the extension "pem" indicates PEM formatting.
openssl genrsa -aes256 -out server\servkey.pem 4096
2. Create the certificate signing request (CSR). Enter the pass phrase from (1) and supply Country Name, State or
Province Name, Locality Name, Organization Name, Organizational Unit Name, Common Name, and Email
Address. Defaults can be specified in the config file (as in the example). Be sure to list the registered fully
qualified domain name of your server (or your IP address if you don't have one) in the Common Name (CN)
field. This field must be different from the CN field in the CA certificate or else a naming collision will occur
and you'll get errors later on. You can skip the Challenge Password and Optional Company Name prompts.
openssl req -out server\csr.pem -new -key server\servkey.pem
3. Convert the key to PKCS#8 DER format. Specify the pass phrase given in (1) and enter an Encryption
Password. You can make the encryption password the same as the pass phrase. The following command will
produce the server private key file "servkey.der" in DER format.
openssl pkcs8 -topk8 -outform DER -in server\servkey.pem -out server\servkey.der
If the signing request will be submitted to a CA authority, skip to step (6) after having received the signed
server certificate from the CA and placed it in directory "server" as "servcert.pem" (assuming it was returned in
PEM format). The CA root certificate received should be placed in directory "ca" as cacert.pem, and then
converted to DER format using step (3) from "To Generate the CA Certificate".
4. In the base directory "OpenSSL_certificates", create an empty text file with the name given in the config file
directive "database". Also create a file with the name given in the directive "serial", and add a single line
containing a 2-digit hexadecimal serial number (i.e. "01").
The serial number is used in the signed server certificate. Each time you generate a new certificate, especially
before a previously-signed certificate expires, you willl need to increase the serial number by one. Note that it
must be a hexadecimal number.
5. Sign the new CSR with the CA key. Specify the pass phrase given for the root certificate. A signed server
certificate "servcert.pem" with a 365 day validity will be generated.
openssl ca -days 365 -policy policy_anything -keyfile ca\cakey.pem -cert ca\cacert.pem
-in server\csr.pem -out server\servcert.pem
6. Convert the signed certificate to DER format. A file named "servcert.der" will be generated by the following
command.
openssl x509 -inform PEM -outform DER -in server\servcert.pem -out server\servcert.der
The directory "server" should now contain files csr.pem, servkey.pem, servcert.pem, servcert.der, and
servkey.der. There will be a file 01.pem in the "newcerts" directory if "new_certs_dir = newcerts" was given in
the config file. It is identical to servcert.pem in the "server" directory.
7. Transfer the files CACERT, SERVCERT and SERVKEY to the NonStop server. Be sure to select binary
transfer mode. Note that the private key file SERVKEY must NOT be transferred over a plain connection such
as FTP. If NonStop SSL is not already installed, it is recommended to use SFTP for certificate/key transfers.
104 • SSL Reference
HP NonStop SSL Reference Manual