
Summary This article explains how to set up your own certificate authority (CA), with a self-signed CA certificate, and use it to sign the certificates that Orbix applications exchange
Environment

Orbix 3.3

All Supported Operating Systems

Question/Problem Description What is a CA (certificate authority) and how do I set up my own CA, using OpenSSL, to sign the certificates used by Orbix? (Only the CA certificate itself is self-signed; the certificates it issues are signed by the CA.)
Clarifying Information

Running Orbix in secure mode requires clients and servers to exchange X.509 digital certificates, created with OpenSSL, so that each side can authenticate the other.

Error Message
Defect/Enhancement Number
Cause
Resolution

A CA (certificate authority) is a trusted third party that signs certificates. By signing a certificate, the CA vouches that the public key in the certificate belongs to the subject named in it.

A certificate is signed with the CA's private key. Anyone who holds the CA certificate, which contains the CA's public key, can verify that signature without ever seeing the private key; the private key itself is never placed in any certificate. A separate certificate can be issued for each service within an application.

To set up your own CA, with a self-signed CA certificate and a private key, follow the steps below.

In the openssl.cnf file (ssleay.cnf in some earlier versions of Orbix 3.3.x), located in the Orbix config directory, modify the certificate and private_key fields under the [ CA_default ] header. These two settings are read by openssl ca when you later sign certificates with your CA; the openssl req command used below to create the CA itself does not read them.


For example, to create a CA named demo_ca, modify the following settings in openssl.cnf (or ssleay.cnf) in the [ CA_default ] section so that they point at the files the next step creates:

certificate = $dir/ca/demo_ca.pem
private_key = $dir/ca/demo_ca_pk.pem

Save the file and then use the openssl command as follows:

openssl req -x509 -new -config <Orbix config dir>/openssl.cnf -days 3650 -out <OrbixSSL certificates dir>/ca/demo_ca.pem -keyout <OrbixSSL certificates dir>/ca/demo_ca_pk.pem

The above command prompts you for a pass phrase to protect the CA private key and for the CA distinguished name (Country Name, State or Province Name, Locality Name, Organization Name, Organizational Unit, Common Name, Email Address). The key is generated at the size given by default_bits in openssl.cnf; if that value is below 2048, add -newkey rsa:2048 to the command (or raise default_bits), since shorter RSA keys are no longer considered secure.

After the command completes, the CA certificate demo_ca.pem and the private key file demo_ca_pk.pem are stored in the <OrbixSSL certificates dir>/ca/ directory.

Note that the security of the CA depends entirely on the secrecy of the private key file and its pass phrase: anyone who obtains both can issue certificates that every Orbix application trusting this CA will accept.

Add the newly created CA certificate to the file named by the IT_CA_LIST_FILE configuration variable in the OrbixSSL configuration file, <Orbix config dir>/orbixssl.cfg, on each host that runs secure applications:

OrbixSSL
{
...

   IT_CA_LIST_FILE                = _ca_lists_path "demo_ca_list_1";

...

};

In the example above, edit the file demo_ca_list_1 and append the PEM-encoded certificate from demo_ca.pem (the block from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----). Applications use this list to decide whose signatures they trust, so only CA certificates belong in it.

Do not copy the CA private key (demo_ca_pk.pem) to the hosts where you run the applications. Those hosts only need the CA certificate; the private key is needed only on the machine where certificates are signed.


In the Orbix config directory, edit the file openssl.cnf (or ssleay.cnf in earlier versions of Orbix 3.3). Change the values of the certificate and private_key settings to the locations of the files demo_ca.pem and demo_ca_pk.pem respectively. In addition, change the values of new_certs_dir, database and serial if necessary. Before signing, make sure the database file exists (it may be empty) and the serial file contains a starting serial number such as 01, because openssl ca refuses to run without them. For example:

# openssl.cnf
dir = /progress/newcerts
certs = $dir
certificate = $certs/ca/demo_ca.pem
private_key = $certs/ca/demo_ca_pk.pem
new_certs_dir = $certs
database = $certs/index.txt
serial = $certs/serial
...

You are now ready to sign certificates with your new CA.
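The whole procedure end to end, as an added example that is not part of this article or of the Orbix product: it builds a CA laid out like the [ CA_default ] section above, appends the CA certificate to a CA list file as the IT_CA_LIST_FILE step does, and then goes one step further than the article by signing a service certificate with the new CA and checking that a relying party accepts it while rejecting a certificate from an unlisted CA. Assumptions: the script writes its own minimal openssl.cnf instead of editing the Orbix one, keys are RSA-2048, and a constructed pass phrase is passed on the command line for the sake of automation (for a real CA, type it at the prompt as the article shows). The function names, the demo_ca and orbix-server subjects, and the directory layout are invented for the example.

```shell
#!/bin/sh
# Added example (not Orbix's or the article's own code): demo CA laid out
# like the [ CA_default ] section above, used to sign and verify a service
# certificate. Assumed: a stand-alone openssl.cnf written here, RSA-2048
# keys, and a constructed pass phrase passed on the command line.
set -eu

CA_PASS="demo-ca-pass-phrase"   # constructed for the example only

# CA directory layout plus a minimal openssl.cnf. Unquoted heredoc: $dir
# expands to the work directory, \$dir stays literal for OpenSSL.
write_ca_config() {
    dir="$1"
    mkdir -p "$dir/ca" "$dir/newcerts"
    : > "$dir/index.txt"      # openssl ca refuses to run without a database
    echo 01 > "$dir/serial"   # and without a starting serial number
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $dir
certificate     = \$dir/ca/demo_ca.pem
private_key     = \$dir/ca/demo_ca_pk.pem
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
default_md      = sha256
default_days    = 365
policy          = policy_demo
x509_extensions = end_entity
[ policy_demo ]
countryName      = optional
organizationName = optional
commonName       = supplied
[ req ]
distinguished_name = req_dn
prompt             = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ end_entity ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF
}

# Step 1: self-signed CA certificate and pass-phrase-protected private key
# (the article's openssl req -x509 command, made non-interactive).
create_ca() {
    write_ca_config "$1"
    openssl req -x509 -new -config "$1/openssl.cnf" -extensions v3_ca \
        -newkey rsa:2048 -days 3650 -subj "/C=US/O=Example/CN=demo_ca" \
        -passout "pass:$CA_PASS" \
        -keyout "$1/ca/demo_ca_pk.pem" -out "$1/ca/demo_ca.pem"
}

# Step 2: the IT_CA_LIST_FILE step: the CA certificate, never its key,
# is appended to the trusted list that the application hosts receive.
add_ca_to_list() {
    cat "$1/ca/demo_ca.pem" >> "$2"
}

# Step 3: a service certificate: CSR on the service's own key, signed by
# the CA with openssl ca, which reads the [ CA_default ] paths above.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/openssl.cnf" \
        -subj "/C=US/O=Example/CN=$2" -keyout "$1/${2}_pk.pem" -out "$1/$2.csr"
    openssl ca -batch -notext -config "$1/openssl.cnf" -passin "pass:$CA_PASS" \
        -in "$1/$2.csr" -out "$1/$2.pem"
}

# Step 4: the relying party's check: the certificate must chain to a CA in
# the list. Matched on the output because OpenSSL 1.0.x exited with status 0
# even when verification failed.
verify_against_list() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

demo_run() {
    work=$(mktemp -d)
    create_ca "$work/demo"
    add_ca_to_list "$work/demo" "$work/demo_ca_list_1"
    issue_cert "$work/demo" orbix-server
    verify_against_list "$work/demo_ca_list_1" "$work/demo/orbix-server.pem" \
        && echo "demo/orbix-server.pem accepted: issuer is in the CA list"
    # A second CA with the same name but its own key is not in the list,
    # so a certificate it issues must be rejected.
    create_ca "$work/other"
    issue_cert "$work/other" orbix-server
    verify_against_list "$work/demo_ca_list_1" "$work/other/orbix-server.pem" \
        || echo "other/orbix-server.pem rejected: issuer is not in the CA list"
}

case "${1:-}" in run) demo_run ;; esac
```

Run it as `sh demo_ca.sh run`. The second CA in demo_run is the point of the CA list: it carries the same name as the real one, yet the certificate it issues is rejected because its certificate is not in demo_ca_list_1, which is exactly why the list (and never the private key) is what gets distributed to application hosts.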

Workaround
Notes For further details, please see chapter "Managing certificates" in the "OrbixSSL C Programmer’s and Administrator’s Guide" or "OrbixSSL Java Programmer’s and Administrator’s Guide" available at http://supportline.microfocus.com/productdoc.aspx
Attachment

#Orbix
#Orbix3
#Security
#KnowledgeDocs