
The Correct Procedure for Setting Own Passphrase Using DemoCA

  • October 30, 2015

Problem:

What is the correct procedure for setting the passphrase of my choice when creating the server's private key file when I run the DemoCA tutorial?

Before answering the question, here is some background:

When you first install DemoCA (using DemoCA_setup), you are presented with a form to complete. Those become the DN components. For each certificate that you create, the DN components need to be unique.

When you execute create_srv_req.cmd you are also prompted for some values, which also become DN components. So, when entering this set of values, change at least one of the DN components from what you entered when installing DemoCA.

You are asked to enter a passphrase during this process.

After executing the create_srv_req.cmd you run the sign_srv.cmd. During this part, you are prompted for a passphrase again. Here's the crucial point in this step: sign_srv.cmd does not ask for the passphrase for the server's key. In fact, that would be a huge security exposure; the whole point of the certificate request is that the CA never knows the server's private key (or its passphrase, though that's not technically part of the key anyway and can be changed any time).

What sign_srv.cmd is asking for is the passphrase for the CA's private key. That was set by the installer, and is always "srvrootpwd" (the default), unless you delete the CA created by the DemoCA installer and create a new one, or re-encrypt the CA's private key file manually. Micro Focus does not provide any instructions along those lines.

Resolution:

So, for the answer, the correct procedure is this:

1. Run create_srv_req.cmd.

2. Use the passphrase of your choice for the server's private key file.

3. Make sure the DN components you enter differ from any other set of DN components you've used with this instance of DemoCA. You can look at the index.txt file to see which DNs have been used.

4. Run sign_srv.cmd.

5. Make sure the passphrase you enter is "srvrootpwd", unless you've managed to change the passphrase for the CA's private key. This passphrase is NOT the one used for the server's private key.

You can verify the key and the certificate by using the openssl utility. Specifically, you can do this:

1. The command "openssl rsa -in srvkey.pem -noout -modulus" prompts for the server key file passphrase. Enter the passphrase that you provided to create_srv_req.cmd. If you don't get an error, then you have confirmed this is the correct passphrase.

The key’s modulus is displayed (it is several lines of hexadecimal).

You can run this command from the DemoCA folder.

2. The command "openssl x509 -in srvcert.pem -noout -modulus" displays the modulus from the server certificate. Confirm visually that this matches the modulus from the previous command, which means that there is a high probability that the private key in srvkey.pem matches the public key in srvcert.pem.

You can run this command from the DemoCA folder.
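The same key/certificate check, scripted so the two moduli are compared by digest instead of by eye. This is an added example, not part of the article or of DemoCA; it assumes the openssl command-line tool is on the PATH and takes the key file, its passphrase and the certificate file as arguments.

```shell
#!/bin/sh
# Added example: compare the modulus of an encrypted RSA private key with the
# modulus in a certificate (the check the article performs visually).
# Assumes the openssl CLI is available; file names and passphrases are arguments.

# Digest of the key's modulus line; fails if the file or passphrase is wrong.
key_modulus() {    # $1 = key file, $2 = key passphrase
    m=$(openssl rsa -in "$1" -noout -modulus -passin "pass:$2" 2>/dev/null) || return 1
    printf '%s\n' "$m" | openssl md5
}

# Digest of the certificate's modulus line.
cert_modulus() {   # $1 = certificate file
    m=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 1
    printf '%s\n' "$m" | openssl md5
}

# Exit status: 0 = key and certificate share a modulus, 1 = they differ,
# 2 = the key or certificate could not be read (typically a wrong passphrase).
moduli_match() {   # $1 = key file, $2 = key passphrase, $3 = certificate file
    k=$(key_modulus "$1" "$2") || return 2
    c=$(cert_modulus "$3") || return 2
    [ "$k" = "$c" ]
}

# Usage from the DemoCA folder:
#   sh check_modulus.sh srvkey.pem '<server key passphrase>' srvcert.pem
if [ "$#" -eq 3 ]; then
    if moduli_match "$1" "$2" "$3"; then
        echo "OK: private key matches certificate"
    else
        rc=$?
        [ "$rc" -eq 2 ] && echo "ERROR: cannot read key or certificate (wrong passphrase?)" \
                        || echo "MISMATCH: key and certificate moduli differ"
        exit "$rc"
    fi
fi
```

The passphrase supplied is the one given to create_srv_req.cmd; the CA passphrase ("srvrootpwd") plays no part in this check.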

#EnterpriseDeveloper
#MFDS
