$!
$! SSL3$EXAMPLES_SETUP.COM --
$!
$! This command procedure is actually a template that will show
$! the commands necessary to create certificates and keys for the example
$! programs.
$!
$! Also included in this file are the necessary options to enter into the
$! SSL3$CERT_TOOL.COM to create the necessary certificates and keys to the
$! example programs. The SSL3$CERT_TOOL.COM is found in SSL3$COM. See the
$! documentation for more information about the SSL3$CERT_TOOL.COM.
$!
$! 1. Create CA certificate - option 5 in SSL3$CERT_TOOL.COM.
$!    This will create a key in one file, named SSL3$PRIVATE:SERVER_CA.KEY
$!    by default, and a certificate in another file, named
$!    SSL3$ROOT:[DEMOCA]SERVER_CA.CRT by default.
$!
$! 2. Make a second copy of the CA certificate AND of its private key created
$!    in step #1. One pair should be called SERVER_CA.* and the other
$!    CLIENT_CA.*, as these are the filenames defined in the example programs.
$!    Note that both names then refer to the same CA key pair - there is one
$!    CA, not two - so CLIENT_CA.KEY must be protected exactly like
$!    SERVER_CA.KEY. You will have to exit the SSL3$CERT_TOOL.COM procedure
$!    to do this operation from the DCL command line. For example:
$!      $ COPY SSL3$PRIVATE:SERVER_CA.KEY SSL3$PRIVATE:CLIENT_CA.KEY
$!      $ COPY SSL3$ROOT:[DEMOCA]SERVER_CA.CRT SSL3$ROOT:[DEMOCA]CLIENT_CA.CRT
$!
$! 3. Create a server certificate signing request - option 3 in SSL3$CERT_TOOL.COM.
$!    The Common Name should be the TCP/IP hostname of the server system.
$!    The default name of the request is SERVER.CSR. The corresponding private
$!    key is named SERVER.KEY.
$!
$! 4. Sign server certificate signing request - option 6 in SSL3$CERT_TOOL.COM.
$!    Use the CA certificate, SERVER_CA.CRT, created in step #1 to sign the request
$!    created in step #3. This will create a certificate file, which should be
$!    named SERVER.CRT. This is the name as it is defined in the example programs.
$!
$! 5. Create a client certificate signing request - option 3 in SSL3$CERT_TOOL.COM.
$!
$! 6. Sign client certificate signing request - option 6 in SSL3$CERT_TOOL.COM.
$!
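$! Use the CA certificate, CLIENT_CA.CRT, created in step #1 to sign the request
$! created in step #5. This will create a certificate file, which should be
$! named CLIENT.CRT. This is the name as it is defined in the example programs.
$!
$! 7. These certificates and keys should reside in the same directory as
$!    the example programs.
$!
$!
$! The commands have been changed to use generic data as
$! input. To use these commands, one will have to substitute
$! the generic data with data specific to their site.
$! For example, yourcountry could be changed to US. It is
$! assumed that the SSL startup file, SYS$STARTUP:SSL3$STARTUP.COM,
$! and the SSL3$COM:SSL3$UTILS.COM procedures have been executed.
$!
$! NOTE: the CA private-key pass phrase is supplied as the literal data
$! line "yourpassword" below (and again in the signing steps). Once a
$! real pass phrase has been edited in, this procedure itself is a secret:
$! keep the edited copy protected and do not leave it in a shared directory.
$!
$! Check to make sure SSL has been started, so
$! we can use the logicals that it defines.
$! Nothing below can work without SSL3$ROOT, so stop here instead of
$! falling through into the remaining steps with undefined logicals
$! (the original version printed the message and then carried on).
$!
$ if f$trnlnm("SSL3$ROOT") .eqs. ""
$ then
$     write sys$output "SSL needs to be started. Execute @SYS$STARTUP:SSL3$STARTUP,"
$     write sys$output "then try this procedure again."
$     exit 44
$ endif
$!
$! Check to make sure SSL3$UTILS has been executed, so
$! we can use the foreign commands (OPENSSL) that it sets up.
$!
$ if f$type(OPENSSL) .eqs. ""
$ then
$     @SSL3$COM:SSL3$UTILS
$ endif
$!
$! Check to make sure the SERIAL and INDEX files exist.
$! If they don't, create them: SERIAL.TXT with an initial serial of 01,
$! INDEX.TXT empty (presumably the serial/database files that
$! openssl-vms.cnf points "openssl ca" at - confirm against the config).
$!
$ if f$search("SSL3$ROOT:[DEMOCA]SERIAL.TXT") .eqs. ""
$ then
$     CREATE SSL3$ROOT:[DEMOCA]SERIAL.TXT
01
$ endif
$!
$ if f$search("SSL3$ROOT:[DEMOCA]INDEX.TXT") .eqs. ""
$ then
$     CREATE SSL3$ROOT:[DEMOCA]INDEX.TXT
$ endif
$!
$! Create the CA certificate: a self-signed certificate valid for
$! 1825 days (5 years). The data lines that follow answer openssl's
$! prompts in order: the key pass phrase (entered twice), then the
$! subject fields, then the e-mail address.
$!
$ define/user sys$command sys$input
$ openssl req -config ssl3$root:[000000]openssl-vms.cnf -new -x509 -days 1825 -
      -keyout ssl3$key:server_ca.key -out ssl3$certs:server_ca.crt
yourpassword
yourpassword
yourcountry
yourstate
yourcity
yourcompany
yourdepartment
your Certificate Authority certificate
firstname.lastname@yourcompany.com
$!
$! The CA key is the root of trust for every certificate this procedure
$! issues; limit access to SYSTEM and the owner regardless of the
$! directory's default protection.
$!
$ set protection=(s:rwed,o:rwed,g,w) ssl3$key:server_ca.key
$!
$! Copy the server_ca.* to client_ca.* so that the CA can
$! be loaded on each side.
$!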
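$ copy ssl3$key:server_ca.key ssl3$key:client_ca.key
$ copy ssl3$certs:server_ca.crt ssl3$certs:client_ca.crt
$!
$! Both CA names now refer to ONE private key, so the copy needs the same
$! protection as the original: compromise of either file compromises the
$! "server" and the "client" CA alike.
$!
$ set protection=(s:rwed,o:rwed,g,w) ssl3$key:client_ca.key
$!
$!
$! Create the server certificate request.
$!
$! Note : There is no way to use the value of a
$!        symbol when you are using the value of a
$!        symbol as input, as we do below (DCL does not
$!        substitute symbols in data lines). To get
$!        around this, we create a .COM on the fly and
$!        execute the created .COM file to create
$!        the server certificate request.
$!
$! The Common Name is the local host's fully qualified name, built from
$! the TCPIP$INET_HOST and TCPIP$INET_DOMAIN logicals.
$!
$ hostname = f$trnlnm("tcpip$inet_host")
$ domain = f$trnlnm("tcpip$inet_domain")
$ server_name = hostname + "." + domain
$!
$ open/write s_com create_s_cert.com
$!
$ write s_com "$!"
$ write s_com "$ define/user sys$command sys$input"
$ write s_com "$ openssl req -new -nodes -config ssl3$root:[000000]openssl-vms.cnf " -
      + "-keyout ssl3$key:server.key -out ssl3$certs:server.csr"
$ write s_com "yourcountry"
$ write s_com "yourstate"
$ write s_com "yourcity"
$ write s_com "yourcompany"
$ write s_com "yourdepartment"
$ write s_com "''server_name'"
$ write s_com "firstname.lastname@yourcompany.com"
$ write s_com ""
$ write s_com ""
$!
$ close s_com
$ @create_s_cert
$ delete create_s_cert.com;
$!
$! -nodes means SERVER.KEY is written UNENCRYPTED (no pass phrase), which
$! is what lets the example programs load it without prompting. Anyone who
$! can read the file can impersonate the server, so restrict it to SYSTEM
$! and the owner.
$!
$ set protection=(s:rwed,o:rwed,g,w) ssl3$key:server.key
$!
$!
$! Now, sign the server certificate ...
$! Data lines: the CA key pass phrase, then "Y" to sign and "Y" to commit.
$!
$ define/user sys$command sys$input
$ openssl ca -config ssl3$root:[000000]openssl-vms.cnf -cert ssl3$certs:server_ca.crt -keyfile ssl3$key:server_ca.key -
      -out ssl3$certs:server.crt -infiles ssl3$certs:server.csr
yourpassword
Y
Y
$!
$!
$! Create the client certificate request.
$! (Here no symbol is needed in the data lines, so the request can be
$! made directly without a generated .COM file.)
$!
$ define/user sys$command sys$input
$ openssl req -new -nodes -config ssl3$root:[000000]openssl-vms.cnf -
      -keyout ssl3$key:client.key -out ssl3$certs:client.csr
yourcountry
yourstate
yourcity
yourcompany
yourdepartment
yourname
firstname.lastname@yourcompany.com
$!
$! CLIENT.KEY is likewise unencrypted (-nodes); protect it the same way.
$!
$ set protection=(s:rwed,o:rwed,g,w) ssl3$key:client.key
$!
$!
$! Now, sign the client certificate ...
$! Data lines: the CA key pass phrase, then "Y" to sign and "Y" to commit.
$!
$ define/user sys$command sys$input
$ openssl ca -config ssl3$root:[000000]openssl-vms.cnf -cert ssl3$certs:client_ca.crt -keyfile ssl3$key:client_ca.key -
      -out ssl3$certs:client.crt -infiles ssl3$certs:client.csr
yourpassword
Y
Y
$!
$!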
$! Display what was generated, in the order it was produced, so the
$! operator can check subjects, issuers and validity dates before
$! copying anything into the example directory. Only public material
$! (certificates and requests) is printed - never the private keys.
$!
$! CA certificate:
$ openssl x509 -noout -text -in ssl3$certs:server_ca.crt
$!
$! Server certificate request, then the certificate the CA issued for it:
$ openssl req -noout -text -in ssl3$certs:server.csr
$ openssl x509 -noout -text -in ssl3$certs:server.crt
$!
$! Client certificate request, then the certificate the CA issued for it:
$ openssl req -noout -text -in ssl3$certs:client.csr
$ openssl x509 -noout -text -in ssl3$certs:client.crt
$!
$! Lastly, move the certificates and keys to the directory
$! in which you are building/running the examples.
$!
$ exit