I notice Rocket is including a copy of OpenSSL 1.0.2c in their ported tools Curl download. With the recent talk about negative aspects of using self-signed certs, I attempted to see if that OpenSSL could be used to generate a root certificate and a user cert chained to that root cert. Looks like it only takes 5 or 6 commands:
#!/bin/sh
# Generate a private root CA and one user certificate chained to it,
# using the OpenSSL 1.0.2c shipped with Rocket's ported curl.
set -e
export CA_NAME=acme.domain.ca
export SSL_HOME=/home/user123/openssl
export OPENSSL_CONF=/home/user123/openssl/conf/openssl.cfg
export SSL_USER=USER123
export SSL_SER=1234
#
# Generate CA Root Cert (self-signed; extensions come from the v3_ca
# section of $OPENSSL_CONF)
openssl genrsa -out "$SSL_HOME/certs/$CA_NAME.key" 2048
openssl req -new -x509 -days 5000 -extensions v3_ca \
    -key "$SSL_HOME/certs/$CA_NAME.key" -out "$SSL_HOME/certs/$CA_NAME.pem"
#
# Generate User Cert in pem and pkcs12 formats: key, CSR (v3_csr section),
# then sign the CSR with the CA key, adding the v3_req extensions
openssl genrsa -out "$SSL_HOME/certs/$SSL_USER.key" 2048
openssl req -new -sha256 -reqexts v3_csr \
    -key "$SSL_HOME/certs/$SSL_USER.key" -out "$SSL_HOME/certs/$SSL_USER.csr"
openssl x509 -req -sha256 -extfile "$OPENSSL_CONF" -extensions v3_req -days 730 \
    -in "$SSL_HOME/certs/$SSL_USER.csr" \
    -CA "$SSL_HOME/certs/$CA_NAME.pem" -CAkey "$SSL_HOME/certs/$CA_NAME.key" \
    -set_serial "$SSL_SER" -out "$SSL_HOME/certs/$SSL_USER.pem"
# Bundle the user cert and key as PKCS#12; the export password is read
# from the first line of password.txt (must be ASCII, not EBCDIC)
openssl pkcs12 -export -in "$SSL_HOME/certs/$SSL_USER.pem" \
    -inkey "$SSL_HOME/certs/$SSL_USER.key" -out "$SSL_HOME/certs/$SSL_USER.p12" \
    -password "file:$SSL_HOME/password.txt"
# End

The PKCS12 certificate created was successfully tested using Curl FTPS. Note that the password.txt file must be in ASCII, not EBCDIC. The only other task is to prepare an openssl.cfg file [ and for IBM to include a working example in their manual(s) ]. I did have a problem trying to define crlDistributionPoints and authorityInfoAccess due to probable ASCII/EBCDIC issues. But those items aren't needed for basic testing.

--
Donald J.
[email protected]

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
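Added example, not from Donald's post and not from Rocket's or IBM's documentation: the post names three config sections (v3_ca, v3_csr, v3_req) but does not show its openssl.cfg, so this script supplies a minimal one, runs the same genrsa/req/x509/pkcs12 sequence, and then does what a practitioner should do before trusting the result: checks that the user cert actually chains to the CA, that its issuer DN equals the CA subject DN, and that the PKCS#12 bundle's MAC verifies with the stored password. The working directory (a mktemp dir), the DN fields, the export password "changeit" and the extension contents are assumptions; USER123 and serial 1234 are taken from the post.

```shell
#!/bin/sh
# Added example (not the original post's script): minimal openssl.cfg with
# the v3_ca / v3_csr / v3_req sections, the same CA + user-cert pipeline,
# and chain / issuer / PKCS#12 verification. Paths, DN fields, the password
# and the extension contents are assumptions.
set -e

# Write the config. prompt=no makes "openssl req" non-interactive; each
# certificate's subject is supplied on the command line with -subj.
write_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
C  = US
O  = Acme Corp
CN = acme.domain.ca

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_csr ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment

[ v3_req ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
EOF
}

# make_ca DIR NAME : self-signed root CA, as in the post's first two commands
make_ca() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -x509 -days 5000 -extensions v3_ca -config "$1/openssl.cfg" \
        -subj "/C=US/O=Acme Corp/CN=$2" -key "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_user DIR CA_NAME USER SERIAL : CSR, CA-signed cert, PKCS#12 bundle
make_user() {
    openssl genrsa -out "$1/$3.key" 2048 2>/dev/null
    openssl req -new -sha256 -reqexts v3_csr -config "$1/openssl.cfg" \
        -subj "/C=US/O=Acme Corp/CN=$3" -key "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -sha256 -extfile "$1/openssl.cfg" -extensions v3_req -days 730 \
        -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" -set_serial "$4" \
        -out "$1/$3.pem" 2>/dev/null
    # password.txt must be plain ASCII (the post's EBCDIC caveat on z/OS)
    printf 'changeit\n' > "$1/password.txt"
    openssl pkcs12 -export -in "$1/$3.pem" -inkey "$1/$3.key" \
        -out "$1/$3.p12" -password "file:$1/password.txt"
}

# chain_ok CA_PEM LEAF_PEM : exit 0 if LEAF_PEM validates against CA_PEM
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# issuer_matches CA_PEM LEAF_PEM : exit 0 if the leaf's issuer DN is the CA subject DN
issuer_matches() {
    ca_subj=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject=//')
    leaf_iss=$(openssl x509 -noout -issuer -in "$2" | sed 's/^issuer=//')
    [ "$ca_subj" = "$leaf_iss" ]
}

# p12_ok P12 PWFILE : exit 0 if the bundle's MAC verifies with the password in PWFILE
p12_ok() {
    openssl pkcs12 -in "$1" -password "file:$2" -noout >/dev/null 2>&1
}

WORK=${WORK:-$(mktemp -d)}
write_config "$WORK/openssl.cfg"
make_ca "$WORK" acme.domain.ca
make_user "$WORK" acme.domain.ca USER123 1234
chain_ok "$WORK/acme.domain.ca.pem" "$WORK/USER123.pem" && echo "USER123 chains to acme.domain.ca"
```

The negative checks matter as much as the positive one: a second CA built the same way, with a different key, must fail chain_ok for the same leaf, and a wrong password must fail p12_ok. That is the difference between a chained cert and a self-signed one: curl (or any client) trusts the leaf only because the CA file it is given contains the key that signed it, not because the names match.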
