BTO SSL certificate generator for various BTO products

  • KM00245655
  • 18-Dec-2012
  • 18-Dec-2012

Archived Content: This information is no longer maintained and is provided "as is" for your convenience.

Summary

This is the first release of the BTO SSL certificate generator. It creates SSL certificates for various BTO products (currently ServiceCenter, Service Manager and Release Control) and for the web servers in front of them: Tomcat, Apache httpd and IIS.

Question

Many users have asked for an easy way to generate SSL certificates for various BTO products. Initially there was only the SC-SM SSL certificate generator, which created certificates for ServiceCenter and Service Manager. This is the first version of the BTO SSL certificate generator; it has more options and supports newer versions of OpenSSL and Java.

The following new features are present in this version:

  • OpenSSL 1.0.1c 32-bit and 64-bit executables and DLLs included,
  • Requires Java 6, either 32- or 64-bit, preferably version 1.6.0_37,
  • Can generate both DSA and RSA SSL certificates:
    • DSA keys default to 1024-bit, signed with SHA1withDSA,
    • RSA keys default to 2048-bit, signed with SHA512withRSA,
    (SHA-1 certificate signatures are rejected by current browsers and 1024-bit keys are below current minimums; prefer the RSA option unless a product explicitly requires DSA),
  • PKCS#12 (.pfx) file containing the private key and certificate for use with MS IIS to enable web server encryption,
  • PEM encoded private key and certificate for use with Apache httpd to enable web server encryption,
  • JKS keystore for use with Tomcat to enable web application server encryption,

This new version of the SSL certificate generator has been tested on Windows Server 2008 R2 64-bit, with OpenSSL 1.0.0e (32- and 64-bit) and Java 1.6.0_37 64-bit.

Answer

This document is for advanced users only! Expert knowledge of Windows, batch files and SSL/TLS certificates is required to use this certificate generator.

This quick user guide is written for the files in BTO_Cert_Gen_v1.0_2012-12-18. By default the kit uses the 32-bit OpenSSL executable and its DLLs, ssleay32.dll and libeay32.dll.
To use the 64-bit build of OpenSSL instead, rename the 32-bit files to *.old and rename the *_x64 files to openssl.exe, ssleay32.dll and libeay32.dll. The 64-bit build uses the same file names as the 32-bit one: there are no openssl64.exe, ssleay64.dll or libeay64.dll files.

- download the BTO_Cert_Gen_v1.0_2012-12-18.zip attached to this KM document,

- extract the files to a directory, for example C:\Program Files\BTO SSL Certificate Generator\ (quote the path wherever you use it if it contains spaces),

- set the OPENSSL_CONF Windows environment variable to the configuration file for the type of certificate you want to create (only one value can be active at a time):

  OPENSSL_CONF        %install_path%\DSA\openssl.conf        (for DSA type certificates)
  OPENSSL_CONF        %install_path%\RSA\openssl.conf        (for RSA type certificates)

 - edit the [ req_distinguished_name ] section of that openssl.conf to set the default DN values for your certificates. Change only the following parameters:

  countryName_default
  stateOrProvinceName_default
  localityName_default
  0.organizationName_default
  organizationalUnitName_default
  commonName_default
  emailAddress_default

- open the DSA or RSA server batch file and the matching DSA or RSA client batch file, and set the following parameters in each to make the certificate generators work. %1 is replaced at run time by the FQDN passed as the first argument; keep the other values consistent with the *_default values you set in openssl.conf:

  set JAVA_HOME="<home directory of the Java JRE>"
  set DIST_NAME="CN=%1, OU=<department name>, O=<organisation name>, L=<city name>, S=<state/province name>, C=<2 digit country code>"

- first run the server certificate generator: server_cert_gen_DSA_v2.0.bat for DSA type certificates or server_cert_gen_RSA_v2.0.bat for RSA type certificates.

  The server batch file takes two parameters, %1 and %2: the FQDN of the server machine for which the server certificates are created, and the BTO product code.
  Run the batch file as follows (DSA shown; for RSA use server_cert_gen_RSA_v2.0):

  <C:\..\prompt>server_cert_gen_DSA_v2.0 <FQDN of the server machine> <BTO product code>

- when asked for the DN values, either accept the defaults from the openssl.conf file or enter your own value for each parameter,

- on all other questions answer yes,

- in general, you only need to run the server batch file once per server. For a horizontally scaled system, run the server batch file once for each server. For each distinct server, a new folder named after the FQDN of that server is created in the respective DSA or RSA folder,

- after having run the server certificate generator, run the client certificate generator: client_cert_gen_DSA_v2.0.bat for DSA type certificates or client_cert_gen_RSA_v2.0.bat for RSA type certificates. The client batch file takes three parameters, %1, %2 and %3: the FQDN of the client machine for which the client certificate is created, the FQDN of the server machine this client connects to, and the BTO product code.
  Run the batch file as follows (DSA shown; for RSA use client_cert_gen_RSA_v2.0):

  <C:\..\prompt>client_cert_gen_DSA_v2.0 <FQDN of the client machine> <FQDN of the server machine> <BTO product code>

- answer yes to all questions,

- run the client batch file as many times as necessary, once for each client that needs a client certificate. For the web client you only need one certificate per web application server. For the Eclipse client, each individual client machine needs a unique certificate,

- after having run both the server and client certificate generators, you will find the generated files in the <FQDN>\certs, <FQDN>\csr and <FQDN>\key directories of the respective \DSA or \RSA folder:

 \<FQDN> (<BTO product code>)
          \certs
                   cacerts                                    JKS root certificate keystore for use with the BTO server and clients
                   mycacert_DSA/RSA.pem                       PEM encoded root CA certificate
                   mycacert_DSA/RSA.srl                       root CA certificate serial file
                   <FQDN>_Apache_web_DSA/RSA.pem              PEM encoded private key
                   <FQDN>_Apache_web_DSA/RSA.crt              PEM encoded certificate for use with Apache httpd
                   <FQDN>_IIS_web_cert_DSA/RSA.pfx            PKCS#12 file (private key and certificate) for use with IIS
                   <FQDN>_BTOclientpubkey_DSA/RSA.crt         public key file of the BTO client
                   <FQDN>_BTOclientcert_DSA/RSA.pem           PEM encoded certificate of the BTO client
                   <FQDN>_BTOservercert_DSA/RSA.pem           PEM encoded certificate of the BTO server
          \csr
                   <FQDN>_Apache_web_DSA.csr                  certificate signing request for Apache httpd
                   <FQDN>_BTOclientcert_request_DSA/RSA.csr   certificate signing request for the BTO client
                   <FQDN>_BTOservercert_request_DSA/RSA.csr   certificate signing request for the BTO server
          \key
                   cakey_DSA/RSA.pem                          root CA private key (signs every certificate the kit trusts; keep it private)
                   dsaparam.pem                               DSA key parameter file
                   <FQDN>_Apache_web_DSA/RSA.key              private key for use with Apache httpd
                   <FQDN>_BTOCLIENT_DSA/RSA.keystore          JKS client keystore with the client certificate, for the BTO client
                   <FQDN>_BTOSERVER_DSA/RSA.keystore          JKS server keystore with the server certificate, for both the BTO server and Tomcat
                   trustedclients.keystore                    trusted clients keystore with all client certificates, for the BTO server

- copy the files listed above to their respective directories on the BTO server and BTO clients and into the Tomcat and Apache configuration directories, and import the IIS .pfx file into Windows. Copy only what each machine needs: the root CA private key (cakey_DSA/RSA.pem) signs every certificate the kit trusts and should stay on the machine that runs the generator, and each client keystore should go only to its own client machine,
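The following script is an added example for this procedure, not code from the BTO kit: it reproduces with plain openssl commands what the RSA server and client batch files produce (a self-signed root CA, CA-signed server and client certificates with the FQDN in the subjectAltName, the .srl serial file, the IIS .pfx and, when a JDK keytool is on the PATH, the Tomcat JKS keystore and a cacerts file), and then runs the checks worth doing before any file is copied: the chain verifies against the root, the private key matches the certificate, the signature algorithm is SHA-512 with RSA rather than SHA-1, the key is 2048 bits, and the FQDN is present in the SAN. The hostnames, DN values, file paths and the "changeit" password are placeholders; it writes its own minimal openssl.conf and uses -subj instead of the kit's interactive prompts, and it runs on a POSIX shell with openssl 1.0.2 or later rather than on Windows cmd.

```shell
#!/bin/sh
# Added example (not code from the BTO kit): the RSA flow of the server and
# client batch files redone with plain openssl, followed by acceptance checks.
# Assumes openssl 1.0.2+ on PATH; the JKS step runs only if keytool exists.
# Hostnames, DN values, paths and the "changeit" password are placeholders.
PASS=changeit
DN_BASE="/C=NL/ST=Noord-Holland/L=Amsterdam/O=Example BV/OU=IT"

# Stand-in for the kit's RSA\openssl.conf. The *_default entries mirror the
# [ req_distinguished_name ] parameters the page says to edit (not consulted
# here, since -subj sets the DN); v3_ca marks the self-signed root as a CA,
# without which "openssl verify" refuses to accept it as an issuer.
write_conf() {  # $1 = path of the config file to write
  cat >"$1" <<'EOF'
[ req ]
default_bits       = 2048
default_md         = sha512
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName_default            = NL
stateOrProvinceName_default    = Noord-Holland
localityName_default           = Amsterdam
0.organizationName_default     = Example BV
organizationalUnitName_default = IT
commonName_default             = bto.example.internal
emailAddress_default           = pki@example.internal

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Key + CSR + CA-signed certificate for one FQDN (what the batch files do per
# server or client). $1=workdir $2=FQDN $3=file stem $4=serverAuth|clientAuth
issue() {
  w=$1; ext="$w/csr/$3.ext"
  # Leaf extensions: the FQDN goes into subjectAltName because TLS clients
  # match the host name against the SAN, not the CN.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\nsubjectAltName=DNS:%s\n' "$4" "$2" >"$ext"
  openssl req -new -newkey rsa:2048 -nodes -sha512 -subj "$DN_BASE/CN=$2" \
    -keyout "$w/key/$3.key" -out "$w/csr/$3.csr" || return 1
  # -CAcreateserial writes certs/mycacert_RSA.srl, the kit's serial file
  openssl x509 -req -in "$w/csr/$3.csr" -CA "$w/certs/mycacert_RSA.pem" \
    -CAkey "$w/key/cakey_RSA.pem" -CAcreateserial -days 825 -sha512 \
    -extfile "$ext" -out "$w/certs/$3.crt" || return 1
}

# Whole run: $1=workdir $2=server FQDN $3=client FQDN; returns 0 on success
gen_certs() {
  w=$1; srv=$2; cli=$3
  mkdir -p "$w/certs" "$w/csr" "$w/key" || return 1
  write_conf "$w/openssl.conf"
  OPENSSL_CONF="$w/openssl.conf"; export OPENSSL_CONF   # the page's env-var step
  ca="$w/certs/mycacert_RSA.pem"
  # 1. self-signed root CA (mycacert_RSA.pem / cakey_RSA.pem)
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha512 -days 3650 \
    -extensions v3_ca -subj "$DN_BASE/CN=BTO Root CA" \
    -keyout "$w/key/cakey_RSA.pem" -out "$ca" || return 1
  # 2. server certificate (Apache PEM files), 3. client certificate for mutual TLS
  issue "$w" "$srv" "${srv}_Apache_web_RSA" serverAuth || return 1
  issue "$w" "$cli" "${cli}_BTOclientcert_RSA" clientAuth || return 1
  # 4. PKCS#12 for IIS: key, certificate and issuing CA in one protected file.
  #    OpenSSL 3 defaults to AES-256/PBKDF2 here, which old Windows releases
  #    such as Server 2008 R2 cannot import; add -legacy for those.
  openssl pkcs12 -export -name "$srv" -inkey "$w/key/${srv}_Apache_web_RSA.key" \
    -in "$w/certs/${srv}_Apache_web_RSA.crt" -certfile "$ca" \
    -out "$w/certs/${srv}_IIS_web_cert_RSA.pfx" -passout "pass:$PASS" || return 1
  # 5. JKS for Tomcat and the cacerts trust store, built from the PKCS#12 file
  if command -v keytool >/dev/null 2>&1; then
    keytool -importkeystore -noprompt -srckeystore "$w/certs/${srv}_IIS_web_cert_RSA.pfx" \
      -srcstoretype PKCS12 -srcstorepass "$PASS" -deststoretype JKS \
      -destkeystore "$w/key/${srv}_BTOSERVER_RSA.keystore" -deststorepass "$PASS" || return 1
    keytool -importcert -noprompt -alias btoroot -file "$ca" -storetype JKS \
      -keystore "$w/certs/cacerts" -storepass "$PASS" || return 1
  fi
}

# Acceptance checks before copying: $1=workdir $2=FQDN $3=file stem; 0 = pass
check_cert() {
  w=$1; crt="$w/certs/$3.crt"; key="$w/key/$3.key"
  openssl verify -CAfile "$w/certs/mycacert_RSA.pem" "$crt" >/dev/null 2>&1 \
    || { echo "$3: chain does not verify against the root CA"; return 1; }
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
    || { echo "$3: private key does not match the certificate"; return 1; }
  txt=$(openssl x509 -in "$crt" -noout -text)
  case $txt in *"Signature Algorithm: sha512WithRSAEncryption"*) ;;
    *) echo "$3: unexpected signature algorithm (SHA-1?)"; return 1;; esac
  case $txt in *"(2048 bit)"*) ;; *) echo "$3: key is not 2048 bit"; return 1;; esac
  case $txt in *"DNS:$2"*) ;; *) echo "$3: $2 is not in subjectAltName"; return 1;; esac
  echo "$3: OK"
}

if [ $# -eq 3 ]; then   # usage: sh bto_cert_demo.sh <workdir> <server FQDN> <client FQDN>
  gen_certs "$1" "$2" "$3" && check_cert "$1" "$2" "${2}_Apache_web_RSA" \
    && check_cert "$1" "$3" "${3}_BTOclientcert_RSA"
fi
```

Run it as `sh bto_cert_demo.sh /tmp/bto sm01.example.internal ws01.example.internal`; the directory layout it produces (certs, csr, key, the .srl next to the CA certificate) follows the listing above. The checks are deliberately run against the files on disk rather than against what the commands were told to do, which is what catches a wrong OPENSSL_CONF, a stale .srl file or a certificate issued for the wrong host before it is copied into Tomcat, Apache or IIS.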
 
 
With these files in place, the BTO software product can be configured for SSL encryption between the server and the client. For the product-specific configuration steps, follow the documentation of the respective BTO software product.