Setting up private keys and certificates
About this task
To use SSL authentication on a workstation, you need to create and install the following:
- The private key and the corresponding certificate that identify the workstation in an SSL session.
- The list of certificate authorities that can be trusted by the workstation.
Use the openssl command line utility to:
- Create a file containing pseudo-random generated bytes (TWS.rnd). This file is needed on some operating systems for SSL to function correctly.
- Create a private key.
- Save the password you used to create the key into a file.
- Create a Certificate Signing Request (CSR).
- Send this CSR to a Certificate Authority (CA) for signing, or:
  - Create your own Certificate Authority (CA)
  - Create a self-signed CA certificate (X.509 structure) with the RSA key of your own CA
  - Use your own CA to sign the CSR and create real certificates
These actions will produce the following files that you will install on the workstation(s):
- A private key file (for example, TWS.key). This file must be protected: anyone who obtains it can impersonate the workstation in an SSL session. Save it in a directory that allows read access to the TWS user of the workstation and to nobody else, such as TWA_home/TWS/ssl/TWS.key.
- The corresponding certificate file (for example, TWS.crt). You should save it in a directory that allows read access to the TWS user of the workstation, such as TWA_home/TWS/ssl/TWS.crt.
- A file containing a pseudo-random generated sequence of bytes. You can save it in any directory that allows read access to the TWS user of the workstation, such as TWA_home/TWS/ssl/TWS.rnd.
In addition, you should create the following:
- A file containing the password used to encrypt the private key. Because this file unlocks the key, protect it exactly as you protect TWS.key: save it in a directory that allows read access only to the TWS user of the workstation, such as TWA_home/TWS/ssl/TWS.sth.
- The certificate chain file. It contains the concatenation of the PEM-encoded certificates of the certification authorities that form the certificate chain of the workstation's certificate, starting with the CA that issued the workstation's certificate and optionally continuing up to the root CA. Build it by concatenating the PEM-encoded CA certificate files in certificate chain order.
- The trusted CAs file. It contains the trusted CA certificates to use during authentication. The CAs in this file are also used to build the list of acceptable client CAs passed to the client when the server side of the connection requests a client certificate. This file is simply the concatenation of the various PEM-encoded CA certificate files, in order of preference.
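The whole procedure above, from the private CA through the files to install, as one POSIX shell script. This is an added example, not code from the TWS documentation or the product itself. It assumes a scratch directory in place of TWA_home (override with TWA_HOME), a private CA kept under TWA_home/myCA, the file names TWSchain.crt and TWSTrustedCA.crt for the chain and trusted CAs files, placeholder subject names, and passphrases taken from the environment (demo values if unset). The final step runs the checks a practitioner wants before installing the files: the certificate verifies against the trusted CAs file, and the encrypted key, unlocked with the password file, matches the certificate.

```sh
#!/bin/sh
# Added example, not part of the TWS documentation: walks the procedure above end to end
# with the openssl command line utility. Assumptions: a scratch directory stands in for
# TWA_home (override with TWA_HOME), the private CA lives in TWA_home/myCA, the chain and
# trusted-CA files are named TWSchain.crt and TWSTrustedCA.crt, subject names are
# placeholders, and the passphrases come from the environment (demo values if unset).
set -eu
umask 077                                     # every file we create starts out owner-only

TWA_HOME="${TWA_HOME:-$(mktemp -d)}"
SSL_DIR="$TWA_HOME/TWS/ssl"
CA_DIR="$TWA_HOME/myCA"
CA_PASS="${CA_PASS:-ca-passphrase-demo}"      # assumption: replace with a real secret
TWS_PASS="${TWS_PASS:-tws-passphrase-demo}"   # assumption: replace with a real secret

# Step "Create your own Certificate Authority": an RSA key and a self-signed X.509 CA certificate.
make_ca() {
    mkdir -p "$CA_DIR" "$SSL_DIR"
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$CA_DIR/ca.key" 2048
    openssl req -new -x509 -sha256 -days 1825 \
        -key "$CA_DIR/ca.key" -passin "pass:$CA_PASS" \
        -subj "/O=Example Org/CN=Example TWS CA" -out "$CA_DIR/ca.crt"
}

# Steps "Create TWS.rnd", "Create a private key", "Save the password", "Create a CSR".
# $1 is the workstation's host name, used as the certificate subject.
make_workstation_key() {
    openssl rand -out "$SSL_DIR/TWS.rnd" 1024
    openssl genrsa -aes256 -passout "pass:$TWS_PASS" -rand "$SSL_DIR/TWS.rnd" \
        -out "$SSL_DIR/TWS.key" 2048
    printf '%s\n' "$TWS_PASS" > "$SSL_DIR/TWS.sth"   # the password file: protect it like the key
    chmod 600 "$SSL_DIR/TWS.key" "$SSL_DIR/TWS.sth"
    openssl req -new -sha256 -key "$SSL_DIR/TWS.key" -passin "pass:$TWS_PASS" \
        -subj "/O=Example Org/CN=$1" -out "$SSL_DIR/TWS.csr"
}

# Step "Use your own CA to sign and create real certificates".
sign_csr() {
    openssl x509 -req -sha256 -days 365 -in "$SSL_DIR/TWS.csr" \
        -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" -passin "pass:$CA_PASS" \
        -CAcreateserial -out "$SSL_DIR/TWS.crt"
}

# The chain file (issuing CA upwards) and the trusted CAs file. With a single self-signed
# CA both contain the same one certificate; with an intermediate CA you would append the
# root after it in the chain file and list every CA you trust in the trusted CAs file.
build_trust_files() {
    cat "$CA_DIR/ca.crt" > "$SSL_DIR/TWSchain.crt"
    cat "$CA_DIR/ca.crt" > "$SSL_DIR/TWSTrustedCA.crt"
}

# Checks to run before installing the files: the certificate chains to the trusted CAs
# file, and the encrypted key (unlocked with TWS.sth) has the same modulus as the certificate.
verify_setup() {
    openssl verify -CAfile "$SSL_DIR/TWSTrustedCA.crt" "$SSL_DIR/TWS.crt" >/dev/null
    key_mod=$(openssl rsa -noout -modulus -in "$SSL_DIR/TWS.key" -passin "file:$SSL_DIR/TWS.sth")
    crt_mod=$(openssl x509 -noout -modulus -in "$SSL_DIR/TWS.crt")
    [ "$key_mod" = "$crt_mod" ]
}

make_ca
make_workstation_key "workstation1.example.com"   # assumption: the workstation's host name
sign_csr
build_trust_files
verify_setup
echo "SSL material written under $SSL_DIR"
```

Run it once per workstation, then copy TWS.key, TWS.crt, TWS.rnd, TWS.sth, TWSchain.crt and TWSTrustedCA.crt into TWA_home/TWS/ssl on that workstation, keeping the owner-only permissions. If you send the CSR to an external CA instead, skip make_ca and sign_csr, install the certificate the CA returns as TWS.crt, and build the chain and trusted CAs files from the CA's own certificates.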