Hitachi

JP1 Version 11 JP1/Base User's Guide


6.13.2 Setting up an SSL communication environment on the server side

This subsection describes how to create a private key required on the server side for using SSL communication, and how to issue a server certificate and root certificate. The procedure is as follows:

  1. Creating a private key

  2. Creating a CSR (certificate signing request)

  3. Issuing a server certificate and root certificate

  4. Locating the private key, server certificate, and root certificate

Use OpenSSL commands to create the private key and CSR. For details about the commands, see openssl in 15. Commands.


(1) Creating a private key

  1. Execute the openssl genrsa command to create a private key.

    Create a private key whose length is 2,048 bits. An example of command execution is as follows:

    openssl genrsa -out private-key-file-name 2048

(2) Creating a CSR (certificate signing request)

  1. Execute the openssl req command to create a CSR.

    Create a CSR with the created private key specified. In the following example of command execution, a CSR for a certificate whose effective period is one year is created.

    openssl req -new -days 365 -key private-key-file-name -out CSR-file-name

  2. Enter the DN (distinguished name) to be registered in the certificate interactively.

    Input example of the command prompt window:

    C:\Program Files (x86)\Hitachi\JP1Base\ssl_\32mt\bin>openssl req -new -days 365 -key server.key -out server.csr
    Loading 'screen' into random state - done
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:JP
    State or Province Name (full name) [Some-State]:Kanagawa
    Locality Name (eg, city) []:Yokohama
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Hitachi
    Organizational Unit Name (eg, section) []:JP1
    Common Name (e.g. server FQDN or YOUR name) []:hostjp1.example.com
    Email Address []:
     
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

    The CSR is created.
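
Checks worth running between creating the CSR and sending it to the CA, as an added example that is not part of the JP1/Base manual: it confirms that the key is 2,048 bits, that the CSR verifies and was made from that key, and that the Common Name is the intended host. It assumes a POSIX shell with openssl on PATH; the function names and the temporary directory are hypothetical, and the sample key and CSR are constructed with the DN from the input example.

```shell
#!/bin/sh
# Added example (not from the JP1/Base manual): checks to run on the key and
# CSR before the CSR is sent to the CA. Assumes a POSIX shell with openssl on PATH.

# Size of the RSA key in bits, read from the key's text dump.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p'
}

# Common Name recorded in the CSR subject.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/^.*CN=\([^,]*\).*$/\1/p'
}

# check_csr KEY CSR EXPECTED_CN: returns 0 only if every check passes.
check_csr() {
    key=$1 csr=$2 want_cn=$3
    [ "$(key_bits "$key")" = 2048 ] || { echo "key is not 2048 bits" >&2; return 1; }
    # The CSR's self-signature must verify (message wording differs by OpenSSL version).
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "CSR signature does not verify" >&2; return 1; }
    # The CSR must carry the public half of this private key, not another one.
    [ "$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)" = \
      "$(openssl req -in "$csr" -noout -modulus 2>/dev/null)" ] ||
        { echo "CSR was not made from this key" >&2; return 1; }
    [ "$(csr_cn "$csr")" = "$want_cn" ] ||
        { echo "CSR Common Name is not $want_cn" >&2; return 1; }
}

# Constructed sample: key and CSR with the DN from the input example above.
make_sample() {
    ( umask 077   # keep the private key unreadable to other users
      openssl genrsa -out "$1/server.key" 2048 2>/dev/null
      openssl req -new -key "$1/server.key" -out "$1/server.csr" \
          -subj "/C=JP/ST=Kanagawa/L=Yokohama/O=Hitachi/OU=JP1/CN=hostjp1.example.com" )
}

demo=$(mktemp -d)
make_sample "$demo"
check_csr "$demo/server.key" "$demo/server.csr" hostjp1.example.com && echo "CSR ready to submit"
rm -rf "$demo"
```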

(3) Requesting the issuance of a server certificate and root certificate

Submit the created CSR to the CA (certificate authority) to request the CA to issue a server certificate and root certificate.

(4) Locating the private key, server certificate, and root certificate

Store the private key, server certificate, and root certificate in a folder on the server side. Note that you must match the storage location and file name of each file to those defined in the SSL communication definition file created in 6.13.4 Setting up the communication encryption function of JP1/Base.