Hitachi

JP1 Version 12 JP1/Navigation Platform Setup and Operations Guide


4.10.2 Procedure for creating files required for HTTPS communication

This section describes the procedure for creating files required for HTTPS communication.

Important

The backup/restore commands cannot be used with files created using this procedure. Always make sure to acquire a backup. We also recommend that you back up, as necessary, the certificate signing request (CSR) and any other files that are not required for setting up or starting Navigation Platform.

(1) File creation procedure when issuing server certificates from a CA (certificate authority)

Specify the following values in the user setup property file (ucnp_setup_user.properties):

  1. Perform the following procedure for each encryption method required:

    • Create a private server key.

    • Create a password file.

    • Create a certificate signing request (CSR).

    • Send the certificate signing request (CSR) to the CA.

    • Receive the server certificate and the CA certificate from the CA.

  2. Place the private server key, password file, server certificate, and CA certificate.

(2) File creation procedure when creating a self-signed certificate for verification purposes

Specify the following values in the user setup property file (ucnp_setup_user.properties):

  1. Perform the following procedure for each encryption method required:

    • Create a private server key.

    • Create a password file.

    • Create a certificate signing request (CSR).

    • Create a self-signed certificate.

  2. Place the private server key, password file, and server certificate.

(3) Procedure to create a private server key (RSA encryption method)

Create a PKCS#1 format private web server key using RSA encryption.

If a file already exists at the output path, it is overwritten without confirmation when the command is executed. Back up the existing file before executing the command, if necessary.

  1. Run the following command to create an encrypted private server key (PKCS#1 format).

    Format

    "Navigation-Platform-installation-directory\PP\uCPSB\httpsd\sbin\openssl.bat" genrsa -rand file-path-for-random-number-generation type-of-encryption-used-for-private-key -out output-path-of-private-server-key-file bit-length-of-private-key

    Parameter

    • file-path-for-random-number-generation: Path of any file used for random number generation

      Specify a file of a sufficiently large size for random number generation.

    • type-of-encryption-used-for-private-key: -des or -des3

      If -des is specified, DES (Data Encryption Standard) will be selected as the encryption type.

      If -des3 is specified, Triple DES will be selected as the encryption type.

      This parameter is irrelevant to the type of encryption for communication between the web server and web browsers.

    • output-path-of-private-server-key-file:

      "%UCNP_HOME%\PP\uCPSB\httpsd\conf\ssl\server\httpsdkey.pem" (fixed)

    • bit-length-of-private-key: 2048 (fixed)

    Cautionary note:

    Users will be prompted to enter the pass phrase twice when the command is executed. Enter the same pass phrase twice, from 4 to 64 characters in length. Note that an error will not occur even if a pass phrase of 65 characters or longer is entered.

    Take a note of the pass phrase entered as this will be used again when executing other commands.

    Command execution example

    "%UCNP_HOME%\PP\uCPSB\httpsd\sbin\openssl.bat" genrsa -rand "C:\Windows\System32\notepad.exe" -des -out "%UCNP_HOME%\PP\uCPSB\httpsd\conf\ssl\server\httpsdkey.pem" 2048

(4) Procedure to create a private server key (ECC (elliptic-curve cryptography) method)

Create a PKCS#8 format private web server key using ECC (elliptic-curve cryptography).

If a file already exists at the output path, it is overwritten without confirmation when the command is executed. Back up the existing file before executing the command, if necessary.

  1. Run the following command to create a pre-encryption private server key.

    Format

    "Navigation-Platform-installation-directory\PP\uCPSB\httpsd\sbin\openssl.bat" ecparam -genkey -noout -rand file-path-for-random-number-generation -name elliptic-curve-name -out output-path-of-pre-encryption-private-server-key-file

    Parameter

    • file-path-for-random-number-generation: Path of any file used for random number generation

      Specify a file of a sufficiently large size for random number generation.

    • elliptic-curve-name: P-256 or P-384

      Specify the name of the elliptic curve used for private key generation.

    • output-path-of-pre-encryption-private-server-key-file:

      Specify the path of the file used for input in the following step.

      Because this file contains the unencrypted private server key, take due care to protect it from disclosure.

    Command execution example

    "%UCNP_HOME%\PP\uCPSB\httpsd\sbin\openssl.bat" ecparam -genkey -noout -rand "C:\Windows\System32\notepad.exe" -name P-256 -out "%TEMP%\httpsdkey-ecc-unencrypted.pem"

  2. Run the following command to create an encrypted private server key (PKCS#8 format).

    Format

    "Navigation-Platform-installation-directory\PP\uCPSB\httpsd\sbin\openssl.bat" pkcs8 -topk8 -in path-of-the-pre-encryption-private-server-key-file -out output-path-of-post-encryption-private-server-key-file -v2 private-key-encryption-algorithm

    Parameter

    • path-of-the-pre-encryption-private-server-key-file:

      Specify the file path created in step 1.

    • output-path-of-post-encryption-private-server-key-file:

      "%UCNP_HOME%\PP\uCPSB\httpsd\conf\ssl\server\httpsdkey-ecc.pem" (fixed)

    • private-key-encryption-algorithm: des-cbc or des-ede3-cbc

      Specify the algorithm used for private key encryption.

      This parameter is irrelevant to the type of encryption for communication between the web server and web browsers.

    Cautionary note:

    Users will be prompted to enter the pass phrase twice when the command is executed. Enter the same pass phrase twice, from 4 to 64 characters in length. Note that an error will not occur even if a pass phrase of 65 characters or longer is entered.

    Take a note of the pass phrase entered as this will be used again when executing other commands.

    Command execution example

    "%UCNP_HOME%\PP\uCPSB\httpsd\sbin\openssl.bat" pkcs8 -topk8 -in "%TEMP%\httpsdkey-ecc-unencrypted.pem" -out "%UCNP_HOME%\PP\uCPSB\httpsd\conf\ssl\server\httpsdkey-ecc.pem" -v2 des-cbc

(5) Procedure for creating a password file

Create the password file corresponding to the private server key.

This procedure assumes that a private server key has already been created. This procedure applies to both RSA encryption-type and ECC-type private server keys.

If a file already exists at the output path, it is overwritten without confirmation when the command is executed. Back up the existing file before executing the command, if necessary.

  1. Run the following command to create the password file corresponding to the private server key.

    Format

    "Navigation-Platform-installation-directory\PP\uCPSB\httpsd\sbin\sslpasswd.bat" path-of-the-private-server-key-file output-path-of-the-password-file

    Parameter

    • path-of-the-private-server-key-file:

      When using RSA encryption

      "%UCNP_HOME%\PP\uCPSB\httpsd\conf\ssl\server\httpsdkey.pem"

      When using ECC

      "%UCNP_HOME%\PP\uCPSB\httpsd\conf\ssl\server\httpsdkey-ecc.pem"

    • output-path-of-the-password-file:

      Specify the output destination path.

      When using RSA encryption

      "%UCNP_HOME%\PP\uCPSB\httpsd\conf\ssl\server\.keypasswd"

      When using ECC

      "%UCNP_HOME%\PP\uCPSB\httpsd\conf\ssl\server\.keypasswd-ecc"

    Command execution example (when using RSA encryption)

    "%UCNP_HOME%\PP\uCPSB\httpsd\sbin\sslpasswd.bat" "%UCNP_HOME%\PP\uCPSB\httpsd\conf\ssl\server\httpsdkey.pem" "%UCNP_HOME%\PP\uCPSB\httpsd\conf\ssl\server\.keypasswd"

    Command execution example (when using ECC)

    "%UCNP_HOME%\PP\uCPSB\httpsd\sbin\sslpasswd.bat" "%UCNP_HOME%\PP\uCPSB\httpsd\conf\ssl\server\httpsdkey-ecc.pem" "%UCNP_HOME%\PP\uCPSB\httpsd\conf\ssl\server\.keypasswd-ecc"

(6) Procedure for creating a certificate signing request (CSR)

Create a certificate signing request (CSR). The CSR created by this procedure is also used when creating a self-signed certificate.

This procedure assumes that a private server key has already been created. This procedure applies to both RSA encryption-type and ECC-type private server keys.

If a file already exists at the output path, it is overwritten without confirmation when the command is executed. Back up the existing file before executing the command, if necessary.

  1. Run the following command to create a certificate signing request (CSR).

    Users will be prompted to enter the pass phrase when the command is executed. Enter the pass phrase that was set when creating the private server key.

    Format

    "Navigation-Platform-installation-directory\PP\uCPSB\httpsd\sbin\openssl.bat" req -new hash-type-used-for-the-signature-algorithm -key path-of-the-private-server-key-file -out CSR-file-output-path [-addext subjectAltName-value]

    Parameter

    • hash-type-used-for-the-signature-algorithm: -sha256, -sha384, or -sha512

    • path-of-the-private-server-key-file:

      When using RSA encryption

      "%UCNP_HOME%\PP\uCPSB\httpsd\conf\ssl\server\httpsdkey.pem"

      When using ECC

      "%UCNP_HOME%\PP\uCPSB\httpsd\conf\ssl\server\httpsdkey-ecc.pem"

    • CSR-file-output-path:

      When using RSA encryption

      "%UCNP_HOME%\PP\uCPSB\httpsd\conf\ssl\server\httpsd.csr"

      When using ECC

      "%UCNP_HOME%\PP\uCPSB\httpsd\conf\ssl\server\httpsd-ecc.csr"

    • subjectAltName-value:

      Set the subjectAltName value in the server certificate.

      The domain name or IP address of the server can be specified in the following format:

      - When specifying a single domain name

        "subjectAltName=DNS:jp1np.hitachi.jp"

      - When specifying multiple domain names

        "subjectAltName=DNS:jp1np.hitachi.jp, DNS:jp1xxx.hitachi.jp"

      - When specifying a domain name and an IP address

        "subjectAltName=DNS:jp1np.hitachi.jp, IP:192.168.0.1"

    Command execution example (when using RSA encryption, with a domain name of jp1np.hitachi.jp)

    "%UCNP_HOME%\PP\uCPSB\httpsd\sbin\openssl.bat" req -new -sha256 -key "%UCNP_HOME%\PP\uCPSB\httpsd\conf\ssl\server\httpsdkey.pem" -out "%UCNP_HOME%\PP\uCPSB\httpsd\conf\ssl\server\httpsd.csr" -addext "subjectAltName=DNS:jp1np.hitachi.jp"

(7) Procedure for creating a self-signed certificate

This section describes the procedure for creating a server certificate (self-signed certificate) that is used to verify operation without going through a CA (certificate authority).

This procedure assumes that a private server key has already been created. This procedure applies to both RSA encryption-type and ECC-type private server keys.

If a file already exists at the output path, it is overwritten without confirmation when the command is executed. Back up the existing file before executing the command, if necessary.

  1. When setting the subjectAltName value in the server certificate, create a text file that contains the subjectAltName value.

    The explanations provided in this procedure refer to this text file as san.txt.

    File format

    subjectAltName = subjectAltName-value

    File example (when specifying a single domain name)

    subjectAltName = DNS:jp1np.hitachi.jp

    File example (when specifying an IP address)

    subjectAltName = IP:192.168.0.1

  2. Run the following command to create a server certificate.

    Format

    "Navigation-Platform-installation-directory\PP\uCPSB\httpsd\sbin\openssl.bat" x509 -req -days period-of-validity-(days) -in certificate-signing-request-(CSR)-file-path -signkey private-server-key-file-path -out server-certificate-file-output-path [-extfile subjectAltName-value-configuration-file-path]

    Parameter

    • period-of-validity-(days): Whole number from 1 to 10,000

    • certificate-signing-request-(CSR)-file-path:

      When using RSA encryption

      "%UCNP_HOME%\PP\uCPSB\httpsd\conf\ssl\server\httpsd.csr"

      When using ECC

      "%UCNP_HOME%\PP\uCPSB\httpsd\conf\ssl\server\httpsd-ecc.csr"

    • private-server-key-file-path:

      When using RSA encryption

      "%UCNP_HOME%\PP\uCPSB\httpsd\conf\ssl\server\httpsdkey.pem"

      When using ECC

      "%UCNP_HOME%\PP\uCPSB\httpsd\conf\ssl\server\httpsdkey-ecc.pem"

    • server-certificate-file-output-path:

      When using RSA encryption

      "%UCNP_HOME%\PP\uCPSB\httpsd\conf\ssl\server\httpsd.pem"

      When using ECC

      "%UCNP_HOME%\PP\uCPSB\httpsd\conf\ssl\server\httpsd-ecc.pem"

    • subjectAltName-value-configuration-file-path:

      Specify the full path of the file created in step 1.

    Command execution example (when using RSA encryption)

    "%UCNP_HOME%\PP\uCPSB\httpsd\sbin\openssl.bat" x509 -req -days 3650 -in "%UCNP_HOME%\PP\uCPSB\httpsd\conf\ssl\server\httpsd.csr" -signkey "%UCNP_HOME%\PP\uCPSB\httpsd\conf\ssl\server\httpsdkey.pem" -out "%UCNP_HOME%\PP\uCPSB\httpsd\conf\ssl\server\httpsd.pem" -extfile "%UCNP_HOME%\PP\uCPSB\httpsd\conf\ssl\server\san.txt"
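As an added example that is not part of this manual or the Navigation Platform product, the following Python helper pre-validates the inputs that procedures (6) and (7) pass to openssl.bat and renders the subjectAltName text in the two forms shown above (the -addext value for the req command and the contents of san.txt for the x509 command). The function names are assumptions of this example; the 4-to-64-character pass phrase rule and the 1-to-10,000-day validity range are the ones stated in the procedures.

```python
"""Added helper (not Hitachi's code): checks the values the HTTPS procedures
feed to openssl.bat, because openssl.bat itself does not reject all bad input."""
import ipaddress
import re

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def check_pass_phrase(phrase: str) -> bool:
    """The manual requires 4 to 64 characters, and notes that no error is
    raised for 65 or more, so the length has to be checked before typing it."""
    return 4 <= len(phrase) <= 64


def check_validity_days(days: int) -> bool:
    """-days for the self-signed certificate: whole number from 1 to 10,000."""
    return isinstance(days, int) and 1 <= days <= 10000


def san_entries(names):
    """Classify each name as an IP: or DNS: entry, rejecting anything else."""
    entries = []
    for name in names:
        try:
            entries.append(f"IP:{ipaddress.ip_address(name)}")
            continue
        except ValueError:
            pass  # not an IP address, so it must be a valid DNS name
        labels = name.rstrip(".").split(".")
        if not all(_LABEL.match(lbl) for lbl in labels) or labels[-1].isdigit():
            # an all-digit last label is a malformed IP address, not a host name
            raise ValueError(f"not a valid DNS name or IP address: {name!r}")
        entries.append(f"DNS:{name}")
    return entries


def addext_value(names):
    """Value passed to -addext in the req command (procedure (6))."""
    return "subjectAltName=" + ", ".join(san_entries(names))


def san_txt(names):
    """Contents of san.txt passed to -extfile in the x509 command (procedure (7))."""
    return "subjectAltName = " + ", ".join(san_entries(names)) + "\n"
```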