Hitachi

JP1 Version 12 Job Management: Getting Started (High-speed Transfer of Huge Files)


1.5.2 Creating a server certificate for the production environment

To start JP1/DH - Server operation on the Internet, you must obtain a server certificate and install it in JP1/DH - Server.

To obtain a server certificate, prepare a secret key and a certificate signing request (CSR) first.

(1) Creating a secret key for the production environment

Create a secret key required to create a server certificate.

Prerequisites

To perform this task, the system administrator logs in as the built-in Administrator user to the machine on which JP1/DH - Server is installed, and then starts the command prompt.

Procedure

  1. Start the command prompt.

    Start the command prompt at the following location, in which the command for creating a secret key is stored:

    installation-folder\uCPSB\httpsd\sbin

  2. Execute the openssl.bat command with the necessary arguments specified.

    openssl.bat genrsa -rand file-name [:file-name…]
          [-des|-des3]
           -out key-file-name
          [512|1024|2048|4096]

    The following are details of the arguments:

    -rand file-name[:file-name…]

    Specify the name of any file to be used for generating a random number. You can specify only one file name. Specify a file of adequate size as the file for generating a random number.

    The following is an example of how to specify a file name:

    installation-folder\misc\digikatsuwide\digikatsuwide\WEB-INF\digikatsuwide.xml

    [-des|-des3]

    To encrypt a secret key, specify the encryption type.

    This encryption type has nothing to do with the encryption type for SSL communication between the JP1/DH - Server and a Web browser.

    -des

    When -des is specified, DES (Data Encryption Standard) is selected for the encryption type.

    -des3

    When -des3 is specified, Triple DES is selected.

    If you specify this operand, you are required to enter your password when you create a secret key, create a certificate signing request (CSR), or start the JP1/DH - Server.

    If you want to enable automatic password# entry for starting the JP1/DH - Server, see the prerequisites in the JP1/Data Highway - Server Configuration and Administration Guide.

    # You can enter a password of 4 to 64 characters. If you enter a password shorter than 4 characters, a message appears, prompting you to enter a password from 4 to 1,023 characters long. Even so, remember that your password must be from 4 to 64 characters long. Take particular care that your password does not exceed 64 characters because, even if it does, no error is output.

    -out key-file-name

    Specify the name of the file to which the created secret key is output.

    [512|1024|2048|4096]

    Specify the bit length of the secret key to be created.

    If you omit this argument, 2048 is used.

    Keys with a bit length of 1024 or lower are becoming increasingly unsafe. Therefore, specify 2048 or higher for the bit length.

Operation result

The secret key file with the name specified for -out is created.

(2) Creating a certificate signing request (CSR) for the production environment

Create a certificate signing request (CSR) required to create a server certificate.

Prerequisites

Procedure

  1. Start the command prompt.

    Start the command prompt at the following location, in which the command for creating a CSR is stored:

    installation-folder\uCPSB\httpsd\sbin

  2. Execute the openssl.bat command with the necessary arguments specified.

    openssl.bat req -new [-md5|-sha1|-sha224|-sha256|-sha384|-sha512]
                      -key key-file-name
                      -out CSR-file-name

    The following are details of the arguments:

    [-md5|-sha1|-sha224|-sha256|-sha384|-sha512]

    Specify the signature algorithm used for creating a CSR. If you omit this operand, the underlined signature algorithm is used.

    md5: Use md5WithRSAEncryption.

    sha1: Use sha1WithRSAEncryption.

    sha224: Use sha224WithRSAEncryption.

    sha256: Use sha256WithRSAEncryption.

    sha384: Use sha384WithRSAEncryption.

    sha512: Use sha512WithRSAEncryption.

    Important

    The signature algorithms md5 and sha1 are becoming increasingly unsafe. Therefore, specify a signature algorithm other than md5 or sha1.

    -key key-file-name

    Specify the name of the secret key file that was created beforehand.

    -out CSR-file-name

    Specify the name of the file to which the created CSR is output.

    Enter the values for the required items, in interactive mode.

    C(Country Name) : two-letter-country-code (JP for Japan)
    S(State or Province Name) : state-or-province-name
    L(Locality Name) : city-or-area-name
    O(Organization Name) : organization-name
    OU(Organization Unit Name) : organization-unit-name
    CN(Common Name) : server-host-name-(FQDN)
    EA(Email Address) : email-address

    The following is a specification example:

    C(Country Name) : JP
    S(State or Province Name) : Tokyo
    L(Locality Name) : Shinagawa-ku
    O(Organization Name) : Hitachi,Ltd.
    OU(Organization Unit Name) : SoftwareDevelopment
    CN(Common Name) : jp1dhserver.foo1.foo2.co.jp
    EA(Email Address) : jp1dh-system@foo1.foo2.co.jp

Operation result

The certificate signing request (CSR) file with the name specified for -out is created.
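
A pre-submission check for the CSR, added here as an example (it is not part of the Hitachi manual or of JP1/DH - Server): it applies this page's guidance (key length of 2048 or higher, no md5 or sha1 signature, CN set to the server FQDN) to the text form of a CSR. It assumes text in the layout OpenSSL prints for `req -noout -text`; the sample text and the function name check_csr_text are constructed for illustration.

```python
import re

# Constructed sample: text of the kind printed by `openssl req -noout -text -in <CSR>`
# (assumed OpenSSL text layout; values follow the page's specification example).
SAMPLE_CSR_TEXT = """\
Certificate Request:
    Data:
        Subject: C = JP, ST = Tokyo, L = Shinagawa-ku, O = "Hitachi,Ltd.", OU = SoftwareDevelopment, CN = jp1dhserver.foo1.foo2.co.jp, emailAddress = jp1dh-system@foo1.foo2.co.jp
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
    Signature Algorithm: sha256WithRSAEncryption
"""

WEAK_DIGESTS = ("md5", "sha1")   # the two algorithms the page warns against
MIN_RSA_BITS = 2048              # the page's minimum recommended key length


def check_csr_text(text, expected_fqdn):
    """Return a list of findings; an empty list means the CSR passed."""
    findings = []

    bits = re.search(r"Public[- ]Key: \((\d+) bit\)", text)
    if not bits:
        findings.append("key length not found")
    elif int(bits.group(1)) < MIN_RSA_BITS:
        findings.append(f"RSA key is {bits.group(1)} bits; use {MIN_RSA_BITS} or higher")

    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)
    if not sig:
        findings.append("signature algorithm not found")
    elif sig.group(1).lower().startswith(WEAK_DIGESTS):
        findings.append(f"weak signature algorithm: {sig.group(1)}")

    # CN must be the server's FQDN; tolerate both "CN = x" and "CN=x" layouts.
    subject = re.search(r"^\s*Subject:\s*(.*)$", text, re.MULTILINE)
    cn = re.search(r"(?:^|[,/]\s*)CN\s*=\s*([^,/\s]+)", subject.group(1)) if subject else None
    if not cn:
        findings.append("Common Name (CN) not found")
    elif cn.group(1).lower() != expected_fqdn.lower():
        findings.append(f"CN is {cn.group(1)}, expected {expected_fqdn}")

    return findings


if __name__ == "__main__":
    for finding in check_csr_text(SAMPLE_CSR_TEXT, "jp1dhserver.foo1.foo2.co.jp") or ["OK"]:
        print(finding)
```
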

(3) Obtaining a server certificate for the production environment

Obtain a server certificate before JP1/DH - Server starts in the production environment.

Procedure

  1. After a certificate signing request (CSR) is created, request a certificate authority to issue a server certificate and conduct the procedures required to obtain a server certificate.

    These tasks must be complete before JP1/DH - Server starts in the production environment.

  2. After you obtain a server certificate, store it in any location on the machine on which JP1/DH - Server is installed.

Postrequisites

Set the network configuration, and install the server certificate in JP1/DH - Server.