5.4.1 Creating a secret key file for SSL communication
Use the openssl command to create a secret key file for SSL communication. The following subsections describe the format and operands of the openssl command.
(1) File path
installation-folder#\uCPSB\httpsd\sbin\openssl
#: In Linux, change installation-folder to /opt/jp1dh/server.
(2) Format
- In Windows
openssl.bat genrsa -rand file-name[:file-name…] [-des|-des3] -out key-file [512|1024|2048|4096]
- In Linux
openssl.sh genrsa -rand file-name[:file-name…] [-des|-des3] -out key-file [512|1024|2048|4096]
(3) Operands
- Important
In Linux, you cannot specify an operand that contains single-byte spaces.
- -rand file-name
Specify a file to be used for generating random numbers. Specify a sufficiently large and appropriate file for this purpose.
An example of file specification is as follows:
installation-folder#\misc\digikatsuwide\digikatsuwide\WEB-INF\digikatsuwide.xml
#: In Linux, change installation-folder to /opt/jp1dh/server.
- [-des|-des3]
To encrypt the secret key, specify the encryption type.
This encryption type is unrelated to the encryption type used for SSL communication between the reverse proxy server and a Web browser.
- -des
When -des is specified, DES (Data Encryption Standard) is selected for the encryption type.
- -des3
When -des3 is specified, Triple DES is selected.
If you specify this operand, you are required to enter your password when you create a secret key, create a certificate signing request (CSR), or start the reverse proxy server.
If you want to enable automatic password entry for starting the reverse proxy server, you have to first create a password file by using the sslpasswd.bat command. For details, see 5.4.2 Creating a password file.
You can enter a password of 4 to 64 characters#.
#: If you enter a password shorter than 4 characters, a message appears, prompting you to enter a password from 4 to 1,023 characters long. Even so, remember that your password must be from 4 to 64 characters long. Take particular care that your password does not exceed 64 characters, because no error is output even if it does.
- -out key-file
Specify the file to which the secret key of the reverse proxy server is output.
- [512|1024|2048|4096]
Specify the bit length of the secret key of the reverse proxy server to be created. If you omit this operand, the underlined value is used.
- Important
Keys with a bit length of 1024 or lower are becoming less safe. Therefore, specify 2048 or higher for the bit length.
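A pre-flight check for the Linux operands described above, as an added example that is not part of the original manual or the product. It handles a single -rand file (not a colon-separated list) and always uses -des3; the function names, the non-empty seed file test and the umask step are assumptions of the example.

```shell
#!/bin/sh
# Added example: validate genrsa operands before calling openssl.sh.
# Path built from the "File path" section with the Linux installation folder.
OPENSSL_SH="${OPENSSL_SH:-/opt/jp1dh/server/uCPSB/httpsd/sbin/openssl.sh}"

# Linux: an operand must not contain single-byte spaces.
no_space() {
    case "$1" in
        *" "*) return 1 ;;
        *)     return 0 ;;
    esac
}

# The password must be 4 to 64 characters. The tool outputs no error above 64,
# so the upper bound has to be checked before the password is typed in.
check_passphrase_length() {
    len=${#1}
    [ "$len" -ge 4 ] && [ "$len" -le 64 ]
}

# Validate operands: $1 = -rand file, $2 = -out key file, $3 = bit length.
# Returns 0 if acceptable, otherwise a distinct non-zero code per problem.
check_genrsa_operands() {
    rand_file=$1; key_file=$2; bits=$3
    no_space "$rand_file" || return 2      # space in the -rand operand
    no_space "$key_file"  || return 3      # space in the -out operand
    [ -s "$rand_file" ]   || return 4      # seed file missing or empty
    case "$bits" in
        2048|4096) ;;                      # page: specify 2048 or higher
        512|1024)  return 5 ;;             # accepted by the tool, but too short
        *)         return 6 ;;             # not one of the documented values
    esac
    return 0
}

# Create the key with -des3 (openssl prompts for the password).
create_key() {
    check_genrsa_operands "$1" "$2" "$3" || return $?
    ( umask 077                            # assumption: keep the key owner-only
      "$OPENSSL_SH" genrsa -rand "$1" -des3 -out "$2" "$3" )
}

# Runs only when called as: script seed-file key-file bit-length
if [ "$#" -eq 3 ]; then create_key "$1" "$2" "$3"; fi
```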