Hitachi

JP1 Version 12 JP1/Performance Management Reference


jpcwtool https create certreq

Format

jpcwtool https create certreq    -f certificate-signing-request-(CSR)-output-file
                                 [-d private-key-file-output-directory]
                                 [-des|-des3]
                                 [-bits {2048|4096}]
                                 [-sign {SHA256|SHA384|SHA512}]
                                 [-noquery]

Function

The command jpcwtool https create certreq creates a certificate signing request (CSR) file for obtaining a server certificate, a private key file, and a private key password file. The information to be set is entered interactively.

Use the files created by this command to configure encrypted communication between the Web browser and the monitoring console server. For details about how to configure these settings, see the description about changing the settings for encrypted communication between a Web browser and the monitoring console server in the JP1/Performance Management Planning and Configuration Guide.

Important

This command does not output Subject Alternative Names (SANs). Google Chrome treats a server certificate as untrusted if it was created from a certificate signing request (CSR) that does not contain a SAN definition. If you use Google Chrome as the browser, create the server certificate by using OpenSSL or another tool that can create a CSR with a SAN definition added to it. When you create the server certificate, specify the entries that need to be set in this command, and also set a SAN as the Common Name (CN).
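
The note above calls for a CSR that carries a SAN. As an added example (not part of the Hitachi manual and not jpcwtool's own behaviour), the following shell functions create such a CSR with OpenSSL using the same defaults as this command (2048-bit RSA key, SHA256) and check that the Common Name is listed as a DNS SAN. The file names server.key, server.csr and csr.cnf and the country code are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Hitachi manual. File names and the country
# code are assumptions; pass your own PFM - Web Console host name as CN.

# make_san_csr CN OUTDIR
# Writes OUTDIR/server.key (2048-bit RSA, no passphrase, as when -des/-des3
# is omitted) and OUTDIR/server.csr (SHA256), with CN repeated as a DNS SAN.
make_san_csr() (
    cn=$1; outdir=$2
    umask 077    # keep the private key and config readable by the owner only
    cat > "$outdir/csr.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req
[ dn ]
C  = JP
CN = $cn
[ v3_req ]
subjectAltName = DNS:$cn
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$outdir/csr.cnf" \
        -keyout "$outdir/server.key" -out "$outdir/server.csr" 2>/dev/null
)

# csr_san_matches_cn CSR CN
# Succeeds only if CN is listed, exactly, as a DNS entry in the CSR's SAN
# extension. A CSR with no SAN extension (as jpcwtool outputs, per the note
# above) fails the check.
csr_san_matches_cn() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        tr -d ' ' | tr ',' '\n' | grep -Fxq "DNS:$2"
}
```

Call `make_san_csr` with a host name and an existing directory, then run `csr_san_matches_cn` on the resulting server.csr before submitting it to the certificate authority.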

Hosts that can execute the command

PFM - Web Console

Execution permission

In Windows:

User with Administrators permissions

In UNIX:

User with root user permissions

Installation directory

In Windows:

installation-folder\tools\

In UNIX:

/opt/jp1pcwebcon/tools/

Arguments

-f certificate-signing-request-(CSR)-output-file

Specify the name of the certificate signing request (CSR) file for obtaining a server certificate, excluding the file extension, in certificate-signing-request-(CSR)-output-file. The maximum length is 251 bytes. For details about how to specify the file path, see Specifying files and directories.

The specified file certificate-signing-request-(CSR)-output-file.csr will be created.

-d private-key-file-output-directory

Specify the directory to which the private key file is to be output in private-key-file-output-directory. The maximum length is 234 bytes. For details about how to specify the directory, see Specifying files and directories.

If you omit this option, the file will be output to the folder for storing encrypted communication files.

If the option -des or -des3 is specified, a private key password file will also be output to the same directory.

The names of the files that will be output are as follows:

  • Private key file: jpcwhttpskey.pem

  • Private key password file: jpcwhttpskeypass.dat

-des|-des3

Specifies the type of encryption of the private key file when you set a password for the private key. When you specify the option -des, DES (Data Encryption Standard) encryption is used. When you specify the option -des3, triple DES encryption is used.

When this option is specified, the user will be prompted to enter the password of the private key four times during the execution of this command.

If this option is omitted, no password is set for the private key.

-bits {2048|4096}

Specifies the bit length of the private key to be created.

If this option is omitted, 2048 is assumed.

-sign {SHA256|SHA384|SHA512}

Specifies the signature algorithm to use when creating the certificate signing request file.

The algorithms corresponding to each input value are as follows:

  • SHA256: sha256WithRSAEncryption

  • SHA384: sha384WithRSAEncryption

  • SHA512: sha512WithRSAEncryption

If this option is omitted, SHA256 is assumed.

Depending on the certificate authority that issues the server certificate, at the time the certificate signing request is made, the signature algorithm might have already been determined, or the server certificate might be issued using a signature algorithm selected at the time of the request.

In these cases, the setting value specified here is ignored.

-noquery

When this option is specified, query messages that interrupt execution of the command are no longer output, and no response from the user is required. Specify this option if you want to execute the command non-interactively.

If an output destination file specified with the option -f or -d already exists, it will be overwritten.

If this option is omitted, a message is displayed to confirm whether to overwrite the file.

Specifying files and directories

Information to be entered during execution of the command

During execution of the command, the user is prompted to enter the following items.

Table 3‒95: Information to be set in the certificate signing request file

| No. | Input field | Description | Required/optional#1 |
|-----|-------------|-------------|---------------------|
| 1 | Country Name (2 letter code) | Country code (uppercase two-letter ISO abbreviation indicating the country) | Required |
| 2 | State or Province Name (full name) | Name of a state or province | Optional |
| 3 | Locality Name (eg, city) | Name of a city or other locality | Optional |
| 4 | Organization Name (eg, company) | Name of a company or other organization | Optional |
| 5 | Organizational Unit Name (eg, section) | Name of a section or other organizational unit | Optional |
| 6 | Common Name (eg, YOUR name) | Name of the PFM - Web Console host, or the logical host name in the case of a cluster system#2 | Required |
| 7 | Email Address#3 | Email address | Optional |
| 8 | A challenge password#3 | Password necessary to ask the certificate authority to discard or disable a certificate#4 | Optional |
| 9 | An optional company name#3 | Name that is specified when an organization name different from the one specified in Organization Name in No. 4 is assigned#4 | Optional |

#1

The information that is required varies depending on which certificate authority you submit the certificate signing request file to. For details, check with the relevant certificate authority.

#2

Depending on which certificate authority you submit the certificate signing request file to, you might be prompted for the host name in FQDN format, which is not supported by Performance Management. In that case, for Common Name, specify the PFM - Web Console host name with the domain name appended. Note that the setting is also required on the host running the Web browser connected to the monitoring console. For details, see the description of how to configure a Web browser to use the monitoring console in the JP1/Performance Management Planning and Configuration Guide.

In addition, by setting Common Name to an * (wildcard) with the domain name appended, you can create a certificate signing request file for a wildcard certificate. Before using wildcard certificates, check whether they are supported by the certificate authority.

#3

The command jpcwtool https create provcert does not prompt the user to enter this item.

#4

Enter this information when instructed to do so by the certificate authority to which you are submitting the certificate signing request file. If no specific instruction is provided by the certificate authority, do not enter this information.

Table 3‒96: Password for the private key

| No. | Input field | Contents | Required/optional |
|-----|-------------|----------|-------------------|
| 1 | Enter pass phrase for file-path-of-private-key | This is the password for the private key. You will be prompted to enter the password four times. Enter the same password each time. | Required |
| 2 | Verifying - Enter pass phrase for file-path-of-private-key | Same as No. 1 | Same as No. 1 |
| 3 | Enter PEM passphrase | Same as No. 1 | Same as No. 1 |

The rules for specifying the input fields are as follows:
  • You can enter up to 255 characters in each input field, but the total number of characters across all the input fields in the certificate signing request file cannot exceed 485 characters. This total includes the backslash escape character (\) that is automatically prefixed to each comma (,), plus sign (+), and equal sign (=) in the file that is output.

  • The password for the private key must be at least four characters long and cannot exceed 64 characters.

  • Use single-byte alphanumeric characters. Uppercase and lowercase letters are treated as different. The @ character is permitted only in the email address and the private key password, but the following symbols are permitted in all input fields:

    ' - ( ) , . / : ? + = single-byte space

    If you enter only periods (.) in the input field, nothing will be displayed for that field.

Notes

Return values

0

The command terminated normally.

1

An argument specification is invalid.

2

The user does not have execution permission for the command.

3

A file or directory cannot be accessed.

4

Creation of the certificate signing request file failed.

5

Creation of the private key file failed.

6

Creation of the private key password file failed (only if the option -des or -des3 is specified).

80

The command was aborted because the user entered something other than y or Y in response to the confirmation prompt when -noquery was not specified.

100

The PFM - Web Console environment is invalid.

200

A memory shortage occurred.

203

An error occurred during output of the file.

210

A disk space shortage occurred.

255

An unexpected error occurred.

Usage example

This example outputs the certificate signing request file to the file httpsd.csr in the directory /tmp and then sets the password for the private key. In Windows, when the password is entered, the * characters appear only the fourth time the password is entered.

> ./jpcwtool https create certreq -f /tmp/httpsd -des3
372 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
...............++++++
..............................++++++
e is 65537 (0x10001)
Enter pass phrase for /opt/jp1pcwebcon/CPSB/httpsd/cone/ssl/server/jpcwhttpskey.pem:
Verifying - Enter pass phrase for /opt/jp1pcwebcon/CPSB/httpsd/cone/ssl/server/jpcwhttpskey.pem:
Enter pass phrase for /opt/jp1pcwebcon/CPSB/httpsd/cone/ssl/server/jpcwhttpskey.pem:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Kanagawa
Locality Name (eg, city) []:Yokohama-shi
Organization Name (eg, company) [Internet Widgits Pty Ltd]:HITACHI
Organizational Unit Name (eg, section) []:WebSite
Common Name (e.g. server FQDN or YOUR name) []:pfm.hitachi.co.jp
Email Address []:
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Enter PEM pass phrase:
KAVJT6553-I Output of the certificate signing request and private key ended normally.