Hitachi

uCosminexus Application Server HTTP Server User Guide


5.2.2 Creating a private key for the Web server

This section describes how to create a private key for the Web server by using the openssl.bat command or openssl.sh command for each encryption type.


(1) When using RSA encryption (openssl.bat genrsa command or openssl.sh genrsa command)

Create a private key for the Web server by using the openssl.bat genrsa command or openssl.sh genrsa command. The created Web server private key file is specified in the SSLCertificateKeyFile directive.

The private key is created in the format conforming to PKCS#1 (PEM header "BEGIN RSA PRIVATE KEY").

(a) Format

In Windows

openssl.bat genrsa -rand file-name -out key-file [1024|2048|4096]

In UNIX

openssl.sh genrsa -rand file-name[:file-name...] -out key-file [1024|2048|4096]

(b) Parameters

  • -rand file-name (in Windows)

  • -rand file-name[:file-name...] (in UNIX)

    Specify a file whose contents are used to seed random number generation. The file must be large enough to supply sufficient seed data. In Windows, only one file name can be specified; multiple file names cannot be specified. In UNIX, separate multiple file names with a colon (:).

  • -out key-file

    Specify the file to which the Web server private key is output.

  • [1024|2048|4096]

    Specify the bit length of the Web server private key.

(c) Usage example

The following example shows how to create the Web server private key httpsdkey.pem in the format conforming to PKCS#1.

In Windows

openssl.bat genrsa -rand file1 -out httpsdkey.pem 2048

file1: an arbitrary file

In UNIX

openssl.sh genrsa -rand file1:file2:file3:file4:file5 -out httpsdkey.pem 2048

file1, file2, file3, file4, and file5: arbitrary files

(2) When using elliptic curve cryptography (openssl.bat ecparam command or openssl.sh ecparam command)

Create a private key for the Web server by using the openssl.bat ecparam command or openssl.sh ecparam command. The created Web server private key file can be specified in the SSLCertificateKeyFile directive.

(a) Format

In Windows

openssl.bat ecparam -genkey -noout -rand file-name -name elliptic-curve-name -out key-file

In UNIX

openssl.sh ecparam -genkey -noout -rand file-name[:file-name...] -name elliptic-curve-name -out key-file

(b) Parameters

  • -rand file-name (in Windows)

  • -rand file-name[:file-name...] (in UNIX)

    Specify a file whose contents are used to seed random number generation. The file must be large enough to supply sufficient seed data. In Windows, only one file name can be specified; multiple file names cannot be specified. In UNIX, separate multiple file names with a colon (:).

  • -name elliptic-curve-name

    Specify the name of the elliptic curve to be used for generating the private key. Specify one of the following elliptic curve names (prime256v1 and P-256 denote the same curve, as do secp384r1 and P-384, and secp521r1 and P-521):

    • secp384r1

    • secp521r1

    • prime256v1

    • P-256

    • P-384

    • P-521

  • -out key-file

    Specify the file to which the Web server private key is output.

(c) Usage example

The following example shows how to create the private key httpsdkey.pem that uses elliptic curve cryptography. When using the private key on the Web server, convert httpsdkey.pem to the PKCS#8 format.

In Windows

openssl.bat ecparam -genkey -noout -rand file1 -name P-256 -out httpsdkey.pem

file1: an arbitrary file

In UNIX

openssl.sh ecparam -genkey -noout -rand file1:file2:file3:file4:file5 -name P-256 -out httpsdkey.pem

file1, file2, file3, file4, and file5: arbitrary files
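The following script is an added example and is not part of the Hitachi manual or of the uCosminexus product. It walks through both procedures above, (1) the RSA key and (2) the elliptic curve key including the PKCS#8 conversion that (2)(c) calls for, using the standard openssl command line directly. It assumes that openssl.sh and openssl.bat pass their arguments through to the standard openssl binary (so genrsa, ecparam, rand, pkcs8 and pkey behave as in upstream OpenSSL), and that the seed is produced with openssl rand from the operating system's random source rather than taken from an existing file; the seed file, key file names and the 1024-byte seed size are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Hitachi manual: create the Web server private
# keys of section 5.2.2 with the standard openssl CLI and check the result.
# Assumption: openssl.sh/openssl.bat forward to the openssl binary, so the
# same subcommands and options apply. File names below are constructed.
set -eu

# Seed file for -rand. The manual only requires it to be "large enough";
# here 1024 bytes are drawn from the OS random source via openssl rand.
make_seed() {
    openssl rand -out "$1" 1024
}

# (1) RSA key: 2048 bits, seeded from $2. umask 077 makes the key file
# readable only by the account that created it (mode rw-------).
gen_rsa_key() {
    ( umask 077; openssl genrsa -rand "$2" -out "$1" 2048 2>/dev/null )
}

# (2) EC key on P-256 (alias of prime256v1) written to $1, then converted
# to PKCS#8 in $2 as the manual requires before use on the Web server.
# -nocrypt keeps the key unencrypted, which is what the SSLCertificateKeyFile
# directive needs; protect it with file permissions instead.
gen_ec_key() {
    ( umask 077
      openssl ecparam -genkey -noout -rand "$3" -name P-256 -out "$1"
      openssl pkcs8 -topk8 -nocrypt -in "$1" -out "$2" )
}

# First PEM line: shows which container format the key was written in
# (EC PRIVATE KEY = SEC1, PRIVATE KEY = PKCS#8, RSA PRIVATE KEY = PKCS#1).
pem_header() {
    head -n 1 "$1"
}

# Key size in bits as parsed by openssl pkey; fails if the file is not a
# valid private key.
key_bits() {
    openssl pkey -in "$1" -noout -text \
        | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Permission string of the key file, e.g. rw-------.
key_mode() {
    ls -l "$1" | cut -c2-10
}

# Stand-alone run: create both keys in a temporary directory and report.
if [ "${1:-}" = "run" ]; then
    dir=$(mktemp -d)
    make_seed "$dir/seed.bin"
    gen_rsa_key "$dir/httpsdkey_rsa.pem" "$dir/seed.bin"
    gen_ec_key "$dir/httpsdkey_ec.pem" "$dir/httpsdkey_ec_pkcs8.pem" "$dir/seed.bin"
    for f in httpsdkey_rsa.pem httpsdkey_ec.pem httpsdkey_ec_pkcs8.pem; do
        printf '%s: %s bits, %s, %s\n' "$f" "$(key_bits "$dir/$f")" \
            "$(pem_header "$dir/$f")" "$(key_mode "$dir/$f")"
    done
fi
```

Run it as `sh keys.sh run`. Two points worth checking in your own environment: the manual's PKCS#1 statement for genrsa matches OpenSSL 1.x, whereas OpenSSL 3.x writes genrsa output as PKCS#8 ("BEGIN PRIVATE KEY") unless the -traditional option is given, so inspect the header with pem_header rather than assuming it; and the key file should never be group- or world-readable, which is why each generation step runs under umask 077 and key_mode reports the mode.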