6.13.2 Setting up an SSL communication environment on the server side
This subsection describes how to create a private key required on the server side for using SSL communication, and how to issue a server certificate and root certificate. The procedure is as follows:
- Creating a private key
- Creating a CSR (certificate signing request)
- Issuing a server certificate and root certificate
- Locating the private key, server certificate, and root certificate
Use OpenSSL commands to create the private key and the CSR. For details about the commands, see openssl in 15. Commands.
(1) Creating a private key
Execute the openssl command to create a private key.
An example of command execution is as follows:
When using elliptic-curve cryptography (ECC)
openssl ecparam -genkey -noout -name cipher-name# -out private-key-file-name
#: The length of the private key created varies based on the cipher name. For details, see the description of openssl-ecparam on the official OpenSSL website.
When using RSA encryption
Create a 2,048-bit private key.
openssl genrsa -out private-key-file-name
(2) Converting the private key (only when using elliptic-curve cryptography)
Convert the private key using the openssl pkcs8 command.
When using elliptic-curve cryptography, convert the private key to PKCS#8 format. A command execution example is provided below.
openssl pkcs8 -topk8 -in private-key-file-name -out PKCS#8-type-private-key-file-name -nocrypt
(3) Creating a CSR (certificate signing request)
Execute the openssl req command to create a CSR.
Create a CSR with the created private key (when using elliptic-curve cryptography, this is the private key created before being converted into PKCS#8 format) specified. In the following example of command execution, a CSR for a certificate whose effective period is one year is created.
openssl req -new -days 365 -key private-key-file-name -out CSR-file-name
Enter the DN (distinguished name) to be registered in the certificate interactively.
Input example of the command prompt window:
C:\Program Files (x86)\Hitachi\JP1Base\ssl_\32mt\bin>openssl req -new -days 365 -key server.key -out server.csr
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Kanagawa
Locality Name (eg, city) []:Yokohama
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Hitachi
Organizational Unit Name (eg, section) []:JP1
Common Name (e.g. server FQDN or YOUR name) []:hostjp1.example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
The CSR is created.
(4) Requesting the issuance of a server certificate and root certificate
Submit the created CSR to the CA (certificate authority) to request the CA to issue a server certificate and root certificate.
(5) Locating the private key, server certificate, and root certificate
Store the private key, server certificate, and root certificate in a folder on the server side. If monitoring an agent host in an environment where the communication encryption function (SSL communication) for JP1/Base 12-10 or later is enabled, a private key, server certificate, and root certificate are required not only for the manager host but also for the agent host.
Note that you must match the storage location and file name of each file to those defined in the SSL communication definition file created in 6.13.4 Setting up the communication encryption function of JP1/Base.
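Steps (1) to (3) above, run non-interactively as one shell script. This is an added example, not the manual's own procedure: the working directory, the file names (server.key, server_pkcs8.key, server.csr), the curve name prime256v1 and the DN are constructed sample values (the DN repeats the answers from the prompt example), and openssl is assumed to be on PATH. Beyond the manual's commands it adds a check that the public key inside the CSR was derived from the private key that will later be stored next to the server certificate, so that a mismatched pair is caught before the CSR is sent to the CA in step (4).

```shell
#!/bin/sh
# Added example (not from the JP1/Base manual): server-side key and CSR
# preparation for SSL communication, steps (1)-(3) of 6.13.2.
# WORKDIR, the file names, the curve and the DN are assumed sample values.
set -eu

WORKDIR="${WORKDIR:-./ssl_work}"
# Constructed sample DN; mirrors the interactive prompt example in the manual.
DN="/C=JP/ST=Kanagawa/L=Yokohama/O=Hitachi/OU=JP1/CN=hostjp1.example.com"

# Step (1), ECC variant. $1 = curve name, $2 = private key file.
make_ec_key() {
    openssl ecparam -genkey -noout -name "$1" -out "$2"
}

# Step (1), RSA variant: 2048-bit key. $1 = private key file.
make_rsa_key() {
    openssl genrsa -out "$1" 2048
}

# Step (2): convert the EC key to unencrypted PKCS#8. $1 = in, $2 = out.
to_pkcs8() {
    openssl pkcs8 -topk8 -nocrypt -in "$1" -out "$2"
}

# Step (3): create the CSR from the key as generated (not the PKCS#8 copy),
# supplying the DN with -subj instead of answering the prompts.
make_csr() {
    openssl req -new -key "$1" -subj "$DN" -out "$2"
}

# Returns 0 only when the SubjectPublicKeyInfo in the CSR equals the public
# key derived from the private key; a CA would reject a mismatched pair.
csr_matches_key() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    csr_pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ]
}

# Prints the subject DN recorded in the CSR for a final visual check.
csr_subject() {
    openssl req -in "$1" -noout -subject
}

# Runs the whole chain for an EC key under $WORKDIR and verifies the result.
setup_server_keys() {
    mkdir -p "$WORKDIR"
    chmod 700 "$WORKDIR"
    make_ec_key prime256v1 "$WORKDIR/server.key"
    to_pkcs8 "$WORKDIR/server.key" "$WORKDIR/server_pkcs8.key"
    make_csr "$WORKDIR/server.key" "$WORKDIR/server.csr"
    # The private key never leaves the server: owner-only permissions.
    chmod 600 "$WORKDIR/server.key" "$WORKDIR/server_pkcs8.key"
    csr_matches_key "$WORKDIR/server.key" "$WORKDIR/server.csr"
}

# Stand-alone use: sh setup_ssl.sh --run
if [ "${1:-}" = "--run" ]; then
    setup_server_keys
    csr_subject "$WORKDIR/server.csr"
    echo "CSR ready for the CA: $WORKDIR/server.csr"
fi
```

The script deliberately omits -days: openssl req only honours that option together with -x509 (self-signed output), so for a plain CSR the validity period is decided by the issuing CA in step (4). Keep server.key (or, for ECC, the PKCS#8 copy) with owner-only permissions in the folder referenced by the SSL communication definition file; only server.csr is handed to the CA.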