$!
$! SSL$EXAMPLES_SETUP.COM --
$!
$! This command procedure is actually a template that shows
$! the commands necessary to create certificates and keys for the example
$! programs.
$!
$! Also included in this file are the options to enter into
$! SSL$CERT_TOOL.COM to create the certificates and keys needed by the
$! example programs. SSL$CERT_TOOL.COM is found in SSL$COM. See the
$! documentation for more information about SSL$CERT_TOOL.COM.
$!
$! 1. Create the CA certificate - option 5 in SSL$CERT_TOOL.COM.
$!    This will create a key in one file, named SSL$KEY:SERVER_CA.KEY
$!    by default, and a certificate in another file, named
$!    SSL$CERTS:SERVER_CA.CRT by default.
$!
$! 2. Make a second copy of the CA key and certificate created in step #1.
$!    The originals are called SERVER_CA.KEY and SERVER_CA.CRT and the
$!    copies should be called CLIENT_CA.KEY and CLIENT_CA.CRT, as these are
$!    the filenames defined in the example programs. You will have to exit
$!    the SSL$CERT_TOOL.COM procedure to do this operation from the DCL
$!    command line. For example:
$!      $ COPY SSL$KEY:SERVER_CA.KEY SSL$KEY:CLIENT_CA.KEY
$!      $ COPY SSL$CERTS:SERVER_CA.CRT SSL$CERTS:CLIENT_CA.CRT
$!
$! 3. Create a server certificate signing request - option 3 in SSL$CERT_TOOL.COM.
$!    The Common Name should be the TCP/IP hostname of the server system.
$!    The default name of the request is SERVER.CSR. The corresponding private
$!    key is named SERVER.KEY.
$!
$! 4. Sign the server certificate signing request - option 6 in SSL$CERT_TOOL.COM.
$!    Use the CA certificate, SERVER_CA.CRT, created in step #1 to sign the request
$!    created in step #3. This will create a certificate file, which should be
$!    named SERVER.CRT. This is the name as it is defined in the example programs.
$!
$! 5. Create a client certificate signing request - option 3 in SSL$CERT_TOOL.COM.
$!
$! 6. Sign the client certificate signing request - option 6 in SSL$CERT_TOOL.COM.
$!    Use the CA certificate, CLIENT_CA.CRT, created in step #2 to sign the request
$!    created in step #5. This will create a certificate file, which should be
$!    named CLIENT.CRT. This is the name as it is defined in the example programs.
$!
$! 7. These certificates and keys should reside in the same directory as
$!    the example programs.
$!
$!
$!
$! The commands below have been changed to use generic data as
$! input. To use these commands, substitute the generic data with
$! data specific to your site. For example, yourcountry could be
$! changed to US. It is assumed that the SSL startup file,
$! SYS$STARTUP:SSL$STARTUP.COM, and the SSL$COM:SSL$UTILS.COM
$! procedure have been executed.
$!
$!
$! Check to make sure SSL has been started, so
$! we can use the logicals that it defines.
$!
$! $ if f$trnlnm("SSL$ROOT") .eqs. ""
$! $ then
$! $   write sys$output "SSL needs to be started. Execute @SYS$STARTUP:SSL$STARTUP,"
$! $   write sys$output "then try this procedure again."
$! $   exit
$! $ endif
$!
$! Check to make sure SSL$UTILS has been executed, so
$! we can use the foreign commands that it sets up.
$!
$! $ if f$type(OPENSSL) .eqs. ""
$! $ then
$! $   @SSL$COM:SSL$UTILS
$! $ endif
$!
$! Check to make sure the SERIAL and INDEX files used by
$! "openssl ca" exist. If they don't, create them.
$!
$! $ if f$search("SSL$ROOT:[DEMOCA]SERIAL.TXT") .eqs. ""
$! $ then
$! $   CREATE SSL$ROOT:[DEMOCA]SERIAL.TXT
$! 01
$! $ endif
$!
$! $ if f$search("SSL$ROOT:[DEMOCA]INDEX.TXT") .eqs. ""
$! $ then
$! $   CREATE SSL$ROOT:[DEMOCA]INDEX.TXT
$! $ endif
$!
$! Create the CA certificate. The lines following the command
$! are the answers to the prompts, read from SYS$INPUT.
$!
$! $ define/user sys$command sys$input
$! $ openssl req -config ssl$root:[000000]openssl-vms.cnf -new -x509 -days 1825 -
$!   -keyout ssl$key:server_ca.key -out ssl$certs:server_ca.crt
$! yourpassword
$! yourpassword
$! yourcountry
$! yourstate
$! yourcity
$! yourcompany
$! yourdepartment
$! your Certificate Authority certificate
$! firstname.lastname@yourcompany.com
$!
$! Copy the server_ca.* files to client_ca.* so that the CA can
$! be loaded on each side.
$!
$! $ copy ssl$key:server_ca.key ssl$key:client_ca.key
$! $ copy ssl$certs:server_ca.crt ssl$certs:client_ca.crt
$!
$!
$! Create the server certificate request.
$!
$! Note : There is no way to use the value of a symbol when the
$! value of a symbol is being supplied as input, as we do below.
$! To get around this, we create a .COM file on the fly and
$! execute the created .COM file to create the server
$! certificate request.
$!
$! $ hostname = f$trnlnm("tcpip$inet_host")
$! $ domain = f$trnlnm("tcpip$inet_domain")
$! $ server_name = hostname + "." + domain
$!
$! $ open/write s_com create_s_cert.com
$!
$! $ write s_com "$!"
$! $ write s_com "$ define/user sys$command sys$input"
$! $ write s_com "$ openssl req -new -nodes -config ssl$root:[000000]openssl-vms.cnf " -
$!   + "-keyout ssl$key:server.key -out ssl$certs:server.csr"
$! $ write s_com "yourcountry"
$! $ write s_com "yourstate"
$! $ write s_com "yourcity"
$! $ write s_com "yourcompany"
$! $ write s_com "yourdepartment"
$! $ write s_com "''server_name'"
$! $ write s_com "firstname.lastname@yourcompany.com"
$! $ write s_com ""
$! $ write s_com ""
$!
$! $ close s_com
$! $ @create_s_cert
$! $ delete create_s_cert.com;
$!
$!
$! Now, sign the server certificate ...
$!
$! $ define/user sys$command sys$input
$! $ openssl ca -config ssl$root:[000000]openssl-vms.cnf -cert ssl$certs:server_ca.crt -keyfile ssl$key:server_ca.key -
$!   -out ssl$certs:server.crt -infiles ssl$certs:server.csr
$! yourpassword
$! Y
$! Y
$!
$!
$! Create the client certificate request.
$!
$! $ define/user sys$command sys$input
$! $ openssl req -new -nodes -config ssl$root:[000000]openssl-vms.cnf -
$!   -keyout ssl$key:client.key -out ssl$certs:client.csr
$! yourcountry
$! yourstate
$! yourcity
$! yourcompany
$! yourdepartment
$! yourname
$! firstname.lastname@yourcompany.com
$!
$!
$!
$! Now, sign the client certificate ...
$!
$! $ define/user sys$command sys$input
$! $ openssl ca -config ssl$root:[000000]openssl-vms.cnf -cert ssl$certs:client_ca.crt -keyfile ssl$key:client_ca.key -
$!   -out ssl$certs:client.crt -infiles ssl$certs:client.csr
$! yourpassword
$! Y
$! Y
$!
$!
$! Let's view the CA certificate.
$!
$! $ openssl x509 -noout -text -in ssl$certs:server_ca.crt
$!
$!
$! Let's view the Server Certificate Request.
$!
$! $ openssl req -noout -text -in ssl$certs:server.csr
$!
$!
$! Let's view the Server Certificate.
$!
$! $ openssl x509 -noout -text -in ssl$certs:server.crt
$!
$!
$! Let's view the Client Certificate Request.
$!
$! $ openssl req -noout -text -in ssl$certs:client.csr
$!
$!
$! Let's view the Client Certificate.
$!
$! $ openssl x509 -noout -text -in ssl$certs:client.crt
$!
$!
$! Lastly, move the certificates and keys to the directory
$! in which you are building/running the examples.
$!
$ exit
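The same CA, request and signing flow as steps 1 to 6 above, written as an added POSIX shell example (not part of SSL$EXAMPLES_SETUP.COM or the OpenVMS SSL kit) using the plain openssl CLI, with a final openssl verify step that confirms each leaf actually chains to its CA before the files are copied next to the example programs. The minimal config file, SERVER_NAME and the subject fields are constructed placeholders standing in for openssl-vms.cnf and your site data.

```shell
# Added example, not from SSL$EXAMPLES_SETUP.COM: the same CA -> CSR -> signed
# cert flow on a POSIX system with the openssl CLI, plus the chain check the
# DCL template never runs. Subject fields and SERVER_NAME are placeholders.
set -eu
WORK="${WORK:-$(mktemp -d)}"
CNF="$WORK/openssl.cnf"
SERVER_NAME="server.example.test"   # placeholder: the server's TCP/IP hostname

# Minimal config standing in for openssl-vms.cnf; subjects come from -subj.
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_leaf ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
EOF

make_ca() {   # $1 basename, $2 common name: self-signed CA (step 1, option 5)
  openssl req -new -x509 -days 1825 -nodes -newkey rsa:2048 -config "$CNF" \
    -extensions v3_ca -subj "/C=US/O=yourcompany/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}
make_csr() {  # $1 basename, $2 common name: key + request (steps 3/5, option 3)
  openssl req -new -nodes -newkey rsa:2048 -config "$CNF" \
    -subj "/C=US/O=yourcompany/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}
sign_csr() {  # $1 leaf basename, $2 CA basename: issue the cert (steps 4/6, option 6)
  openssl x509 -req -days 365 -in "$WORK/$1.csr" -CA "$WORK/$2.crt" \
    -CAkey "$WORK/$2.key" -CAcreateserial -extfile "$CNF" -extensions v3_leaf \
    -out "$WORK/$1.crt" 2>/dev/null
}
verify_chain() {  # $1 leaf, $2 CA: exit 0 only if the leaf chains to that CA
  openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

make_ca server_ca "your Certificate Authority certificate"
cp "$WORK/server_ca.key" "$WORK/client_ca.key"   # step 2: same CA on both sides
cp "$WORK/server_ca.crt" "$WORK/client_ca.crt"
make_csr server "$SERVER_NAME"
sign_csr server server_ca
make_csr client yourname
sign_csr client client_ca
verify_chain server server_ca
verify_chain client client_ca
```

Because client_ca.* is a byte-for-byte copy of server_ca.*, verify_chain also succeeds for the client certificate against server_ca.crt: both sides trust one root, which is what the example programs expect.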