PMDF System Manager's Guide

15.4.2 tls_certreq, the Certificate Request Utility

The certificate request utility is used to generate a key pair, generate a certificate request which can then be signed by a Certificate Authority, and also generate a self-signed certificate.

You must be privileged to use this utility. To run the utility, issue the OpenVMS command:

    $ RUN PMDF_EXE:tls_certreq

or the UNIX command

    # /pmdf/bin/tls_certreq

or the NT command

    C:\> tls_certreq

The utility prompts for several pieces of information including:

  1. How many bits of encryption you would like to use. [4]
  2. The name of the file in which to store the private key part of the RSA key pair.
  3. Your e-mail address (as the person responsible for the certificate request).
  4. The domain name for the PMDF system, or a wildcarded domain name for your site.
  5. The two-character ISO country code [5] for the country in which the PMDF system is located.
  6. The state or province in which the PMDF system is located.
  7. The city in which the PMDF system is located.
  8. The official name of your organization.
  9. Optional additional organization information.
  10. The name of the file in which to store the generated certificate request.
  11. The number of days for which you would like your temporary self-signed certificate to be valid.
  12. The name of the file in which to store the self-signed certificate.

The three files produced as output by the tls_certreq utility consist primarily of BASE64 encoded data, and are not especially intelligible without decoding. (However, see the tls_certdump utility which can display the data in such files.) For convenience in managing such files, the files are labelled with an initial text line describing the contents.

The private key file (default name server-priv.pem) contains your secret private key and must therefore be protected against world access. It begins with the line:

    -----BEGIN RSA PRIVATE KEY-----

The certificate request file (default name server-certreq.pem) contains your public key and is the file to be sent to a Certificate Authority for signing. It begins with the line:

    -----BEGIN CERTIFICATE REQUEST-----

The self-signed certificate file (default name server-selfsign.pem) is the file you can use while awaiting signing of your certificate request by a Certificate Authority; it must be renamed to server-pub.pem if you want to use it during that period. It begins with the line:

    -----BEGIN CERTIFICATE-----
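As an added example (not part of the PMDF documentation or of tls_certreq itself), the following Python checker applies the conventions just described to the three output files: the first-line label must match the file's default name, the BASE64 body must decode to a DER SEQUENCE, and server-priv.pem must not be accessible by group or world. It assumes UNIX-style file names and mode bits; the PEM text used in its test is constructed, not a real key.

```python
import base64
import re
import stat

# First-line label each tls_certreq output file should carry, keyed by default
# file name (server-selfsign.pem is renamed server-pub.pem when put in service).
EXPECTED_LABEL = {
    "server-priv.pem": "RSA PRIVATE KEY",
    "server-certreq.pem": "CERTIFICATE REQUEST",
    "server-selfsign.pem": "CERTIFICATE",
    "server-pub.pem": "CERTIFICATE",
}
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def parse_pem(text):
    """Return (label, DER bytes) for the first PEM block in text, else None."""
    match = PEM_RE.search(text)
    if not match:
        return None
    try:
        der = base64.b64decode("".join(match.group(2).split()), validate=True)
    except ValueError:
        return None
    return match.group(1), der

def check_output(name, text, mode):
    """Check one tls_certreq output file (default name, contents, UNIX mode bits).
    Returns a list of problems; an empty list means the file looks as expected."""
    expected = EXPECTED_LABEL.get(name)
    if expected is None:
        return [f"{name}: not a tls_certreq output file name"]
    parsed = parse_pem(text)
    if parsed is None:
        return [f"{name}: no decodable PEM block"]
    label, der = parsed
    problems = []
    if label != expected:
        problems.append(f"{name}: labelled {label!r}, expected {expected!r}")
    # Key, request and certificate are all DER SEQUENCEs (first byte 0x30).
    if not der or der[0] != 0x30:
        problems.append(f"{name}: body is not a DER SEQUENCE")
    # Only the private key must be kept from group and world access.
    if name == "server-priv.pem" and mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{name}: group/world accessible (mode {stat.S_IMODE(mode):04o})")
    return problems
```

To check a real file, call check_output(os.path.basename(path), open(path).read(), os.stat(path).st_mode).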

Note

[4] Due to United States export restriction regulations, most sites outside the United States and Canada will be limited to at most 1024 bits. Sites inside the United States and Canada can select up to the current PMDF-TLS maximum of 2048 bits, although note that currently the greatest number of bits likely to be supported by any client is 1024, so for practical purposes using more than 1024 bits is not recommended. Also note that most currently existing "export version" TLS-enabled clients are still limited to 512 bits. When negotiating with such clients, if the PMDF-TLS certificate key length is greater than 512 bits, PMDF-TLS will automatically negotiate the TLS connection with a temporary 512 bit key.

[5] ISO country codes essentially correspond to the list of two-character top level country domains listed in the internet.rules file in the PMDF table directory.
