Generating a Certificate Authority & Key-Pair

The following section describes the process of creating a Certificate Authority (CA) and a key-pair for a DXL client in a Windows environment. The steps for Linux-based platforms are similar to those presented for Windows. The installation of OpenSSL for the various Linux platforms, however, is outside the scope of this document.

The Certificate Authority (Steps 1 through 4) only has to be created once. Steps 5 through 7 are repeated for each DXL client that is going to connect to the DXL fabric.

  1. Download and install OpenSSL for Windows from http://www.slproweb.com/products/Win32OpenSSL.html.
    1. Select the Win32 OpenSSL Light or Win64 OpenSSL Light package, depending on the architecture of the machine (32-bit or 64-bit).
    2. If a message appears during setup indicating that a critical component is missing (Microsoft Visual C++ 2008 Redistributables), cancel the setup, install one of the following packages (based on your architecture), and then run the OpenSSL setup again:
      1. Visual C++ 2008 Redistributables (x86), available at: http://www.microsoft.com/downloads/details.aspx?familyid=9B2DA534-3E03-4391-8A4D-074B9F2BC1BF
      2. Visual C++ 2008 Redistributables (x64), available at: http://www.microsoft.com/downloads/details.aspx?familyid=bd2a6171-e2d6-4230-b809-9a8d7548c1b6

  2. Open Command Prompt and set OpenSSL environment variables
    1. Open a command prompt (Start > Run > cmd.exe)
    2. Set the following environment variables (adjust the OpenSSL path to your install location; the 64-bit package installs to c:\OpenSSL-Win64 by default):
      1. C:\>set OPENSSL_BIN=c:\OpenSSL-Win32\bin
      2. C:\>set PATH=%OPENSSL_BIN%;%PATH%
      3. C:\>set OPENSSL_CONF=%OPENSSL_BIN%\openssl.cfg
    3. These environment variables may also be permanently defined in your computer settings.

  3. At the command prompt, create and change to a directory for the output files
    1. Create the directory: c:\>mkdir c:\certificates
    2. Change to the output directory: c:\>cd c:\certificates

  4. Create Certificate Authority (CA)
    1. Create the certificate authority (CA): c:\certificates>openssl req -new -x509 -days 365 -extensions v3_ca -keyout ca.key -out ca.crt
    2. Fill out the required information:

      Generating a 2048 bit RSA private key
      ..............................................................+++
      ..............................................................+++
      Writing new private key to 'ca.key'
      Enter PEM pass phrase:dxl123
      Verifying - Enter PEM pass phrase:dxl123
      -----
      You are about to be asked to enter information that will be incorporated into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.

    3. At this point the Certificate Authority's private key (ca.key) and certificate (ca.crt) have been created.
      1. Remember the PEM pass phrase entered when creating the private key; it is required every time a client certificate is signed. The value dxl123 shown above is only an example; use a strong pass phrase.
      2. Protect the Certificate Authority private key (ca.key). Anyone who obtains it can issue certificates that the fabric will trust. Restrict file access to it and never copy it to a client; only ca.crt is shared.

  5. Provision a key-pair for a DXL Client (Python)
    1. Generate a private key for the client: c:\certificates>openssl genrsa -out client.key 2048
       (this key is written without a pass phrase, so restrict file access to it; once the certificate is issued, anyone holding client.key can authenticate as this client)
    2. The following should be displayed:

      Generating RSA private key, 2048 bit long modulus
      .......................+++
      ..................................................+++
      e is 65537 (0x10001)

    3. Create a Certificate Signing Request (CSR) for the client: c:\certificates>openssl req -out client.csr -key client.key -new
    4. Fill out the required information:
      1. The "challenge password" can be left blank (the default).
      2. NOTE: The "Organizational Unit Name" entered here must not be the same as the "Organizational Unit Name" entered in Step #4 (Create Certificate Authority). The client's Distinguished Name has to differ from the CA's in at least one field: if the two DNs were identical, the signed certificate would carry the same subject and issuer name, OpenSSL would treat it as self-signed, and the validation in Step #7 would fail.

      You are about to be asked to enter information that will be incorporated into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.

  6. Sign the Certificate Signing Request (CSR)
    1. Have the Certificate Authority (CA) sign the signing request (CSR): c:\certificates>openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365
    2. When prompted, enter the CA PEM pass phrase from Step #4, above. The output will be similar to the following:

      Signature ok
      subject=C = US, ST = NJ, L = Somerset, O = Asset Manager, CN = Asset Manager, emailAddress = support@Asset Manager.com
      Getting CA Private Key
      Enter pass phrase for ca.key:dxl123

    3. At this point the certificate client.crt and its private key client.key are created for use with a DXL client; client.csr is no longer needed.
      1. -CAcreateserial writes the serial number file ca.srl next to ca.crt on the first signing and increments it on later signings. Keep ca.srl together with the CA files so that every certificate issued by this CA gets a distinct serial number.

  7. Validate Certificate (Optional)
    1. The following command can be used to ensure the client certificate is valid for the certificate authority: c:\certificates>openssl verify -verbose -CAfile ca.crt client.crt
    2. If the certificate is valid, the output will be as shown: client.crt: OK
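Steps 4 through 7 above, as an added example that is not part of this document or of the DXL project: a POSIX shell script that runs the same openssl commands non-interactively (the Linux case the introduction refers to). It assumes openssl is on PATH, takes the CA pass phrase from an environment variable named CA_PASS, writes its own minimal openssl.cnf instead of relying on OPENSSL_CONF, and adds client-authentication extensions to the client certificate, which the documented x509 -req command does not. The DN values, directory and file names are made up for the example.

```shell
#!/bin/sh
# Added example (not from the DXL documentation): Steps 4 to 7 of the
# procedure above, run non-interactively with openssl on PATH. DN values,
# file names, the CA_PASS variable and the config below are assumptions.
set -eu

# Minimal OpenSSL config so the script does not depend on OPENSSL_CONF.
# v3_client is an addition: the documented x509 -req command issues the
# client certificate without any extensions.
write_config() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Step 4: create the CA once. The key pass phrase comes from the CA_PASS
# environment variable (env:) so it never appears on a command line.
create_ca() {
  dir="$1"
  : "${CA_PASS:?set CA_PASS to the CA key pass phrase}"
  mkdir -p "$dir"
  write_config "$dir/openssl.cnf"
  openssl req -new -x509 -days 365 -config "$dir/openssl.cnf" -extensions v3_ca \
    -newkey rsa:2048 -keyout "$dir/ca.key" -passout env:CA_PASS \
    -out "$dir/ca.crt" -subj "/C=US/O=Example DXL/OU=DXL CA/CN=Example DXL CA" 2>/dev/null
  chmod 600 "$dir/ca.key"   # Step 4.3.2: only the signer may read the CA key
}

# Steps 5 and 6: key, CSR and CA-signed certificate for one client.
provision_client() {
  dir="$1"; name="$2"
  openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
  chmod 600 "$dir/$name.key"   # the client key is written unencrypted
  # The OU differs from the CA's OU (note in Step 5.4) so that the subject
  # DN is never identical to the issuer DN.
  openssl req -new -config "$dir/openssl.cnf" -key "$dir/$name.key" \
    -subj "/C=US/O=Example DXL/OU=DXL Clients/CN=$name" -out "$dir/$name.csr"
  # -CAcreateserial creates ca.srl on the first signing and increments it
  # afterwards, so every certificate from this CA gets a distinct serial.
  openssl x509 -req -days 365 -in "$dir/$name.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial -passin env:CA_PASS \
    -extfile "$dir/openssl.cnf" -extensions v3_client -out "$dir/$name.crt" 2>/dev/null
}

# Step 7, plus a check the documentation does not show: the certificate must
# chain to ca.crt AND its public key must match the private key it will be
# deployed with (openssl verify alone does not check the key).
verify_client() {
  dir="$1"; name="$2"
  openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null 2>&1 || return 1
  crt_pub=$(openssl x509 -in "$dir/$name.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/$name.key" -pubout)
  [ "$crt_pub" = "$key_pub" ]
}

# Serial number of an issued certificate (hex, as printed by openssl).
cert_serial() {
  openssl x509 -in "$1/$2.crt" -noout -serial | sed 's/^serial=//'
}

# Subject of an issued certificate in RFC 2253 form, e.g. CN=client1,OU=...
cert_subject() {
  openssl x509 -in "$1/$2.crt" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Usage: CA_PASS='...' sh dxl_pki.sh /path/to/certificates client-name
if [ "$#" -eq 2 ]; then
  [ -f "$1/ca.key" ] || create_ca "$1"   # the CA is created only once
  provision_client "$1" "$2"
  if verify_client "$1" "$2"; then
    echo "$2.crt: OK, subject $(cert_subject "$1" "$2"), serial $(cert_serial "$1" "$2")"
  else
    echo "$2.crt: verification FAILED" >&2
    exit 1
  fi
fi
```

Running the script a second time with another client name reuses the existing ca.key, ca.crt and ca.srl, which is the "create the CA once, provision per client" split from the start of this section. The negative case matters as much as the positive one: a certificate issued by a different CA, even with an identical subject, must fail verify_client, because that failure is exactly what stops an arbitrary certificate from joining the fabric.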