X.509 certificates, in addition to private key files, are used to support authentication with digital certificates in a test that uses IPSec or TLS. After you have generated private keys using the test server's CA, you can generate an X.509 certificate for each private key.
The generateX509Certificates command generates the certificate file and places it in the directory accessed during the test: /home/cfguser/rsa. The command can be used with the following parameters:
--help — prints out the command line parameters and gives a brief description of each.
--cacert <file name> — The file name of the CA's root certificate. The default certificate is cacert.pem, located in the /home/cfguser/sseworks directory.
--cakey <file name> — The file name of the CA’s private RSA key. The default private key is caKey.pem, located in the /home/cfguser/sseworks/private directory.
--password <cakey file password> — Enter password (up to 20 characters) for the CA’s private RSA key file.
--signatureAlgo <signature algorithm> — Enter the signature algorithm for the CA’s private RSA key file. Currently supported: MD5 (default), SHA1, SHA256, SHA384, and SHA512.
--requestor <file name> — The name of the file that contains policy information for each certificate requester. This file must contain at least one policy, and can contain as many as required. As the certificates are generated, requesters are selected from the file in a round-robin manner. The default file is x509Requestors.txt, located in the /home/cfguser/sseworks directory. You can modify this file or import a new file into the sseworks directory. Whatever method you choose, the file format must follow the guidelines in x509Requestors.txt.
--private <file name> — The file, located in the /home/cfguser/rsa directory, that contains the private RSA keys. One certificate is generated for every key in the file. The default key file is privRsaKey.pem.
--serial <starting number> — The starting serial number to be used when generating certificates. It will be incremented by 1 for each subsequent certificate. The default starting serial number is 1.
--cout <file name> — The name of the file that will contain the generated X.509 certificates. The default file name is x509Certificates.pem.
IMPORTANT: Certificate generation can take several hours, depending on the number of certificates, and the amount of test server resources consumed will adversely affect test operations. Reserve the test server to prevent other users from running test sessions during certificate generation.
To generate an X.509 certificate file:
SSH to the test server and log in as cfguser.
Change to the CA directory: cd sseworks.
Enter the generate command. If the default file names and starting number are acceptable, no parameters are required. As with the key files, the certificate file name is specified in the test definition. The input files used by the process must reside in the directories specified in the parameter definitions above.
##> generateX509Certificates --private MyPrivateKeys.pem --cout MyCerts.pem
A confirmation message is displayed as the process begins, and a progress message is printed after every 1000 certificates are generated. When the process is complete, a final time stamp is printed and the prompt is displayed as shown below.
Creating X509 Certificates using the following data...
Input:
CA certificate file: /home/cfguser/sseworks/cacert.pem
CA RSA Private key file: /home/cfguser/sseworks/private/caKey.pem
CA RSA Private key password: 1234
Signature Algorithm : signature algorithm
Certificate Requestor file: /home/cfguser/sseworks/x509Requestors.txt
Private RSA key file: /home/cfguser/rsa/MyPrivateKeys.pem
Output:
X509 Certificate file: /home/cfguser/rsa/MyCerts.pem
Processing certificates Time: Mon Jun 20 15:51:48
processing certificate # 1000 Time: Mon Jun 20 15:53:02
processing certificate # 2000 Time: Mon Jun 20 15:54:17
processing certificate # 3000 Time: Mon Jun 20 15:55:31
processing certificate # 4000 Time: Mon Jun 20 15:56:46
processing certificate # 5000 Time: Mon Jun 20 15:58:00
processing certificate # 6000 Time: Mon Jun 20 15:59:15
processing certificate # 7000 Time: Mon Jun 20 16:00:29
processing certificate # 8000 Time: Mon Jun 20 16:01:44
processing certificate # 9000 Time: Mon Jun 20 16:02:58
processing certificate # 10000 Time: Mon Jun 20 16:04:13
processed 10000 certificates Time: Mon Jun 20 16:04:13
##>
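Once the run finishes, it is worth checking the bundle before the test definition consumes it. The script below is an added example, not part of the test server's tooling: it counts the certificates in a PEM file such as MyCerts.pem, confirms that the serial numbers run consecutively from the --serial value, and reports the signature digest in use, flagging MD5 (the --signatureAlgo default) and SHA1, which current TLS peers generally reject as certificate signature digests. It parses the DER directly, so it runs without OpenSSL. The sample bundle at the bottom is constructed inside the script (empty names, dummy key and signature) so that it runs offline; against a real file, call inspect_bundle with the file's bytes and the number of keys in the private key file.

```python
"""Sanity-check a generated PEM certificate bundle without OpenSSL (added example,
not part of the test server's tooling). Only the serialNumber and signature
AlgorithmIdentifier of each TBSCertificate are parsed, with a minimal DER walker."""
import base64
import re

PEM_CERT_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
# Signature OIDs for the digests accepted by --signatureAlgo (RSA PKCS#1 v1.5).
SIG_OIDS = {"1.2.840.113549.1.1.4": "MD5", "1.2.840.113549.1.1.5": "SHA1",
            "1.2.840.113549.1.1.11": "SHA256", "1.2.840.113549.1.1.12": "SHA384",
            "1.2.840.113549.1.1.13": "SHA512"}
WEAK = {"MD5", "SHA1"}  # generally refused as certificate signature digests by current TLS stacks

def pem_to_der_list(pem_bytes):
    """Split a PEM bundle into raw DER certificates, in file order."""
    return [base64.b64decode(b"".join(m.split())) for m in PEM_CERT_RE.findall(pem_bytes)]

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """OID content bytes -> dotted string, e.g. 1.2.840.113549.1.1.11."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def cert_serial_and_sigalg(der):
    """Return (serial, digest name) from Certificate.tbsCertificate."""
    _, cert, _ = read_tlv(der, 0)                  # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)                  # tbsCertificate ::= SEQUENCE
    tag, _, pos = read_tlv(tbs, 0)
    if tag != 0xA0:                                # [0] EXPLICIT version is OPTIONAL
        pos = 0
    tag, serial_bytes, pos = read_tlv(tbs, pos)    # serialNumber INTEGER
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber")
    _, algid, _ = read_tlv(tbs, pos)               # signature AlgorithmIdentifier
    tag, oid, _ = read_tlv(algid, 0)
    if tag != 0x06:
        raise ValueError("expected OID in AlgorithmIdentifier")
    dotted = decode_oid(oid)
    return int.from_bytes(serial_bytes, "big", signed=True), SIG_OIDS.get(dotted, dotted)

def inspect_bundle(pem_bytes, expected_count, start_serial=1):
    """Check certificate count, serials consecutive from --serial, and digest strength."""
    parsed = [cert_serial_and_sigalg(d) for d in pem_to_der_list(pem_bytes)]
    problems = []
    if len(parsed) != expected_count:
        problems.append(f"expected {expected_count} certificates, found {len(parsed)}")
    if [s for s, _ in parsed] != list(range(start_serial, start_serial + len(parsed))):
        problems.append("serial numbers are not consecutive from the --serial value")
    weak = sorted({a for _, a in parsed if a in WEAK})
    if weak:
        problems.append("weak signature digest in use: " + ", ".join(weak))
    return {"count": len(parsed), "algorithms": sorted({a for _, a in parsed}),
            "problems": problems}

# Constructed sample input: structurally valid certificates with empty names and a dummy
# key and signature, so no CA or private key is needed to run this offline.
def _tlv(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

def make_sample_cert(serial, sig_oid):
    algid = _tlv(0x30, _oid(sig_oid) + b"\x05\x00")           # AlgorithmIdentifier + NULL
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))                 # [0] EXPLICIT INTEGER 2 (v3)
    serial_tlv = _tlv(0x02, serial.to_bytes(serial.bit_length() // 8 + 1, "big", signed=True))
    validity = _tlv(0x30, _tlv(0x17, b"250101000000Z") * 2)
    spki = _tlv(0x30, _tlv(0x30, _oid("1.2.840.113549.1.1.1") + b"\x05\x00") + _tlv(0x03, b"\x00\x30\x00"))
    tbs = _tlv(0x30, version + serial_tlv + algid + _tlv(0x30, b"") + validity + _tlv(0x30, b"") + spki)
    return _tlv(0x30, tbs + algid + _tlv(0x03, b"\x00" * 17))  # dummy signature BIT STRING

def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Three certificates with serials 1..3, signed with the --signatureAlgo default, MD5.
SAMPLE_BUNDLE = "".join(der_to_pem(make_sample_cert(s, "1.2.840.113549.1.1.4"))
                        for s in range(1, 4)).encode()

if __name__ == "__main__":
    print(inspect_bundle(SAMPLE_BUNDLE, expected_count=3))
```

The walker reads only the leading TBSCertificate fields and never touches the signature, so it accepts any well-formed certificate regardless of who issued it; verifying the chain against cacert.pem is a separate step that openssl verify handles.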
If the test requires a DER format, convert the certificate file:
Change to the rsa directory: cd /home/cfguser/rsa.
Enter the conversion command: openssl x509 -inform PEM -outform DER -in <pem-file-name> -out <der-file-name>
Using the example file above:
##> openssl x509 -inform PEM -outform DER -in MyCerts.pem -out MyCerts.der
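One caveat on this conversion: openssl x509 reads a single certificate, so -outform DER writes only the first certificate of MyCerts.pem, and DER has no multi-certificate container. The helper below is an added example, not the test server's tooling (the output directory and file naming are assumptions): it writes every certificate in a PEM bundle to its own DER file and refuses entries that do not decode to a DER SEQUENCE, so a damaged bundle fails loudly instead of producing an unusable file.

```python
"""Write each certificate in a PEM bundle to its own DER file (added example,
not part of the test server's tooling)."""
import base64
import re
from pathlib import Path

PEM_CERT_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_bundle_to_der_files(pem_path, out_dir, stem="cert"):
    """Return the paths written, one <stem>-<n>.der per certificate, in bundle order."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for n, body in enumerate(PEM_CERT_RE.findall(Path(pem_path).read_bytes()), start=1):
        der = base64.b64decode(b"".join(body.split()), validate=True)
        # A DER certificate always starts with the outer SEQUENCE tag (0x30); anything
        # else means the PEM entry is damaged or is not a certificate at all.
        if not der or der[0] != 0x30:
            raise ValueError(f"entry {n} of {pem_path} is not a DER SEQUENCE")
        path = out_dir / f"{stem}-{n:05d}.der"
        path.write_bytes(der)
        written.append(path)
    return written


if __name__ == "__main__":
    # Assumed paths, following the manual's example file; adjust to the test definition.
    files = pem_bundle_to_der_files("/home/cfguser/rsa/MyCerts.pem", "/home/cfguser/rsa/der")
    print(f"wrote {len(files)} DER files")
```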
If the test requires PKCS#12 format, combine the private keys and certificates into one file:
Change to the rsa directory: cd /home/cfguser/rsa.
Enter the conversion command: openssl pkcs12 -export -in <pem-certificate-file-name> -inkey <pem-private-key-file-name> -out <pkcs12-certificate-and-key-file>
Using the example files:
##> openssl pkcs12 -export -in MyCerts.pem -inkey MyPrivateKeys.pem -out MyKeys.p12
Recycle the test server to register the new files.