Generating SSL Certificates and Keys

To generate SSL certificates and keys, perform the following tasks.

For more detailed information on creating signed certificates, refer to the OpenSSL documentation.

The documentation includes examples and sample procedures to show how to create certificates and keys. The commands shown allow many other possible options not used in these examples. Create commands based on your specific environment.

Create a Certificate Authority Private Key and Public Certificate

Create a Certificate Authority (CA) private key and public certificate. For more information on using the following commands, see the OpenSSL documentation.

  1. Generate the CA files serverca.crt and servercakey.pem. This allows the signing of server and client keys:

    $ openssl genrsa -out servercakey.pem
    $ openssl req -config openssl_req_CA.conf -new -x509 -key servercakey.pem \
        -out serverca.crt

    You can add multiple CA files to the .crt file with the following command:

    $ cat serverca_new.crt >> serverca.crt

    This concatenates the serverca_new.crt file onto the original CA file serverca.crt. You can run this command multiple times to concatenate additional CA files.

  2. Create the server private key (server.key) and the CA-signed server certificate (server.crt):

    $ openssl genrsa -out server.key
    $ openssl req -config openssl_req_server.conf -new -key server.key -out server_reqout.txt
    $ openssl x509 -req -in server_reqout.txt -days 3650 -sha256 -CAcreateserial \
        -CA serverca.crt -CAkey servercakey.pem -out server.crt

  3. Create the client private key (client.key) and the CA-signed client certificate (client.crt):

    $ openssl genrsa -out client.key
    $ openssl req -config openssl_req_client.conf -new -key client.key -out client_reqout.txt
    $ openssl x509 -req -in client_reqout.txt -days 3650 -sha256 -CAcreateserial \
        -CA serverca.crt -CAkey servercakey.pem -out client.crt

    Sign with -sha256 (or stronger): current OpenSSL releases and TLS clients reject certificates whose signatures use SHA-1.
  4. Enter values such as the following sample CA certificate values in response to the openssl command-line prompts. The actual values you enter will differ from the sample values.

    Rather than entering these values at the command-line prompts, you can provide the same information in .conf files, for example the openssl_req_CA.conf file in the preceding example.

    Country Name (2 letter code) [GB]:US
    State or Province Name (full name) [Berkshire]:Massachusetts
    Locality Name (e.g., city) [Newbury]:Cambridge
    Organization Name (e.g., company) [My Company Ltd]:CorpName
    Organizational Unit Name (e.g., section) []:TechSupport
    Common Name (e.g., your name or server hostname) []:myhost
    Email Address []:myhost@CorpName.com

  5. Include one unique Distinguished Name (DN) for each certificate that you create. In the preceding examples, the DN is the Organizational Unit Name.
  6. Set file permissions so that only the owner can read the keys and certificates:

    $ chmod 700 server.crt server.key
    $ chmod 700 client.crt client.key

  7. Rename the CA file serverca.crt to root.crt, and do one of the following:

    - copy it to VSQL_HOME, or
    - point to it in the ODBC DSN Configuration dialog

  8. For mutual mode, make the CA a trusted Certificate Authority for the client on the server:

    => ALTER DATABASE <mydb> SET SSLCA = '<content of serverca.crt>';
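The following shell script is an added example, not part of this page or of the product's own documentation. It runs steps 1 through 3 and 6 above non-interactively, writing constructed .conf files in place of the openssl_req_CA.conf, openssl_req_server.conf and openssl_req_client.conf files (whose contents the page does not show), then checks the result with `openssl verify`: both leaf certificates must chain to serverca.crt, and a certificate must be rejected when checked against an unrelated CA. It assumes only the openssl command-line tool; the subject values, hostnames, config section names and the added basicConstraints/keyUsage/subjectAltName extensions are assumptions for illustration.

```shell
#!/bin/sh
# Added example: scripted version of the CA / server / client procedure.
# Assumes only the openssl CLI. File names follow the page; the config
# contents and extension sections are constructed for this example.
set -eu

# Write a non-interactive request config. This stands in for the
# openssl_req_*.conf files the procedure refers to (subject values are samples).
write_req_conf() {  # $1 = file, $2 = Common Name, $3 = x509 extension section
  cat > "$1" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = $3
[ dn ]
C  = US
ST = Massachusetts
L  = Cambridge
O  = CorpName
OU = TechSupport
CN = $2
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Step 1: CA private key (servercakey.pem) and self-signed CA cert (serverca.crt).
make_ca() {  # $1 = workdir
  write_req_conf "$1/openssl_req_CA.conf" "CorpName CA" v3_ca
  openssl genrsa -out "$1/servercakey.pem" 2048 2>/dev/null
  chmod 600 "$1/servercakey.pem"          # owner read/write only
  openssl req -config "$1/openssl_req_CA.conf" -new -x509 -sha256 -days 3650 \
    -key "$1/servercakey.pem" -out "$1/serverca.crt"
}

# Steps 2/3: private key, CSR, and CA-signed certificate for one endpoint.
issue_cert() {  # $1 = workdir, $2 = name (server|client), $3 = CN, $4 = ext section
  write_req_conf "$1/openssl_req_$2.conf" "$3" "$4"
  openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
  openssl req -config "$1/openssl_req_$2.conf" -new -key "$1/$2.key" \
    -out "$1/$2_reqout.txt"
  openssl x509 -req -in "$1/$2_reqout.txt" -days 3650 -sha256 -CAcreateserial \
    -CA "$1/serverca.crt" -CAkey "$1/servercakey.pem" \
    -extfile "$1/openssl_req_$2.conf" -extensions "$4" -out "$1/$2.crt" 2>/dev/null
  chmod 600 "$1/$2.key" "$1/$2.crt"       # step 6 (600 suffices; no execute bit needed)
}

# Does certificate $2 chain to the CA in $1? Exit status 0 = yes.
verify_chain() {  # $1 = CA file, $2 = certificate
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# End-to-end run in scratch directories. Prints PASS and returns 0 when both
# leaf certs verify against serverca.crt and a foreign CA does NOT accept them.
demo() {
  dir=$(mktemp -d)
  make_ca "$dir"
  issue_cert "$dir" server myhost v3_server
  issue_cert "$dir" client vsql-client v3_client

  other=$(mktemp -d)                      # unrelated CA, to show rejection
  make_ca "$other"

  status=0
  verify_chain "$dir/serverca.crt" "$dir/server.crt" || status=1
  verify_chain "$dir/serverca.crt" "$dir/client.crt" || status=1
  # A certificate that does not chain to the trusted CA must fail verification.
  if verify_chain "$other/serverca.crt" "$dir/server.crt"; then status=1; fi
  rm -rf "$dir" "$other"
  [ "$status" -eq 0 ] && echo PASS || echo FAIL
  return "$status"
}

if command -v openssl >/dev/null 2>&1; then
  demo
fi
```

Run it as `sh gen_certs.sh`; it prints PASS on success. The extension sections go beyond the page's bare commands: CA:TRUE plus keyCertSign marks the root as a CA under strict checking, and the subjectAltName on the server certificate is what current clients match the hostname against. The serverca.crt produced this way is the file whose contents step 8 places in SSLCA for mutual mode.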

You now have a CA private key, servercakey.pem, and a CA public certificate, serverca.crt. Use both the private key and the public certificate in the procedures that follow for creating server and client certificates.