The SSL-enabled services are compiled with -DWITH_OPENSSL -DWITH_GZIP and
linked with -lgsoapssl -lssl -lcrypto -lz

How to generate a self-signed root certificate and client.pem/server.pem with
certificates signed by the root CA, for deployment in clients and servers.

Create a 'CA' directory and copy openssl.cnf, root.sh, and cert.sh to this
dir.

Change dir to 'CA'.

Modify the openssl.cnf file in the [req_distinguished_name] section for the
following items:

[ req_distinguished_name ]
countryName_default = US
stateOrProvinceName_default = Your-State
localityName_default = Your-City
0.organizationName_default = Your-Company-Name
emailAddress_default = your-email@address

If you are going to use these settings often, add this line to your .cshrc
(or the equivalent 'export OPENSSL_CONF=$HOME/CA/openssl.cnf' to your
.profile for a Bourne-style shell):

setenv OPENSSL_CONF $HOME/CA/openssl.cnf

To generate the root CA:

./root.sh

When prompted, choose a passphrase to protect the CA's private key that you
are about to generate. You need the passphrase again each time you sign a
certificate with the CA's private key.

Save root.pem and the passphrase in a safe place (don't distribute!).

You now have root.pem with the CA's private key and certificate, and
cacert.pem, the certificate of the CA (for distribution to every client and
server that must verify certificates signed by this CA).

root.pem and cacert.pem are valid for three years. Don't repeat this step
until the certificate expires: a new root CA means every client and server
has to be given the new cacert.pem.

Next, we generate the server.pem key file:

./cert.sh server

Enter a password when prompted, and enter the host name of the server (or
simply "localhost") when asked for the domain of the server application;
this is the name a client checks the server certificate against. The
password encrypts the private key of the server and will therefore be needed
by your server application to unlock the private key in server.pem when it
sets up secure communications. Use the root CA passphrase when prompted to
sign the server certificate.

When applicable, repeat the procedure for the client (use a fresh password and
select a host for the client application):

./cert.sh client

The client.pem and server.pem keys are valid for one year. Do not distribute
them: each includes a private key, and the password-based encryption of that
key is the only thing protecting it, which is not very secure. They are used
only locally by the SSL application. Only distribute the CA certificate.

Required files in HOME/CA directory:

openssl.cnf
root.sh
cert.sh

Files generated:

cacert.pem     root's certificate for distribution, to verify authentication
root.pem       root CA (to sign client/server key files, do not distribute!)
rootkey.pem    private key (do not distribute!)
rootreq.pem    sign request
root.srl       serial number

client.pem     client key file (do not distribute)
clientkey.pem  private key (do not distribute)
clientreq.pem  sign request

server.pem     server key (private key and certificate, do not distribute)
serverkey.pem  private key (do not distribute)
serverreq.pem  sign request

To print the contents of a PEM file:

openssl x509 -text -in file.pem

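The whole procedure above (root CA first, then a server and a client certificate signed by it) as one non-interactive shell script. This is an added example, not gSOAP's root.sh or cert.sh, and it calls only openssl(1). Beyond the file names the page lists, everything in it is an assumption of this example: RSA-2048 keys, SHA-256 signatures, the root self-signed in a single 'openssl req -x509' step (so no rootreq.pem is produced), a subjectAltName carrying the host name, CA:TRUE/CA:FALSE basic constraints on root and leaves, the placeholder passphrases ca-secret, server-secret and client-secret passed with -passout/-passin so the script runs unattended, and the output directory taken from the first argument (a temporary directory if none is given). It ends with the check worth doing before deployment: each leaf certificate must chain to cacert.pem, match its host name, and still carry an encrypted private key.

```sh
#!/bin/sh
# Added example, not gSOAP's root.sh/cert.sh: a non-interactive equivalent of
# the procedure above using only openssl(1). Assumptions of this example (not
# from the page): RSA-2048, SHA-256, the root self-signed in one step (no
# rootreq.pem), a subjectAltName for the host, and passphrases passed via
# -passout/-passin instead of being typed at a prompt.
set -eu

# Write the openssl.cnf the page describes (DN defaults) plus a CA extension
# section, so the result does not depend on the system-wide openssl.cnf.
write_config() {
    cat > "$1/openssl.cnf" <<'EOF'
[ req ]
default_bits        = 2048
default_md          = sha256
distinguished_name  = req_distinguished_name
x509_extensions     = v3_ca

[ req_distinguished_name ]
countryName_default         = US
stateOrProvinceName_default = Your-State
localityName_default        = Your-City
0.organizationName_default  = Your-Company-Name
emailAddress_default        = your-email@address

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Root CA, valid three years: rootkey.pem (passphrase-encrypted), cacert.pem
# (the only file to distribute) and root.pem (certificate + key, keep private).
make_root_ca() {
    openssl req -config "$1/openssl.cnf" -batch -new -x509 -newkey rsa:2048 -days 1095 \
        -subj "/C=US/ST=Your-State/L=Your-City/O=Your-Company-Name/CN=Example Root CA" \
        -passout "pass:$2" -keyout "$1/rootkey.pem" -out "$1/cacert.pem"
    cat "$1/cacert.pem" "$1/rootkey.pem" > "$1/root.pem"
}

# Leaf, valid one year: <name>key.pem, <name>req.pem, <name>cert.pem signed by
# the CA, and <name>.pem = certificate + encrypted key for the application.
# $6 is serverAuth or clientAuth (extended key usage).
make_cert() {
    dir=$1 name=$2 host=$3 keypass=$4 capass=$5 eku=$6
    openssl req -config "$dir/openssl.cnf" -batch -new -newkey rsa:2048 \
        -subj "/C=US/ST=Your-State/L=Your-City/O=Your-Company-Name/CN=$host" \
        -passout "pass:$keypass" -keyout "$dir/${name}key.pem" -out "$dir/${name}req.pem"
    # 'x509 -req' ignores extensions inside the CSR, so the leaf extensions
    # (not a CA, SAN with the host name a peer will check) are given here.
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'keyUsage = digitalSignature, keyEncipherment' \
        "extendedKeyUsage = $eku" \
        "subjectAltName = DNS:$host" > "$dir/${name}ext.cnf"
    openssl x509 -req -days 365 -sha256 -in "$dir/${name}req.pem" \
        -CA "$dir/cacert.pem" -CAkey "$dir/rootkey.pem" -passin "pass:$capass" \
        -CAcreateserial -CAserial "$dir/root.srl" \
        -extfile "$dir/${name}ext.cnf" -out "$dir/${name}cert.pem"
    cat "$dir/${name}cert.pem" "$dir/${name}key.pem" > "$dir/$name.pem"
}

# Deployment check: the leaf chains to cacert.pem and matches its host name,
# its private key is still passphrase-protected, and the bundle holds both.
check_cert() {
    _dir=$1 _name=$2 _host=$3
    openssl verify -CAfile "$_dir/cacert.pem" -verify_hostname "$_host" \
        "$_dir/${_name}cert.pem" >/dev/null || return 1
    grep -q 'ENCRYPTED PRIVATE KEY' "$_dir/${_name}key.pem" || return 1
    grep -q 'BEGIN CERTIFICATE' "$_dir/$_name.pem" && grep -q 'PRIVATE KEY' "$_dir/$_name.pem"
}

# Produce the whole CA directory. The passphrases are placeholders that stand
# in for the ones root.sh and cert.sh prompt for.
generate_all() {
    mkdir -p "$1"
    write_config "$1"
    make_root_ca "$1" ca-secret
    make_cert "$1" server localhost server-secret ca-secret serverAuth
    make_cert "$1" client localhost client-secret ca-secret clientAuth
}

main() {
    out=${1:-$(mktemp -d)}
    generate_all "$out"
    check_cert "$out" server localhost
    check_cert "$out" client localhost
    echo "generated in $out:"
    openssl x509 -noout -subject -issuer -dates -in "$out/server.pem"
}
main "$@"
```

Run it as 'sh mkcerts.sh CA' (the file name is assumed). The literal passphrases are there only so the example runs unattended; in real use keep them out of the script and supply them through a file or an agent. 'openssl verify -CAfile cacert.pem servercert.pem' is the check to repeat whenever a certificate is re-issued, and the CA:FALSE constraint on the leaves is what stops a leaked server.pem from being used to sign further certificates.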