Technical data

CACERTS = <CA certificate filename>
SERVKEY = <server private key filename>
SERVKEYPASS = <key password>
On the PC side, the certificate will be trusted by default if:
The certificate is not self-signed.
The certificate is valid (and not expired).
The certificate is signed by a trusted CA.
If the certificate has a SAN, the server’s address matches one of the entries in the SAN.
If the certificate does not have a SAN, the server’s address matches the Subject CN.
If any of these are not the case, there will be a warning dialog. In OSM Service Connection, a
warning dialog (sometimes two) will be displayed detailing the issues with the certificate. The user
will have the option to exit at this point or to continue on with OSM despite these issues. Also, the
user will have the option to trust this certificate or this CA in the future and automatically skip past
the warning dialog. In OSM Event Viewer, the behavior is dependent on Internet Explorer and IE’s
security settings. A variety of different warnings are possible depending on the version of IE and
how tightly security is set on the browser.
IE’s certificate list can be reached by opening IE, and selecting Tools > Internet Options > Content
tab, and clicking the Certificates button.
Java’s certificate list can be reached by selecting Start > Control Panel > Java > Security tab, and
clicking the Certificates button.
Example: How To Generate a Private SSL Certificate Using OpenSSL
This section describes just one of the possible methods for generating a private certificate. You
can use alternative methods as long as you meet the “Requirements for Generating and Activating
a Private SSL Certificate”. This example includes creating a CA, adding it to the trusted list, and
securing one server with a certificate. See “Requirements for Generating and Activating a Private
SSL Certificate” for an example of the config.txt file.
1. Obtain a copy of OpenSSL. These instructions are designed for Win32 OpenSSL (1.0.0g, 18
Jan 2012):
http://www.slproweb.com/products/Win32OpenSSL.html
2. Create the index.txt file and leave it empty. Create the serial.txt file and include the
following one line text in it:
01
3. Create the internal root CA. It will ask about the identity of the certificate. List your organization.
Then assign a password to the key when asked, to be used later during the signing process.
openssl req -out ca.cer.pem -new -newkey rsa:2048 -keyout ca.key.pem -x509 -days 365 -config config.txt -extensions verisign_CA
The verisign_CA section in the config.txt file contains certificate extensions to be added
when a certificate is issued.
4. Convert the PEM format certificate to DER format.
openssl x509 -inform PEM -outform DER -in ca.cer.pem -out ca.cer
5. Create the certificate signing request (CSR) for the server. It will ask about the identity of the
server. Be sure to list your organization, but list the DNS name of the server in the CN field.
Assign a password to the key to be used later in OSMCONF.
openssl req -out server.csr -new -newkey rsa:2048 -keyout server.key.pem -config config.txt -reqexts v3_req_ext_SERVER
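The following script is an added example and is not part of the OSM documentation or its config.txt. It runs steps 2 through 5 above non-interactively on a Unix shell, then adds the signing step the excerpt stops short of, and finishes with a check that mirrors the "trusted by default" conditions listed earlier (chain to the trusted CA, validity period, server name matching the SAN). The config.txt it writes is a constructed minimal file; only the section names verisign_CA and v3_req_ext_SERVER come from the commands on the page, and the organization, server DNS name and passwords are sample values.

```shell
#!/bin/sh
# Added example, not from the OSM documentation. Builds an internal root CA,
# a server CSR and a signed server certificate, then checks trust the way the
# PC-side clients do. config.txt below is a constructed minimal configuration.
set -e

WORK="${WORK:-$(mktemp -d)}"
CA_PASS="ca-pass-example"             # constructed sample password
SERVER_PASS="server-pass-example"     # constructed sample password (for OSMCONF SERVKEYPASS)
SERVER_DNS="osm-server.example.com"   # placeholder server DNS name

# Minimal config.txt: the two extension sections named on the page plus a [ca]
# section so the CSR can be signed using the index.txt/serial.txt files of step 2.
write_config() {
    cat > "$WORK/config.txt" <<EOF
[ req ]
distinguished_name = req_dn

[ req_dn ]
organizationName = Organization Name
commonName       = Common Name

[ verisign_CA ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_req_ext_SERVER ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$SERVER_DNS

[ ca ]
default_ca = internal_ca

[ internal_ca ]
dir           = $WORK
database      = \$dir/index.txt
serial        = \$dir/serial.txt
new_certs_dir = \$dir
certificate   = \$dir/ca.cer.pem
private_key   = \$dir/ca.key.pem
default_md    = sha256
default_days  = 365
policy        = policy_any

[ policy_any ]
organizationName = optional
commonName       = supplied
EOF
}

# Steps 2-5 from the page, run in a subshell so the caller's cwd is untouched,
# followed by the signing step that the excerpt does not reach.
build_pki() (
    write_config
    cd "$WORK"
    : > index.txt                       # step 2: empty index, serial starts at 01
    echo 01 > serial.txt
    # step 3: internal root CA; the key is protected with CA_PASS
    openssl req -out ca.cer.pem -new -newkey rsa:2048 -keyout ca.key.pem -x509 \
        -days 365 -config config.txt -extensions verisign_CA \
        -subj "/O=Example Org/CN=Example Internal Root CA" -passout "pass:$CA_PASS" 2>/dev/null
    # step 4: DER copy of the CA certificate for import into the IE and Java trust lists
    openssl x509 -inform PEM -outform DER -in ca.cer.pem -out ca.cer
    # step 5: server CSR with the server's DNS name in the CN (and in the SAN via config)
    openssl req -out server.csr -new -newkey rsa:2048 -keyout server.key.pem \
        -config config.txt -reqexts v3_req_ext_SERVER \
        -subj "/O=Example Org/CN=$SERVER_DNS" -passout "pass:$SERVER_PASS" 2>/dev/null
    # signing step: issue server.cer.pem from the CSR with the CA key
    openssl ca -config config.txt -batch -notext -extensions v3_req_ext_SERVER \
        -passin "pass:$CA_PASS" -in server.csr -out server.cer.pem 2>/dev/null
)

# Trust check: chains to ca.cer.pem, is within its validity period, and the
# server name matches a SAN entry (OpenSSL falls back to the CN only when the
# certificate has no SAN). Returns 0 when the client would trust it silently.
check_trust() {
    openssl verify -CAfile "$WORK/ca.cer.pem" -verify_hostname "$2" "$1" 2>/dev/null \
        | grep -q ': OK$'
}

main() {
    build_pki
    for name in "$SERVER_DNS" "other.example.com"; do
        if check_trust "$WORK/server.cer.pem" "$name"; then
            echo "$name: trusted (chain OK, name matches SAN)"
        else
            echo "$name: not trusted, the client would show a certificate warning"
        fi
    done
}
main
```

Run it as `sh build-osm-pki.sh`; the files land in a fresh temporary directory (or in `$WORK` if set), with ca.cer ready for the IE and Java certificate lists and server.key.pem/SERVER_PASS matching the SERVKEY and SERVKEYPASS entries. The second check deliberately uses a name that is not in the SAN, which is the mismatch case that produces the warning dialog described above.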
26 OSM Server-Based Components