The package was created by Z. Wagner - Ice Bear Soft, wagner@mbox.cesnet.cz.
Some changes have been made by Michael Warmuth - EDV-Dienstleistungen, michael@warmuth.at.
The SSL module for Apache requires a certificate. The scripts for making a certificate, creating a certification authority and signing certificates are included neither in the distribution of Apache with mod_ssl for OS/2 nor in the version of OpenSSL compiled for OS/2. The user is thus required to obtain the complete distribution of OpenSSL. Moreover, the scripts require a UNIX-like shell or Perl and UNIX-like utilities, which the user may not have installed. For these reasons I decided to implement the functions by means of native OS/2 programs. The Rexx programs presented here can generate a server key, create a certificate signing request, establish a certification authority and sign keys.
The programs were created exactly according to the documentation. In fact, most of them were copied from the FAQ and the signing script was directly translated from sign.sh.
The last changes by Michael were made because he was not able to run the scripts out of the box with OpenSSL 0.9.6a.
The programs from this package may be used and distributed under the terms of the GNU General Public License. See COPYING for the text of the license.
The package is signed with PGP 2.6.3 and 5.0. My public keys are included and may also be found on key servers.
The package requires OpenSSL compiled for OS/2. You will also need Apache with mod_ssl. Both these programs can be downloaded from http://silk.apana.org.au/apache/. You must also have Rexx installed. If you do not have it on your system, install it by Selective Install.
The programs rely on files with long names which may or may not be case sensitive. Be sure that you run these programs on a file system supporting long file names such as HPFS or EXT2. Specifically, passchg.cmd and decrypt.cmd will destroy the key if they are run on FAT.
Create a directory where you want to run OpenSSL and these REXX scripts from (e.g. D:\Programs\OpenSSL). Create the following directories within this directory and put the appropriate files there:
D:\Programs\OpenSSL
    bin
        ca.cmd          (REXX script)
        cert.cmd        (REXX script)
        keydecrypt.cmd  (REXX script)
        keydetails.cmd  (REXX script)
        openssl.exe     (OpenSSL executable)
        passchg.cmd     (REXX script)
        sign.cmd        (REXX script)
    certs               (... sign.cmd)
    doc
        COPYING         (Information about REXX scripts)
        LICENSE         (Information about OpenSSL)
        manual.html     (This document)
        README          (Information about OpenSSL)
    etc
        openssl.cnf     (OpenSSL configuration file)
        openssl.rnd     (RAND file for OpenSSL)
    keys
Make sure that you run all the REXX scripts from within the bin directory (described above), otherwise the necessary files will not be found.
We recommend not specifying paths or file extensions for the key/certificate/signing request files, so that the default extensions and directories (as described above) are used. The default extensions are .key for key files, .csr for signing requests, and .crt for certificates.
cert.cmd generates the server key and the certificate signing request. It takes one parameter - the name of the key. If the parameter is not specified, the key is stored in keys\server.key and the certificate signing request in keys\server.csr.
ca.cmd establishes a certification authority. It generates a key and a self-signed certificate. The program requires the name of the key as a parameter. If the parameter is not specified, the key will be stored in keys\ca.key and the self-signed certificate will be keys\ca.crt.
sign.cmd signs the certificate signing request. The program requires a signing request file (e.g. created by cert.cmd) and a self-signed certificate (e.g. created by ca.cmd) specified as parameters.
keydecrypt.cmd decrypts the key and stores it in unencrypted form. It requires the name of the key as a parameter. The decrypted file has the same name with .unsecure appended.
keydetails.cmd displays the details of keys, certificates and signing requests. It requires two arguments: the first one specifies the file name, the second one specifies the type which is one of the following:
passchg.cmd is used for changing the pass-phrase. The key file will be stored under the same name.
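
The cert.cmd, ca.cmd and sign.cmd steps described above, written out as plain openssl calls in a POSIX shell and followed by two checks on the result (does the certificate chain to the CA, and does it belong to the key). This is an added example, not one of the package's Rexx scripts; the function names, subjects, 2048-bit key size, lifetimes, pass-phrase and the use of openssl x509 -req for signing are all assumptions.

```sh
#!/bin/sh
# Added example: key -> CSR -> CA -> signed certificate, then two checks.
# Subjects, file names, key size, lifetimes and pass-phrase are constructed.
# The pass: form is for this demo only; it exposes the phrase to other
# local users via the process list, which an interactive prompt avoids.
PASS='pass:constructed-demo-only'

make_ca() {        # $1 = directory; the ca.cmd step (CA key + self-signed cert)
    openssl genrsa -aes256 -passout "$PASS" -out "$1/ca.key" 2048 2>/dev/null &&
    openssl req -new -x509 -days 365 -key "$1/ca.key" -passin "$PASS" \
        -subj "/CN=Example Test CA" -out "$1/ca.crt"
}

make_request() {   # $1 = directory, $2 = key name; the cert.cmd step
    openssl genrsa -aes256 -passout "$PASS" -out "$1/$2.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/$2.key" -passin "$PASS" \
        -subj "/CN=www.example.test" -out "$1/$2.csr"
}

sign_request() {   # $1 = directory, $2 = request name; the sign.cmd step
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -passin "$PASS" -CAcreateserial -days 90 -out "$1/$2.crt" 2>/dev/null
}

# Succeeds only if certificate $2 chains to the CA certificate in $1.
chain_ok() { openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1; }

# Succeeds only if certificate $3 carries the public half of key $2.
key_matches() {
    k=$(openssl pkey -in "$1/$2.key" -passin "$PASS" -pubout | openssl sha256)
    c=$(openssl x509 -in "$1/$3.crt" -noout -pubkey | openssl sha256)
    [ "$k" = "$c" ]
}

# Demo in a scratch directory: sh workflow.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d) && make_ca "$d" && make_request "$d" server &&
    sign_request "$d" server && chain_ok "$d" server &&
    key_matches "$d" server server && echo "chain and key verified in $d"
fi
```

Running key_matches before installing a certificate catches the common mistake of pairing a freshly signed .crt with a .key from an earlier request.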