How can I create SSL certificates to test with CA XCOM?
Do not edit the SSL configuration files: cassl.conf, clientssl.conf, or serverssl.conf.
From your prompt:
- Change directory to /usr/spool/xcom/ssl
- Run makeca followed by makeclient and makeserver
- This will create a "certs" and "private" subdirectory under the SSL directory
- The scripts produce the following files:
  a. makeca: random.pem, certs/cassl.pem and private/casslkey.pem
  b. makeclient: certs/clientcert.pem and private/clientkey.pem
  c. makeserver: certs/servercert.pem and private/serverkey.pem
- If you did not use the default path when creating the certificates, edit the following parameters in configssl.cnf so that they match the path you used:

    # Mandatory
    [CA]
    INITIATE_SIDE = /usr/spool/xcom/ssl/certs/cassl.pem
    RECEIVE_SIDE = /usr/spool/xcom/ssl/certs/cassl.pem

    # Mandatory
    [CA_DIRECTORY]
    INITIATE_SIDE = /usr/spool/xcom/ssl/certs
    RECEIVE_SIDE = /usr/spool/xcom/ssl/certs

    # Mandatory
    [CERTIFICATE]
    INITIATE_SIDE = /usr/spool/xcom/ssl/certs/clientcert.pem
    RECEIVE_SIDE = /usr/spool/xcom/ssl/certs/servercert.pem

    # Mandatory
    [PRIVATEKEY]
    INITIATE_SIDE = /usr/spool/xcom/ssl/private/clientkey.pem
    RECEIVE_SIDE = /usr/spool/xcom/ssl/private/serverkey.pem

    [RANDOM]
    INITIATE_SIDE_FILE = /usr/spool/xcom/ssl/random.pem
    RECEIVE_SIDE_FILE = /usr/spool/xcom/ssl/random.pem

- Set XCOM_SHOW_CIPHER to YES in the xcom.glb file, then stop and start xcomd. This will allow you to check the encryption key used for the transfer when you issue an:
- At this point, you can perform a loopback transfer using SSL on your machine. See TEC377644 if you need information on how to do a loopback transfer.
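
Before the loopback transfer, the paths set in configssl.cnf can be checked against what the scripts actually produced. The script below is an added example, not part of the original article or of CA XCOM. It assumes one "[SECTION]" or "KEY = value" entry per line as in the listing above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not CA's code): check the file paths set in configssl.cnf.
# Assumed layout: one "[SECTION]" or "KEY = value" per line, '#' starts a comment.

check_xcom_ssl_config() {
    cnf=$1 section= XCOM_SSL_PROBLEMS=0
    [ -r "$cnf" ] || { echo "cannot read $cnf" >&2; return 2; }
    while IFS= read -r line || [ -n "$line" ]; do
        # Trim surrounding whitespace before classifying the line.
        line=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $line in
            ''|\#*) continue ;;
            \[*\])  section=${line#\[}; section=${section%\]}; continue ;;
            INITIATE_SIDE*=*|RECEIVE_SIDE*=*) ;;
            *) continue ;;
        esac
        # Only the sections shown on this page are treated as file system paths.
        case $section in
            CA|CA_DIRECTORY|CERTIFICATE|PRIVATEKEY|RANDOM) ;;
            *) continue ;;
        esac
        path=$(printf '%s\n' "${line#*=}" | sed 's/^[[:space:]]*//')
        if [ "$section" = CA_DIRECTORY ]; then
            [ -d "$path" ] || report "[$section] not a directory: $path"
        elif [ ! -f "$path" ] || [ ! -r "$path" ]; then
            report "[$section] missing or unreadable: $path"
        elif [ "$section" = PRIVATEKEY ] &&
             [ "$(ls -ld -- "$path" | cut -c5-10)" != "------" ]; then
            # A key file open to group or others can be copied by other local users.
            report "[$section] group/other permissions set: $path"
        fi
    done < "$cnf"
    [ "$XCOM_SSL_PROBLEMS" -eq 0 ]
}

report() {
    echo "PROBLEM: $1" >&2
    XCOM_SSL_PROBLEMS=$((XCOM_SSL_PROBLEMS + 1))
}

# Run against a file when one is given, e.g. the edited configssl.cnf.
if [ "$#" -gt 0 ]; then
    check_xcom_ssl_config "$1"
fi
```

The function returns 0 when every referenced path exists and both private keys are restricted to their owner, and leaves the number of findings in XCOM_SSL_PROBLEMS.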