Using OpenSSL

The Certificate Creation wizard guides you through the process of creating keys and certificates without using a command line. If you prefer to use a command line tool, the OpenSSL command-line tool can be used to generate and convert private keys and public certificates, including:

• Creation of RSA, DH, and DSA key parameters

• Creation of X.509 certificates, CSRs, and CRLs

• Calculation of Message Digests

• Encryption and Decryption with Ciphers

• SSL/TLS Client and Server Tests

• Handling of S/MIME signed or encrypted mail

You can download the precompiled Windows binary and Windows Installer for OpenSSL from http://www.openssl.org/related/binaries.html. The OpenSSL distribution contains a number of utilities, including the main utility openssl.exe. By default, the utilities are installed in C:\Openssl\bin. openssl.exe and associated utilities are used at a Windows command prompt.

Some commands require specification of the OpenSSL configuration file openssl.cnf. By default, this file is installed in C:\Openssl\bin. Therefore, when required to specify the configuration filename, you would use the following path:

• C:\OpenSSL\bin\openssl.cfg

You can run the commands from any location by specifying the full path to the desired executable or by changing to the bin directory and using only the executable filenames.

For example:

>cd c:\temp

>c:\Openssl\bin\openssl

-OR-

>cd c:\Openssl\bin

>openssl.exe

Refer to the procedures below for using OpenSSL to generate or convert private keys and public certificates for use with EFT Server.

• Generating an Unencrypted Private Key and Self-Signed Public Certificate

Use this procedure if you want to generate a public certificate and unencrypted key by hand instead of generating one from within EFT Server.

• Generating an Encrypted Private Key and Self-Signed Public Certificate

Use this procedure if you want to generate a public certificate and encrypted key by hand instead of generating one from within EFT Server.

• Generating a PKCS#12 Private Key and Public Certificate

Use this procedure if you want to generate a compatible PFX/P12 file (often confused with PFX) containing a public certificate and key.

• Converting a PEM-Encoded PKCS#8 Format Encrypted Private Key to PKCS#8 Format

Use this procedure when you already have a public certificate and PEM encoded PKCS#8 format encrypted private key file. You can determine the format by viewing the private key file in a text editor. If it contains the following line, then this procedure most likely applies:

-----BEGIN ENCRYPTED PRIVATE KEY-----

• Converting a Traditional PEM-Encoded Encrypted Private Key to PKCS#8 Format

Use this procedure when you already have a public certificate and traditional PEM encoded encrypted private key file. You can determine the format by viewing the private key file in a text editor. If it contains the following line, then this procedure most likely applies:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED

• Converting an Incompatible PKCS#12 Format File to a Compatible PKCS#12

Use this procedure when you want to convert an existing incompatible PKCS#12 format encrypted private key/public certificate file to a compatible PKCS#12 format file.