Requesting a Server Certificate

Restriction: This topic applies only when the Enterprise Server feature is enabled.

Prerequisites

Before you request a certificate, you must:

  • Install Micro Focus Demo CA. The installer for this is supplied with Visual COBOL, and by default is DemoCA_Setup.sh in $COBDIR/DemoCA.

In this section, you ask the certifying authority (CA) for a server certificate. As the server owner, you create a private key and a public key. The public key is placed in a certificate request (usually called a Certificate Signing Request, or CSR) that you would send to the CA.

With a commercial CA, you would typically contact them first, learn about what types of certificates they supply, and find out their prices, terms and conditions.

  1. With administrative privileges, run the batch utility create_srv_req.cmd, located by default in /opt/microfocus/DemoCA or $COBSSL (if set).

    The batch file creates a public/private key pair for your server, and creates a certificate request with the public key, to send to the CA.

    The private key is generated first and is stored in srvkey.pem.

  2. At the prompt, enter a pass phrase. Use a pass phrase that is easy for you to remember and yet hard for others to guess, for example:

    open sesame

    You must supply this pass phrase to access your server's private key. You are prompted to confirm the pass phrase.

  3. The utility prompts you for the following details. These default to the values that you entered when you installed Micro Focus Demo CA:
    • Country Name
    • State or Province
    • Locality
    • Organization Name
    • Organizational Unit
    • Common Name

    For example, you can enter something like:

    Country Name: US
    State or Province Name: California
    Locality Name: Palo Alto
    Organization Name: Bloggs Widgets Inc
    Organizational Unit Name: Marketing
    Common Name: svr-blogw
    Email Address: bloggs@widgets.com

    The details you enter are included in your server certificate to identify you.

  4. At the "A challenge password" prompt, press Enter to ignore it. You can specify a pass phrase to protect your public certificate, but since it is a public certificate, it is seldom appropriate to protect it in this way.
  5. Press Enter at the next prompt also.
  6. When the batch file finishes, confirm that the following were created in the installation directory:
    • Your server's private key in srvkey.pem. You can view this in a text editor.
    • Your public key in a certificate request file called srvcertreq.csr. The CSR file is formatted according to the PKCS #10 standard, and is informally known as a PKCS #10 file, P10 file, or CSR file. You can view this using the openssl req command as follows:
      openssl req -in srvcertreq.csr -text
  7. In a real case you would now send srvcertreq.csr to the CA.
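
The following script is an added example, not part of the Micro Focus utilities. It extends the check in step 6 by confirming that srvkey.pem is pass-phrase protected and that srvcertreq.csr was signed by, and contains the public half of, that key. It assumes the openssl command is on the PATH; the function names and the env:SRVKEY_PASS variable are hypothetical, and the file-permission check is a general recommendation rather than a requirement stated in this topic.

```shell
#!/bin/sh
# Added example: checks on the files listed in step 6.
# Assumes the openssl CLI is on PATH; function names are hypothetical.

# 0 if the PEM key is stored encrypted (PKCS #8 or traditional format).
key_is_encrypted() {
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# 0 if group and others have no access to the key file.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# 0 if the CSR's self-signature verifies. Matches the output text
# instead of trusting the exit status alone.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# 0 if the CSR carries the public half of the given private key.
# $3 is an optional openssl pass phrase source such as env:SRVKEY_PASS;
# without it, openssl prompts for the pass phrase.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout ${3:+-passin "$3"} 2>/dev/null) || return 1
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# Run every check and report; returns non-zero if any check fails.
check_server_request() {
    key=$1; csr=$2; rc=0
    key_is_encrypted "$key" || { echo "FAIL: $key is not pass-phrase protected"; rc=1; }
    key_is_private "$key"   || { echo "FAIL: $key is accessible to group/others"; rc=1; }
    csr_signature_ok "$csr" || { echo "FAIL: $csr signature does not verify"; rc=1; }
    csr_matches_key "$csr" "$key" "${3:-}" || { echo "FAIL: $csr does not match $key"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $key and $csr are consistent"
    return "$rc"
}

# Usage (file names from step 6), after sourcing this file:
#   check_server_request srvkey.pem srvcertreq.csr
```

Supplying the pass phrase through an env: or file: source keeps it out of the process list, unlike a pass: argument on the command line.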