This chapter describes the demonstration Certificate Authority (CA), which is installed as part of Micro Focus Security Pack.
The demonstration CA is software that enables you to operate as a CA. At its simplest, a CA needs to be able to create (that is, sign) certificates, and it needs somewhere to store the certificates it has issued together with its own certificate (self-signed in the case of a root CA) and the private key that matches it. We assume that for training and testing you will be acting as both a CA and a server, so you need certificates and keys for both roles.
The demonstration CA comprises a directory structure and the files needed for the demonstration. The demonstration CA is set up with the following:
You use the demonstration CA to create certificates, but these certificates will not be trusted outside your organization: the demonstration CA's root certificate is not in the trust stores that browsers and operating systems ship with, unlike those of the well-known commercial or official CAs such as Verisign and Thawte. Therefore for production use in communicating with the outside world you should obtain certificates from a well-known CA. This takes time and money, so for training and testing you may prefer to create your own certificates using the demonstration CA.
The facilities provided by this pack are for use in training and development testing. We recommend that you do not use the demonstration CA in production, although some of its elements (for example, the scripts that create certificate signing requests) may be useful there.
Note: If you consider using the demonstration for anything other than training or testing, it is essential that you read the warnings in the section Is the Demonstration CA a Real CA?.
The directory Program Files\Micro Focus\DemoCA is created by default when you install Micro Focus Security Pack. The SSLDIR environment variable, which is created when you install this COBOL system, points to this directory. The directory is not automatically added to your path, but you might find it useful to add it.
The following directories are set up:
| Name | Description |
|---|---|
| certs | You use this directory to store copies of all certificates and key files that you as a CA issue |
| crl | When you revoke a certificate, the revocation is recorded in index.txt, and the regenerated certificate revocation list is written to crl.pem in here |
| newcerts | Holds the database of certificates you have issued. When you create a certificate, it is created in here with a numeric name, for example 01.pem. |
| private | Contains your self-signed CA root certificate in several formats and your private key |
The following files are installed in the DemoCA directory:
| Name | Description |
|---|---|
| create_srv_req.cmd | Script that creates a request for a server certificate |
| create_cli.cmd | Script that creates a client certificate |
| index.txt | The CA database: one line per certificate in newcerts, recording its status (valid, revoked or expired), expiry date, serial number and subject |
| install_demoCA.cmd | Script that creates a CA that can be used to sign and verify certificates. This is for demonstration and development purposes only and should not be used in production. |
| sign_srv.cmd | Script that processes a server certificate request and signs the certificate |
| openssl.exe | OpenSSL command-line utility |
| openssl.cnf | Configuration file that specifies directories and defaults for SSL support |
| .rand | Seed file for the random number generator used when keys are generated. It is read and rewritten each time you create a key. |
| serial | Number to be allocated to the next certificate you issue. |
| srv.pem | Certificate request (together with the private key in the one file) from which the server certificate was created |
| srvcert.pem | Your server certificate |
| srvkey.pem | Your server's private key |
The private subdirectory contains the root CA certificate and matching private key.
The certificate is provided in several formats, because different entities that you communicate with, such as different browsers, may require different formats. The .pem files are in PEM format: the certificate's DER bytes encoded in base64 and enclosed between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, so that the file is printable text that can be viewed, mailed and pasted safely. The .cer file contains the same certificate in DER, the raw binary encoding, which is not plain text.
The files provided in the private subdirectory are:
To display the root certificate, change to the private subdirectory and enter:
..\openssl x509 -in carootcert.pem -text
This shows the certificate first in human-readable form, and then in its encoded form between the BEGIN CERTIFICATE and END CERTIFICATE lines. It shows that the public key is a 1024-bit RSA key, and that the signature algorithm is md5WithRSAEncryption, that is, an MD5 hash of the certificate body signed with the issuer's RSA private key. Both are obsolete by current standards: MD5 collisions have been used to forge certificates, and 1024-bit RSA keys are rejected by current browsers and TLS stacks, so when you regenerate the demonstration CA (see Is the Demonstration CA a Real CA?) use SHA-256 and RSA keys of at least 2048 bits. Notice that the Issuer and Subject are the same, because this is a self-signed certificate, as you would expect of a root CA's certificate.
To display the DER version, enter:
..\openssl x509 -in carootfile.cer -text -inform DER
Compare the x509 displays of the PEM and DER versions of this certificate, and notice that their contents are identical: the two files are different encodings of one certificate, and their fingerprints, which are computed over the DER bytes, are the same whichever file you start from. However, you cannot display the DER one with a text editor.
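The relationship between the two encodings can be checked directly. The following script is an added example, not part of the Micro Focus pack: it creates a throwaway self-signed certificate (the file names, subject and command lines are assumptions of the example, not the pack's carootcert.pem and carootfile.cer), converts it to DER, and shows that the text dumps and fingerprints of both encodings agree and that the base64-decoded body of the PEM file is byte for byte the DER file. It assumes the openssl command-line utility is on your PATH and is written for a POSIX shell rather than the Windows cmd scripts shipped with the pack.

```shell
#!/bin/sh
# Added example (not part of the Micro Focus pack): PEM is the DER encoding,
# base64-armoured between BEGIN/END lines, so both files describe one certificate.
# Assumes the openssl CLI on PATH; the certificate and file names are constructed here.
set -eu

# make_test_cert PEM_OUT DER_OUT: throwaway self-signed certificate in both encodings
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=pemder.example.test" -keyout "${1%.pem}.key" -out "$1" 2>/dev/null
    openssl x509 -in "$1" -outform DER -out "$2"   # cf. carootcert.pem vs carootfile.cer
}

# text_dump FILE FORM: the human-readable dump, FORM being PEM or DER
text_dump() {
    openssl x509 -in "$1" -inform "$2" -noout -text
}

# pem_body_is_der PEM DER: drop the armour lines, base64-decode, compare bytes with the DER file
pem_body_is_der() {
    sed '/^-----/d' "$1" | openssl base64 -d | cmp -s - "$2"
}

# fingerprint FILE FORM: SHA-256 over the DER bytes, so identical from either encoding
fingerprint() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | cut -d= -f2
}

WORK=$(mktemp -d)
make_test_cert "$WORK/cert.pem" "$WORK/cert.cer"
[ "$(text_dump "$WORK/cert.pem" PEM)" = "$(text_dump "$WORK/cert.cer" DER)" ] && echo "text dumps identical"
pem_body_is_der "$WORK/cert.pem" "$WORK/cert.cer" && echo "base64-decoded PEM body == DER bytes"
echo "PEM fingerprint: $(fingerprint "$WORK/cert.pem" PEM)"
echo "DER fingerprint: $(fingerprint "$WORK/cert.cer" DER)"
head -c 16 "$WORK/cert.cer" | od -An -tx1   # DER begins with 0x30 (ASN.1 SEQUENCE), not printable text
```

The same conversion in the other direction (`openssl x509 -in carootfile.cer -inform DER -out copy.pem`) is how you would produce a PEM copy for a tool that cannot read DER; nothing about the certificate changes, only its armour.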
The CAkey.pem and srvkey.pem files are installed encrypted under the same passphrase, "srvrootpwd". See Is the Demonstration CA a Real CA? for recommendations.
You should regard the contents of the private folder as sacrosanct. They are the public/private key pair that you must have in order to operate your CA. Do not alter or lose anything in here. Note that anyone who gets hold of your CA private key can issue certificates in your name, and so masquerade as you or as any server you have certified. In production you would take precautions such as making these files readable only by the CA operator, keeping the key on an offline machine or a hardware token, protecting it with a strong passphrase, and keeping secure backups.
When you installed the Micro Focus Security Pack, you provided details of your site, such as Common Name, locality, and so on. All these details together are known as your Distinguished Name, and are intended to identify your site uniquely in the world. These details were put into your certificates.
Especially important is the Common Name. If this is not exactly the same as the fully qualified domain name of the machine running your SSL software, people you communicate with will get warnings that your certificate may not be valid. This field defaults to the name as known to your operating system, so you will probably not need to change it. You can however use a wildcard in the Common Name, for example *.example.com, so you can use the same certificate for several machines. You will need to do this if, for example, you are running a Web site with a cluster of Web servers. Note that current browsers and TLS libraries match the host name against the certificate's Subject Alternative Name extension rather than the Common Name, so a server certificate intended for such clients must carry the host names (or the wildcard) in a subjectAltName as well.
The elements of the Distinguished Name - Common Name, Locality, and so on - are standard, but it is up to you as the CA to have a policy on which of them you require, and which of them must match the values in your own CA certificate. You define such a policy as a named section of openssl.cnf that lists each element as match, supplied or optional, and select it with the policy directive of the openssl ca command (or the policy setting in its configuration section). You can define several policy sections and refer to each by name. See OpenSSL Configuration File.
Warning: We strongly recommend that you do not use the demonstration CA to set up a commercial CA or other generally available CA service.
If you intend to set up a PKI within your organization, the demonstration CA is suitable software on which to base your real-life CAs. However, Micro Focus does not provide support for this use. As with any production software system, you must take great care to back up vital information and keep it secure; for a CA that means above all the private key and the certificate database (index.txt and serial), without which you can neither issue nor revoke certificates.
The demonstration CA is suitable for creating certificate signing requests to be sent to a commercial or official CA.
Note: The demonstration CA is installed with the same password "srvrootpwd" for the CA root private key CAkey.pem and the server private key srvkey.pem. Because that password is published in this documentation, the installed keys offer no real security: before relying on the demonstration CA for anything, regenerate its content with new keys and passphrases, and create a new server certificate.
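The following POSIX shell script is an added example, not code from the Micro Focus pack, that carries out the recommendation above with current defaults. It rebuilds a demonstration-CA-style directory tree (the certs, crl, newcerts and private directories, index.txt, serial, and an openssl.cnf with a Distinguished Name policy section of the kind described under OpenSSL Configuration File), generates a new passphrase-protected root key and self-signed root certificate using SHA-256 and 2048-bit RSA, creates and signs a server request that carries a subjectAltName, verifies the result, revokes it to produce crl/crl.pem, and shows the policy section refusing a request whose country does not match the CA's own. All directory names, Distinguished Names, host names and passphrases are assumptions for the example; the file names differ from the pack's srv.pem, srvkey.pem and srvcert.pem; and it assumes openssl 1.1.1 or later on your PATH.

```shell
#!/bin/sh
# Added example, not Micro Focus code: rebuild the demonstration CA layout (certs,
# crl, newcerts, private, index.txt, serial, openssl.cnf) with a fresh root key, a
# DN policy, a server certificate carrying a subjectAltName, and a CRL.  Assumes
# the openssl CLI (1.1.1+) on PATH; names, DNs and passphrases are assumptions.
set -eu

# setup_ca DIR CA_PASSPHRASE: directory layout, openssl.cnf, root key and root cert
setup_ca() {
    ca_dir=$1; ca_pass=$2
    mkdir -p "$ca_dir/certs" "$ca_dir/crl" "$ca_dir/newcerts" "$ca_dir/private"
    : > "$ca_dir/index.txt"                      # empty certificate database
    echo 01 > "$ca_dir/serial"; echo 01 > "$ca_dir/crlnumber"
    cat > "$ca_dir/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $ca_dir
new_certs_dir    = \$dir/newcerts
database         = \$dir/index.txt
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/private/carootcert.pem
private_key      = \$dir/private/CAkey.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_strict
copy_extensions  = copy
# DN policy: match = must equal the CA's own value, supplied = must be present
[ policy_strict ]
countryName      = match
organizationName = match
commonName       = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ v3_server ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
authorityKeyIdentifier = keyid
EOF
    openssl genrsa -aes256 -passout "pass:$ca_pass" \
        -out "$ca_dir/private/CAkey.pem" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 3650 -config "$ca_dir/openssl.cnf" \
        -key "$ca_dir/private/CAkey.pem" -passin "pass:$ca_pass" \
        -subj "/C=GB/O=Example Demo CA/CN=Example Demo Root CA" \
        -extensions v3_ca -out "$ca_dir/private/carootcert.pem"
}
# make_server_request DIR HOST KEY_PASSPHRASE COUNTRY: key + CSR (cf. create_srv_req.cmd)
make_server_request() {
    ca_dir=$1; host=$2; key_pass=$3; country=$4
    openssl genrsa -aes256 -passout "pass:$key_pass" -out "$ca_dir/$host.key.pem" 2048 2>/dev/null
    # CN still holds the host name, but current clients match the subjectAltName, so the
    # request carries one too (a wildcard such as *.example.test is valid in both)
    openssl req -new -sha256 -config "$ca_dir/openssl.cnf" \
        -key "$ca_dir/$host.key.pem" -passin "pass:$key_pass" \
        -subj "/C=$country/O=Example Demo CA/CN=$host" \
        -addext "subjectAltName=DNS:$host" -out "$ca_dir/$host.csr.pem"
}
# sign_server_request DIR HOST CA_PASSPHRASE: issue the certificate (cf. sign_srv.cmd);
# returns non-zero, writing nothing to index.txt, when the DN violates policy_strict
sign_server_request() {
    ca_dir=$1; host=$2; ca_pass=$3
    openssl ca -batch -notext -config "$ca_dir/openssl.cnf" -passin "pass:$ca_pass" \
        -extensions v3_server -in "$ca_dir/$host.csr.pem" -out "$ca_dir/$host.cert.pem" 2>/dev/null \
        && cp "$ca_dir/$host.cert.pem" "$ca_dir/certs/"
}
# verify_cert DIR CERT: chain check against the root, with CRL checking once crl/crl.pem exists
verify_cert() {
    ca_dir=$1; cert=$2; check=""
    cat "$ca_dir/private/carootcert.pem" > "$ca_dir/trust.pem"
    if [ -s "$ca_dir/crl/crl.pem" ]; then
        cat "$ca_dir/crl/crl.pem" >> "$ca_dir/trust.pem"; check=-crl_check
    fi
    openssl verify $check -CAfile "$ca_dir/trust.pem" "$cert" >/dev/null 2>&1
}
# revoke_cert DIR CERT CA_PASSPHRASE: mark the entry R in index.txt, then rewrite crl/crl.pem
revoke_cert() {
    ca_dir=$1; cert=$2; ca_pass=$3
    openssl ca -config "$ca_dir/openssl.cnf" -passin "pass:$ca_pass" -revoke "$cert" 2>/dev/null
    openssl ca -config "$ca_dir/openssl.cnf" -passin "pass:$ca_pass" -gencrl -out "$ca_dir/crl/crl.pem" 2>/dev/null
}

# Demonstration run with throwaway passphrases (assumptions, not the pack's defaults)
DEMO=$(mktemp -d)
setup_ca "$DEMO" 'demo-ca-pass'
make_server_request "$DEMO" www.example.test 'demo-srv-pass' GB
sign_server_request "$DEMO" www.example.test 'demo-ca-pass'        # creates newcerts/01.pem
verify_cert "$DEMO" "$DEMO/www.example.test.cert.pem" && echo "issued certificate verifies"
revoke_cert "$DEMO" "$DEMO/www.example.test.cert.pem" 'demo-ca-pass'
verify_cert "$DEMO" "$DEMO/www.example.test.cert.pem" || echo "revoked certificate rejected"
make_server_request "$DEMO" bad.example.test 'demo-srv-pass' US
sign_server_request "$DEMO" bad.example.test 'demo-ca-pass' || echo "C=US refused by policy_strict"
```

The openssl command lines are the same ones the pack's install_demoCA.cmd, create_srv_req.cmd and sign_srv.cmd wrap for Windows; only the shell differs. The policy section is where the Distinguished Name requirements are enforced: the request with C=US is refused by openssl ca before anything is written to index.txt or serial, while the matching request is issued, recorded as V in index.txt, and after revocation recorded as R and listed in crl/crl.pem, at which point verification against the root plus the CRL fails as it should.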
Copyright © 2009 Micro Focus (IP) Ltd. All rights reserved.