HP OpenVMS Systems Documentation

Content starts here
HP Open Source Security for OpenVMS Volume 2: HP SSL for OpenVMS > Chapter 3 Using the Certificate Tool

Create a Certificate Chain

  Table of Contents

  Index

The following sections describe the steps you must perform to create a certificate chain. Before you create the chain, you must have the following certificates:

Creating an Intermediate CA (RA) Certificate

With the Certificate Tool, you can generate an X509 certificate for an intermediate CA or RA (Registration Authority). Perform the following steps to generate an X509 certificate.

  1. Create a certificate signing request. (Select item 3 in the Certificate Tool Main Menu.)

  2. Sign the certificate signing request with the root CA certificate. (Select item 6 in the Certificate Tool Main Menu.)

NOTE: To create an intermediate CA, you must encrypt the private key when you create the certificate signing request (with PEM passphrase).

Creating a Client/Server Certificate Signed with an Intermediate CA Certificate

After you create an intermediate CA certificate (described in the previous section), create a client/server certificate as follows:

  1. Create a certificate signing request. (Select menu item 3 in the Certificate Tool Main Menu.)

  2. Sign the certificate signing request with the intermediate CA certificate. (Select menu item 6 in the Certificate Tool Main Menu.)

Encrypting the private key is not required for creating a client/server certificate. However, if the key is encrypted, you can also use the certificate as an intermedicate CA certificate with which another certificate will be signed.

Creating a Certificate Chain File

Some OpenSSL APIs require a certificate chain file. This file contains certificates that form the certificate chain (from the client/server certificate to the root CA certificate).

To create a certificate chain file, append the certificates of intermediate CA(s) and the root CA to the client/server certificate. The order in the file can be expressed as follows:

client/server cert >>> intermediate CA1 >>> intermediate CA2 >>> root CA

Enter the following command to create a certificate chain file:

$ COPY CLIENT_CERT.PEM, INTER_CA1.PEM, INTER_CA2.PEM, -
_$ ROOT_CA.PEM, CERT_CHAIN.PEM