Hi everyone,
I have been trying to determine if there is a specific command I need to use when creating Self Signed Certificates with openssl that determines TLS v1.0 over SSL v3.0. I have been using the following commands:

Create a file named openca.cnf and copy the following content into the empty file:

    [ req ]
    default_bits       = 1024              # Size of keys
    default_keyfile    = openca_key.pem    # name of generated keys
    default_md         = sha1              # message digest algorithm
    string_mask        = nombstr           # permitted characters. Any string.
    distinguished_name = req_distinguished_name

    [ req_distinguished_name ]
    # Variable name             Prompt string
    #----------------------     ---------------------------------
    0.organizationName        = Org. Name
    organizationalUnitName    = Org. Name
    emailAddress              = ValidEmailAddress
    emailAddress_max          = 40
    localityName              = City
    stateOrProvinceName       = State
    countryName               = US
    countryName_min           = 2
    countryName_max           = 2
    commonName                = ServerName
    commonName_max            = 64

    [ v3_ca ]
    basicConstraints       = critical,CA:TRUE    # critical is important.
    subjectKeyIdentifier   = hash
    authorityKeyIdentifier = keyid:always,issuer:always

Run the following command:

    openssl req -new -x509 -newkey rsa:1024 -extensions v3_ca -keyout openca_key.pem -out openca_crt.pem -days 365 -config ./openca.cnf

Create a configure file (opencsr.cnf) which will be used by openssl to generate the CSR and private key:

    [ req ]
    default_bits       = 512               # Size of keys. If server has domestic license, use 1024.
    default_keyfile    = opencert_key.pem  # name of generated keys
    default_md         = sha1              # message digest algorithm
    string_mask        = nombstr           # permitted characters
    distinguished_name = req_distinguished_name
    req_extensions     = v3_req

    [ req_distinguished_name ]
    # Variable name             Prompt string
    #----------------------     ---------------------------------
    0.organizationName        = Org. Name
    organizationalUnitName    = Org. Name
    emailAddress              = ValidEmailAddress
    emailAddress_max          = 40
    localityName              = City
    stateOrProvinceName       = State
    countryName               = US
    countryName_min           = 2
    countryName_max           = 2
    commonName                = ServerIP
    commonName_max            = 64

    [ v3_ca ]
    basicConstraints       = critical,CA:TRUE
    subjectKeyIdentifier   = hash
    authorityKeyIdentifier = keyid:always,issuer:always

    [ v3_req ]
    basicConstraints     = CA:FALSE
    subjectKeyIdentifier = hash

In a DOS command window, execute the following command:

    openssl req -new -nodes -out opencert_req.pem -config ./opencsr.cnf

Execute the following command to sign the certificates:

    openssl x509 -sha1 -req -days 365 -CAcreateserial -CA openca_crt.pem -CAkey openca_key.pem -in opencert_req.pem -out opencert_crt.pem

Then I move the openca_crt.pem, opencert_crt.pem and opencert_key.pem over to the Weblogic directories, load them into the cacerts directory and Weblogic app. When I start Weblogic, it states that the SSL started on the correct port without errors.

I have enabled the TLSv1 option in Internet Explorer and the Weblogic JAVAOPTIONS (-Dweblogic.security.SSL.protocolVersion=TLS1). However, when I go to https://<server>:<SSL port>/ I get a page display error. This is only happening because we have the Windows Group Policy for "System cryptography: Use FIPS compliant algorithms for the encryption, hashing, and signing" enabled. This policy limits us to the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite (only TLSv1.0 certificates are valid).

So the question comes back to: how do I specify TLSv1.0 for the certificate when creating it over SSLv3.0?

Any help would be much appreciated.

Thank you in advance,
Kyle

-----------------------------------------------
Kyle Safford, Consultant
CGI Federal
838-B, 12601, Fair Lakes Circle
Fairfax, VA 22033
Office: 703 227 5592
kyle.saff...@cgifederal.com
http://www.cgi.com
-----------------------------------------------
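Editor's added example, not code from the original post: the poster's CA and server-certificate procedure as one unattended, runnable script, followed by checks a practitioner would run on the output. It assumes a scratch directory, a constructed DN, 2048-bit RSA and sha256 in place of the post's 512/1024-bit keys and sha1, `prompt = no` so nothing asks for input, a subjectAltName in the server config, and `-extfile` at signing time so the CSR's v3_req section is actually written into the issued certificate (the post's `openssl x509 -req` line has no `-extfile`, so those extensions would be dropped). The last check reflects a fact the example makes visible: an X.509 certificate carries no SSL or TLS version field at all; the protocol version and cipher suite are negotiated per connection by the client and server, so they are configured on WebLogic and the browser, not at certificate-creation time.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: scratch dir $WORK,
# constructed DNs, 2048-bit RSA + sha256, prompt=no, SAN, -extfile at signing.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption)

write_configs() {
  # Modelled on the post's openca.cnf
  cat > "$WORK/openca.cnf" <<'EOF'
[ req ]
default_bits       = 2048
default_md         = sha256
string_mask        = nombstr
prompt             = no
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
O  = Example Org
OU = Example Unit
CN = Example Root CA

[ v3_ca ]
basicConstraints       = critical,CA:TRUE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
EOF
  # Modelled on the post's opencsr.cnf; SAN added (assumption) because
  # browsers match the hostname against the SAN, not the CN.
  cat > "$WORK/opencsr.cnf" <<'EOF'
[ req ]
default_bits       = 2048
default_md         = sha256
string_mask        = nombstr
prompt             = no
distinguished_name = req_distinguished_name
req_extensions     = v3_req

[ req_distinguished_name ]
O  = Example Org
OU = Example Unit
CN = server.example.test

[ v3_req ]
basicConstraints     = CA:FALSE
subjectKeyIdentifier = hash
subjectAltName       = DNS:server.example.test
EOF
}

# Self-signed CA, as in the post but with -nodes so no passphrase prompt.
make_ca() {
  openssl req -new -x509 -nodes -newkey rsa:2048 -extensions v3_ca \
    -keyout "$WORK/openca_key.pem" -out "$WORK/openca_crt.pem" \
    -days 365 -config "$WORK/openca.cnf" 2>/dev/null
}

# CSR plus private key, then sign with the CA. -extfile/-extensions carry
# the v3_req section from the CSR config into the issued certificate.
make_server_cert() {
  openssl req -new -nodes -keyout "$WORK/opencert_key.pem" \
    -out "$WORK/opencert_req.pem" -config "$WORK/opencsr.cnf" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -CAcreateserial \
    -CA "$WORK/openca_crt.pem" -CAkey "$WORK/openca_key.pem" \
    -in "$WORK/opencert_req.pem" -out "$WORK/opencert_crt.pem" \
    -extfile "$WORK/opencsr.cnf" -extensions v3_req 2>/dev/null
}

# Exit status 0 when the server certificate chains to the CA.
verify_chain() {
  openssl verify -CAfile "$WORK/openca_crt.pem" "$WORK/opencert_crt.pem" >/dev/null 2>&1
}

# Prints the basicConstraints value of a certificate, e.g. CA:FALSE
basic_constraints() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | tail -n1 | tr -d ' '
}

# Prints the RSA modulus size in bits
key_bits() {
  openssl x509 -in "$1" -noout -text | grep -o 'Public-Key: ([0-9]* bit)' | grep -o '[0-9]*'
}

# Prints the signature algorithm, e.g. sha256WithRSAEncryption
sig_alg() {
  openssl x509 -in "$1" -noout -text | grep 'Signature Algorithm' | head -n1 | awk '{print $3}'
}

# Exit status 1 (not found) for any certificate: the decoded X.509 text has
# no SSL/TLS version field, because the protocol is negotiated per connection.
mentions_protocol_version() {
  openssl x509 -in "$1" -noout -text | grep -Eqi 'TLSv|SSLv'
}

write_configs
make_ca
make_server_cert
verify_chain && echo "chain OK: opencert_crt.pem is signed by openca_crt.pem"
echo "server cert: $(basic_constraints "$WORK/opencert_crt.pem"), $(key_bits "$WORK/opencert_crt.pem")-bit, $(sig_alg "$WORK/opencert_crt.pem")"
```

Run it with a current OpenSSL; `-nodes` is still accepted by OpenSSL 3 (where `-noenc` is the newer spelling). The files land in `$WORK`, so point `WORK` at a directory of your choice to keep them.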