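$!-----------------------------------------------------------------'f$verify(0)
$! CREATE_CA_CERT.COM
$!
$! Create our own "Certificate Authority" certificate!
$! This procedure is very "quick-and-dirty", use with that in mind!
$!
$! P1 optionally specifies the configuration file (defaults to DEFAULT.CNF)
$!
$! Flow: SET DEFAULT to the procedure's own directory, invoke FIND_SSL and
$! CREATE_SUPPORT_FILES, generate a self-signed CA certificate plus its RSA
$! key with "openssl req" (OpenSSL prompts for the key pass phrase on the
$! terminal), append the key to the certificate as [.CERT]_CACERT.PEM,
$! derive a DER copy [.CERT]_CACERT.CRT, then delete the work files and
$! remove World access from the certificate and work directories.
$!
$! Tunables (assigned only when the caller has not already defined the symbol):
$!   validDays       certificate lifetime in days (1825)
$!   rsaKeySize      RSA modulus size in bits (2048)
$!   configFileName  OpenSSL configuration file, taken from P1 (default.cnf)
$!
$! NOTE: [.CERT]_CACERT.PEM contains the CA PRIVATE KEY as well as the
$! certificate.  Cleanup only removes World access (SET PROTECTION=W); the
$! resulting System/Owner/Group access is whatever the process default
$! protection gave the files, so check it suits your environment.
$!
$! WASD VMS Hypertext Services, Copyright (C) 1996-2010 Mark G.Daniel.
$! This program comes with ABSOLUTELY NO WARRANTY.
$! This is free software, and you are welcome to redistribute it under the
$! conditions of the GNU GENERAL PUBLIC LICENSE, version 3, or later version.
$! http://www.gnu.org/licenses/gpl.txt
$!
$! 04-APR-2010  MGD  OpenSSL v1.0.0 use OPENSSL_CONF instead of -config
$! 01-OCT-2003  MGD  minor refinements
$! 10-JAN-2003  MGD  OPENSSL-0_9_7
$! 07-APR-2001  MGD  OPENSSL-0_9_6A
$! 25-SEP-2000  MGD  OPENSSL-0_9_6
$! 05-MAR-2000  MGD  OPENSSL-0_9_5
$! 17-AUG-1999  MGD  refinement (OPENSSL-0_9_4)
$! 04-JUN-1999  MGD  OPENSSL-0_9_3 (adapted from earlier procedures)
$!-----------------------------------------------------------------------------
$!
$!(f$type() returns "" when the symbol is undefined, so caller values win)
$ if f$type(validDays) .eqs. "" then validDays = 1825 !(5*365 == five years!)
$ if f$type(rsaKeySize) .eqs. "" then rsaKeySize = 2048 !(bits)
$ if f$type(configFileName) .eqs. "" then configFileName = f$edit(P1,"lowercase")
$!
$!(both directories are relative to the procedure's own directory, see the
$! SET DEFAULT below)
$ certDir = "[.CERT]"
$ workDir = "[.CERT.WORK]"
$ if configFileName .eqs. "" then configFileName = "default.cnf"
$!(ensure exactly one ".cnf" suffix: strip the first occurrence, then append)
$ configFileName = configFileName - ".cnf" + ".cnf"
$!
$ say = "write sys$output"
$!
$ on error then goto serverError
$!(procedure's own device+directory becomes the default; the previous
$! default is remembered so it can be restored on every exit path)
$ procedure = f$environment("procedure") - "000000."
$ newDefault = f$parse(procedure,,,"device") + f$parse(procedure,,,"directory")
$ prevDefault = f$environment("default")
$ set default 'newDefault'
$!
$!(sibling procedures; presumably locate the OpenSSL image and create the
$! configuration/support files - not visible here)
$ @FIND_SSL
$ @CREATE_SUPPORT_FILES
$!
$ type sys$input

        *******************************
        * CREATE NEW CA CERTIFICATE *
        *******************************

The Certificate Authority (CA) identifies the authority, or organization,
that issues a certificate.  Obviously creating your own CA certificate does
not make you an AUTHORITY per se, but it does allow you to issue server and
client certificates for your own purposes.

$ read sys$command response /prompt="Continue? [N]: "
$ say ""
$!(a plain EXIT here would leave the process default set to the procedure's
$! directory; go through the cleanup so SET DEFAULT is restored)
$ if .not. response then goto caCleanup
$!
$ type sys$input

        *****************************
        * GENERATING .PEM VERSION *
        *****************************

Remember the 'pass phrase' (password) - it's case sensitive!"
It will be needed whenever a server certificate is generated.

$ set noon
$!(OpenSSL reads the pass phrase from the terminal, not from the procedure)
$ define /user sys$input sys$command
$!(^Y during password entry leaves the terminal kaput!)
$ set nocontrol=y
$!(OpenSSL v1.0.0 takes its configuration from the OPENSSL_CONF logical,
$! defined /USER so it applies to this image only)
$ define /user openssl_conf 'configFileName'
$ openSSL req -newkey rsa:'rsaKeySize' -days 'validDays' -verify -new -x509 -
   -outform PEM -out 'workDir'TMPCERT.PEM -
   -keyout 'workDir'TMPKEY.PEM
$ set control=y
$ set on
$!
$!(append key to certificate as final file - this file therefore holds the
$! CA private key and must stay protected)
$ copy = "copy/nolog/noconfirm"
$ copy 'workDir'TMPCERT.PEM,'workDir'TMPKEY.PEM 'certDir'_CACERT.PEM
$ say ""
$!
$ type sys$input

        ***********************************
        * GENERATING DER (.CRT) VERSION *
        ***********************************

$ set noon
$ define /user sys$input sys$command
$ define /user openssl_conf 'configFileName'
$!(DER output is the certificate only; the key is not carried over)
$ OpenSSL x509 -inform PEM -serial -issuer -outform DER -
   -in 'certDir'_CACERT.PEM -out 'certDir'_CACERT.CRT
$ set on
$ say ""
$!
$ type sys$input

        *********************
        * C O M P L E T E *
        *********************

New CA certificate:

$ say "PEM = " + f$search("''certDir'_CACERT.PEM")
$ say "CRT = " + f$search("''certDir'_CACERT.CRT")
$ say ""
$!
$ goto caCleanup
$!
$ serverError:
$!'f$verify(0)
$ type sys$input

        ***************
        * E R R O R *
        ***************

$!
$ caCleanup:
$!(work copies of the certificate and key are no longer needed; messages
$! from DELETE/SET PROTECTION are discarded because the files may not exist)
$ define /user sys$output nl:
$ define /user sys$error nl:
$ delete 'workDir'*.PEM;*
$ define /user sys$output nl:
$ define /user sys$error nl:
$!(SET PROTECTION=W with no access codes removes all World access)
$ set prot=w 'certDir'*.*;*
$ set prot=w 'workDir'*.*;*
$!(RANDFILE is presumably a global symbol left by the support procedures)
$ if f$type(RANDFILE) .nes. "" then delete/symbol/global RANDFILE
$!
$ set default 'prevDefault'
$!
$!-----------------------------------------------------------------------------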