The hcmds64ssltool command creates a private key, CSR, self-signed certificate, and the self-signed certificate content file that are required for an SSL connection.
The created files are used for the following purposes:
- The CSR is submitted to CA to obtain the SSL server certificate. You can build an SSL connection environment by combining the obtained SSL server certificate with the private key.
- You can build an SSL connection environment by combining the self-signed certificate and the private key. However, use this environment only for test purposes, because its security level is low.
- You can verify the information registered in the self-signed certificate by viewing the self-signed certificate content file.
The syntax is:
hcmds64ssltool [/key private-key-file] [/csr certificate-signed-request-file] [/cert self-signed-certificate-file] [/certtext self-signed-certificate-content-file] [/validity expiration-date] [/dname distinguished-name(DN)] [/sigalg RSA-server-certificate-signature-algorithm] [/eccsigalg ECC-server-certificate-signature-algorithm] [/ecckeysize ECC-private-key-size] [/ext extension-information-for-the-X.509-certificate]
where:
- /key specifies the absolute path of the private key file that is created. If you omit this option, the files are output to the default output destination path with the file name httpsdkey.pem (for RSA) and ecc-httpsdkey.pem (for ECC). The default output destination when you omit this option is as follows:
Common-Component-installation-folder\uCPSB11\httpsd\conf\ssl\server
- /csr specifies the absolute path of the certificate signing request file that is created. If you omit this option, the files are output to the default output destination path with the file name httpsd.csr (for RSA) and ecc-httpsd.csr (for ECC). The default output destination when you omit this option is as follows:
Common-Component-installation-folder\uCPSB11\httpsd\conf\ssl\server
- /cert specifies the absolute path of the self-signed certificate file that is created. If you omit this option, the files are output to the default output destination path with the file name httpsd.pem (for RSA) and ecc-httpsd.pem (for ECC). The default output destination when you omit this option is as follows:
Common-Component-installation-folder\uCPSB11\httpsd\conf\ssl\server
- /certtext specifies the absolute path of the self-signed certificate content file that is created. If you omit this option, the files are output to the default output destination path with the file name httpsd.txt (for RSA) and ecc-httpsd.txt (for ECC). The default output destination when you omit this option is as follows:
Common-Component-installation-folder\uCPSB11\httpsd\conf\ssl\server
- /validity specifies the expiry date of the self-signed certificate in the number of days. If this option is omitted, the expiry date becomes 3,650 days. A specifiable value is a number of days until December 31, 9999.
- /sigalg specifies the signature algorithm of the RSA certificate as SHA256withRSA, or SHA1withRSA. If you omit this option, the default of SHA256withRSA is used.
- /eccsigalg specifies the signature algorithm of the ECC certificate as SHA512withECDSA, SHA384withECDSA, SHA256withECDSA, or SHA1withECDSA. If you omit this option, the default of SHA384withECDSA is used.
- /ecckeysize specifies the key size of the private key for the ECC server certificates in bits as 256 or 384. If you omit this option, the default of 384 is used.
- /ext specifies the extension information for the X.509 certificate. To set the SAN (Subject Alternative Name) on the self-signed certificate and certificate signing request, specify this option. The specification method is based on the /ext option of the keytool command in Java. Note, however, that the only extension that can be specified in Ops Center Automator is SAN. If you specify the /ext option multiple times, the first specification takes effect.
The following are examples of specifying the extension information.
- To specify www.example.com as the host name:
hcmds64ssltool /ext san=dns:www.example.com
- To specify www.example.com and www.example.net as multiple host names:
hcmds64ssltool /ext san=dns:www.example.com,dns:www.example.net
- /dname specifies the identification name (DN) written in the SSL server certificate in the attribute-type=attribute-value format. You can specify a value with multiple attribute types by separating with a comma (,). The attribute-type is case insensitive. The attribute-value cannot include a double quotation mark (") or backslash (\).
Follow RFC 2253 for character escapes.
Escape the following characters with a backslash (\).
- + , ; < = >
- A space at the beginning of the character string
- A space at the end of the character string
- A hash mark (#) at the beginning of the character string
If you omit this option, you will input the attribute values by response input according to the prompt displayed when you run the command.
The following table describes attribute types that can be specified in this option.
Table. List of attribute types that can be specified in the identification name (DN)

| Attribute type | Description | Prompt displayed | Value |
| --- | --- | --- | --- |
| CN | Common Name | Server Name | Identification name of the Ops Center Automator server, such as a host name, IP address, or domain name (#) |
| OU | Organizational Unit Name | Organizational Unit | Organization name of a small unit, such as a department or division name |
| O | Organization Name | Organization Name | Organization name of the company or organization (#) |
| L | Locality Name | City or Locality | Name of the city or locality |
| ST | State or Province Name | State or Province | Name of the state or province |
| C | Country Name | Two-character country code | Country code |

#: Required when you use a response input.
The following shows an example of a response input:
Enter Server Name [default=MyHostname]:example.com
Enter Organizational Unit:Automation Administration
Enter Organization Name [default=MyHostname]:HITACHI
Enter your City or Locality:Sanfrancisco
Enter your State or Province:California
Enter your two-character country-code:US
Is CN=example.com,OU=Automation Administration,O=HITACHI,L=Sanfrancisco,ST=California,C=US correct? (y/n) [default=n]:y
If you made a mistake when inputting a value, enter n at the confirmation to do the response input again.
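As an added illustration that is not part of the product documentation, the following Python helper applies the /dname escaping rules and the /ext SAN format described above to assemble an hcmds64ssltool argument list; the function names and the validation it performs are my own, not the tool's.

```python
from datetime import date

FORBIDDEN = '"\\'            # never allowed in an attribute value
ESCAPE_ALWAYS = "+,;<=>"     # escaped wherever they appear
ATTRIBUTE_ORDER = ("CN", "OU", "O", "L", "ST", "C")
REQUIRED = ("CN", "O")       # the attributes marked # in the table above
RSA_SIGALGS = ("SHA256withRSA", "SHA1withRSA")

def escape_dn_value(value: str) -> str:
    """Escape one attribute value with the RFC 2253 rules listed above."""
    if any(ch in FORBIDDEN for ch in value):
        raise ValueError('attribute value must not contain " or \\')
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        # leading/trailing space and a leading # are escaped; +,;<=> always
        if ch in ESCAPE_ALWAYS or (ch == " " and i in (0, last)) or (ch == "#" and i == 0):
            out.append("\\")
        out.append(ch)
    return "".join(out)

def build_dname(attrs: dict) -> str:
    """Assemble the /dname string; attribute types are case-insensitive."""
    norm = {k.upper(): v for k, v in attrs.items()}
    unknown = sorted(set(norm) - set(ATTRIBUTE_ORDER))
    if unknown:
        raise ValueError(f"unsupported attribute type(s): {unknown}")
    missing = [k for k in REQUIRED if not norm.get(k)]
    if missing:
        raise ValueError(f"required attribute(s) missing: {missing}")
    if "C" in norm and len(norm["C"]) != 2:
        raise ValueError("C must be a two-character country code")
    return ",".join(f"{k}={escape_dn_value(norm[k])}" for k in ATTRIBUTE_ORDER if k in norm)

def build_command(attrs, san_hosts=(), validity_days=None, sigalg="SHA256withRSA"):
    """Return the argument list; a single /ext is emitted because only the first one counts."""
    if sigalg not in RSA_SIGALGS:
        raise ValueError(f"/sigalg must be one of {RSA_SIGALGS}")
    args = ["hcmds64ssltool", "/dname", build_dname(attrs), "/sigalg", sigalg]
    if san_hosts:
        # keytool-style SAN list with no spaces, so the shell keeps it as one argument
        args += ["/ext", "san=" + ",".join("dns:" + h for h in san_hosts)]
    if validity_days is not None:
        max_days = (date(9999, 12, 31) - date.today()).days
        if not 1 <= validity_days <= max_days:
            raise ValueError(f"/validity must be between 1 and {max_days} days")
        args += ["/validity", str(validity_days)]
    return args
```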
Remarks
If the attribute type CN of the SSL server certificate does not match the host name, IP address or domain name specified as the connection target from the Web browser to the Ops Center Automator server, a server name mismatch warning or error occurs.