hcmds64ssltool command

Ops Center Automator User Guide

Version
10.8.x
Part Number
MK-99AUT001-14

The hcmds64ssltool command creates a private key, CSR, self-signed certificate, and the self-signed certificate content file that are required for an SSL connection.

The created files are used for the following purposes:

  • The CSR is submitted to a CA to obtain the SSL server certificate. You can build an SSL connection environment by combining the obtained SSL server certificate with the private key.
  • You can build an SSL connection environment by combining the self-signed certificate and the private key. However, use this environment only for test purposes, because the security level is low.
  • You can verify the information registered in the self-signed certificate by viewing the self-signed certificate content file.

The syntax is:

hcmds64ssltool [/key private-key-file] [/csr certificate-signed-request-file] [/cert self-signed-certificate-file] [/certtext self-signed-certificate-content-file] [/validity expiration-date] [/dname distinguished-name(DN)] [/sigalg RSA-server-certificate-signature-algorithm] [/eccsigalg ECC-server-certificate-signature-algorithm] [/ecckeysize ECC-private-key-size] [/ext extension-information-for-the-X.509-certificate]

where:

  • /key specifies the absolute path of the private key file that is created. If you omit this option, the files are output to the default output destination path with the file name httpsdkey.pem (for RSA) and ecc-httpsdkey.pem (for ECC). The default output destination when you omit this option is as follows:
    Common-Component-installation-folder\uCPSB11\httpsd\conf\ssl\server
  • /csr specifies the absolute path of the certificate signing request file that is created. If you omit this option, the files are output to the default output destination path with the file name httpsd.csr (for RSA) and ecc-httpsd.csr (for ECC). The default output destination when you omit this option is as follows:
    Common-Component-installation-folder\uCPSB11\httpsd\conf\ssl\server
  • /cert specifies the absolute path of the self-signed certificate file that is created. If you omit this option, the files are output to the default output destination path with the file name httpsd.pem (for RSA) and ecc-httpsd.pem (for ECC). The default output destination when you omit this option is as follows:
    Common-Component-installation-folder\uCPSB11\httpsd\conf\ssl\server
  • /certtext specifies the absolute path of the self-signed certificate content file that is created. If you omit this option, the files are output to the default output destination path with the file name httpsd.txt (for RSA) and ecc-httpsd.txt (for ECC). The default output destination when you omit this option is as follows:
    Common-Component-installation-folder\uCPSB11\httpsd\conf\ssl\server
  • /validity specifies the validity period of the self-signed certificate as a number of days. If you omit this option, the validity period is 3,650 days. You can specify any number of days that does not extend past December 31, 9999.
  • /sigalg specifies the signature algorithm of the RSA certificate as SHA256withRSA or SHA1withRSA. If you omit this option, the default of SHA256withRSA is used.
  • /eccsigalg specifies the signature algorithm of the ECC certificate as SHA512withECDSA, SHA384withECDSA, SHA256withECDSA, or SHA1withECDSA. If you omit this option, the default of SHA384withECDSA is used.
  • /ecckeysize specifies the key size of the private key for the ECC server certificates in bits as 256 or 384. If you omit this option, the default of 384 is used.
  • /ext specifies the extension information for the X.509 certificate. To set the SAN (Subject Alternative Name) on the self-signed certificate and certificate signing request, specify this option. The specification method is based on the /ext option of the keytool command in Java. Note, however, that the only extension that can be specified in Ops Center Automator is SAN. If you specify the /ext option multiple times, the first specification takes effect.

    The following is an example of specifying the extension information.

    • To specify www.example.com as the host name:
      hcmds64ssltool /ext san=dns:www.example.com
    • To specify www.example.com and www.example.net as multiple host names:
      hcmds64ssltool /ext san=dns:www.example.com,dns:www.example.net
  • /dname specifies the distinguished name (DN) written in the SSL server certificate in the attribute-type=attribute-value format. You can specify multiple attribute types by separating them with a comma (,). The attribute-type is case insensitive. The attribute-value cannot include a double quotation mark (") or backslash (\).

    Follow RFC 2253 for character escapes.

    Escape the following characters with a backslash (\).

    • + , ; < = >
    • A space at the beginning of the character string
    • A space at the end of the character string
    • A hash mark (#) at the beginning of the character string

    If you omit this option, you will input the attribute values by response input according to the prompt displayed when you run the command.

    The following table describes attribute types that can be specified in this option.

    Table. List of attribute types that can be specified in the distinguished name (DN)

    Attribute type | Description              | Prompt displayed           | Value
    CN             | Common Name              | Server Name                | Identification name of the Ops Center Automator server such as a host name, IP address, and domain name#
    OU             | Organizational Unit Name | Organizational Unit        | Organization name of a small unit such as a department or division name
    O              | Organization Name        | Organization Name          | Organization name of the company or organization#
    L              | Locality Name            | City or Locality           | Name of the city or locality
    ST             | State or Province Name   | State or Province          | Name of the state or province
    C              | Country Name             | Two-character country code | Country code

    #: Required when you use a response input.

    The following shows an example of a response input:

    Enter Server Name [default=MyHostname]:example.com
    Enter Organizational Unit:Automation Administration
    Enter Organization Name [default=MyHostname]:HITACHI
    Enter your City or Locality:Sanfrancisco
    Enter your State or Province:California
    Enter your two-character country-code:US
    Is CN=example.com,OU=Automation Administration,O=HITACHI,L=Sanfrancisco,ST=California,C=US correct? (y/n) [default=n]:y
    

    If you make a mistake when entering a value, enter n at the confirmation prompt to repeat the response input.

Remarks

If the attribute type CN of the SSL server certificate does not match the host name, IP address or domain name specified as the connection target from the Web browser to the Ops Center Automator server, a server name mismatch warning or error occurs.
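
The following Python code is an added example, not part of the Hitachi guide or the tool itself. It applies the /dname escaping rules and the /ext SAN syntax described above to build an argument list for hcmds64ssltool. The function names, the refusal of the SHA-1 algorithms, the host name pattern, and the sample values are assumptions of this example.

```python
import re

# Values listed on this page for /sigalg and /eccsigalg, and the DN attribute types.
RSA_SIGALGS = {"SHA256withRSA", "SHA1withRSA"}
ECC_SIGALGS = {"SHA512withECDSA", "SHA384withECDSA", "SHA256withECDSA", "SHA1withECDSA"}
DN_ORDER = ("CN", "OU", "O", "L", "ST", "C")


def escape_dn_value(value):
    """Escape one attribute value with the backslash rules listed for /dname."""
    if '"' in value or "\\" in value:
        raise ValueError('attribute value cannot include " or \\')
    lead = value[:1] in (" ", "#")                    # leading space or hash mark
    trail = len(value) > 1 and value.endswith(" ")    # trailing space
    body = re.sub(r"([+,;<=>])", r"\\\1", value)
    if trail:
        body = body[:-1] + "\\ "
    return "\\" + body if lead else body


def build_dname(attrs):
    """Join attribute-type=attribute-value pairs with commas, in table order."""
    attrs = {k.upper(): v for k, v in attrs.items()}  # attribute type is case insensitive
    unknown = set(attrs) - set(DN_ORDER)
    if unknown:
        raise ValueError(f"unsupported attribute types: {sorted(unknown)}")
    return ",".join(f"{k}={escape_dn_value(attrs[k])}" for k in DN_ORDER if k in attrs)


def build_args(dn, san_hosts, sigalg="SHA256withRSA", eccsigalg="SHA384withECDSA"):
    """Return an argv list for hcmds64ssltool, for subprocess.run() without a shell."""
    if sigalg not in RSA_SIGALGS or eccsigalg not in ECC_SIGALGS:
        raise ValueError("signature algorithm is not one the tool lists")
    if sigalg.startswith("SHA1") or eccsigalg.startswith("SHA1"):
        raise ValueError("SHA-1 signatures rejected (policy of this example)")
    for host in san_hosts:
        if not re.fullmatch(r"[A-Za-z0-9.-]+", host):  # also blocks spaces and commas
            raise ValueError(f"invalid SAN host name: {host!r}")
    san = "san=" + ",".join(f"dns:{h}" for h in san_hosts)  # one argument, no spaces
    return ["hcmds64ssltool", "/dname", build_dname(dn), "/ext", san,
            "/sigalg", sigalg, "/eccsigalg", eccsigalg]


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    dn = {"cn": "automator.example.com", "ou": "#1 Ops ", "o": "Example, Inc.", "c": "US"}
    print(build_args(dn, ["automator.example.com", "www.example.net"]))
```

Passing the result as a list keeps the DN, which may contain spaces and commas, as a single argument instead of relying on command-line quoting.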