Using OpenSSL to Create a Certificate Authority Key and Secure iFIX WebSpace Connections

belchertownshuffleAI and Robotics

Nov 21, 2013 (3 years and 6 months ago)



The iFIX WebSpace requires that the certificate be in PEM (Privacy Enhanced Mail) format. PEM is an early standard for securing the transmission of electronic information. An open source SSL toolkit, OpenSSL, allows you to create a Certificate Authority Key and secure your iFIX WebSpace connections. OpenSSL can decrypt, encrypt, sign and verify CMS documents. CMS (Cryptographic Message Syntax) is based on the syntax of PKCS#7 (Public-Key Cryptography Standards), which in turn is based on PEM.

To create a Certificate Authority Key using OpenSSL, follow the steps in the example below.

(1) To download OpenSSL for Windows, browse to http://slproweb.com/products/Win32OpenSSL.html and download the latest version. In this example we are using version 1.0.1c (Win32OpenSSL_Light-1_0_1c.exe).

(2) Install Win32 OpenSSL for Windows, keeping every setting at its default. During the install, you might receive an error that Microsoft Visual C++ 2008 Redistributables are not detected on your system. If this should occur, download and install the Microsoft Visual C++ 2008 Redistributables located at http://www.microsoft.com/en-us/download/details.aspx?id=29.

(3) Open a command prompt and browse to the OpenSSL-Win32\bin folder.

(4) Type openssl genrsa -out ca.key 1024 to generate an RSA private key with an output filename of ca.key and a private key size of 1024 bits. If you receive an error “WARNING: can’t open config file: /usr/local/ssl/openssl.cnf”, type set OPENSSL_CONF=C:\openssl-win32\bin\openssl.cfg and try this step again.

(5) Type openssl req -new -key ca.key -out ca.csr to generate a new certificate request file using the RSA private key created in step 4 above. In creating the CSR, you will be prompted to answer several questions to fill in the request. See Figure 1 below.

Note: In this step, be sure to enter the iFIX WebSpace server name for Common Name. The example uses a server name “Dale”.






Figure 1



(6) Using Notepad, create a “ca.cfg” file. Paste the following into a new text file and save as ca.cfg by selecting Save As, entering “ca.cfg” into the File Name field (including the double-quotes), and save it into the C:\openssl-win32\bin folder:

extensions = x509v3
[ x509v3 ]
subjectAltName = email:copy
basicConstraints = CA:true,pathlen:0
nsComment = "ACME Anvils CA"
nsCertType = sslCA


(7) Back at the command prompt, type openssl x509 -req -extfile ca.cfg -days 1825 -signkey ca.key -in ca.csr -out ca.crt to sign the certificate request, set its lifespan to 1825 days, and include the certificate extensions created in step 6 as well as the CSR created in step 5.

(8) Open ca.cfg in Notepad and perform a Save As to create a new file named server.cfg. Make sure to place it into the C:\openssl-win32\bin folder.

(9) Make the following changes to server.cfg and save (see Figure 2):

a. Remove the basicConstraints line
b. Modify nsComment to reflect your Company Name
c. Change nsCertType to “server”




Figure 2


(10) Back at the command prompt, type echo 01 > ca.serial to create a file that will hold the certificate serial numbers.

(11) Type openssl genrsa -out server.key 1024 to generate an RSA private key with an output filename of server.key and a private key size of 1024 bits.

(12) Type openssl req -new -key server.key -out server.csr to generate a new certificate request file using the RSA private key created in step 11. In creating the CSR, you will be prompted to answer several questions to fill in the request. Refer to the example in Figure 3.

Note: In this step, be sure to enter the iFIX WebSpace server name for Common Name. The example uses a server name “Dale”.





Figure 3


(13) Type openssl x509 -req -extfile server.cfg -days 1825 -CA ca.crt -CAkey ca.key -CAserial ca.serial -in server.csr -out server.crt to sign the server certificate request using the CA certificate and private key created in previous steps. Lifespan is set for 1825 days.

(14) Copy the ca.crt, server.key and server.crt files to a privileged directory such as C:\Windows on the iFIX WebSpace server.

(15) On the iFIX WebSpace server, open the iFIX WebSpace Administration dialog box. Choose Tools>Hosts Options>Security tab. In the Transport drop down box, choose SSL. In the SSL Certificate field box, browse to the “server.crt” file in the Windows directory. Check the “Notify users when connections are secure” checkbox. Click OK. See Figure 4.




Figure 4



(16) From a remote node, establish a connection with the iFIX WebSpace server. Note the Security Alert dialog box (see Figure 5) and click YES.




Figure 5



(17) You will then receive a security connection notification (see Figure 6). Click OK.




Figure 6




(18) Finally, log on to your iFIX WebSpace server. Your iFIX WebSpace connection and session are now fully encrypted using 56-bit encryption.
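
A check worth running between steps 13 and 14, as an added example that is not part of the original document: a Windows batch file that confirms server.crt verifies against ca.crt, that server.key belongs to server.crt, and that the extensions from ca.cfg and server.cfg ended up in the right certificates. It assumes the file names used in the steps above and OpenSSL 1.0.1 output wording.

```batch
@echo off
rem Added example, not from the original document. Assumed file names are
rem the ones used in the steps above; run it from the folder that holds them.
setlocal
set FAIL=0

rem server.crt must verify against ca.crt. The output is searched for "OK"
rem so the result does not depend on the exit code of the installed version.
rem This can fail when both requests were given identical subject fields,
rem because server.crt then looks self-issued.
openssl verify -CAfile ca.crt server.crt | findstr /c:": OK" >nul
if errorlevel 1 (echo FAIL: server.crt does not verify against ca.crt& set FAIL=1)

rem The private key must belong to the certificate: compare the RSA moduli.
set CRTMOD=
set KEYMOD=
for /f "delims=" %%a in ('openssl x509 -noout -modulus -in server.crt') do set CRTMOD=%%a
for /f "delims=" %%a in ('openssl rsa -noout -modulus -in server.key') do set KEYMOD=%%a
if not defined CRTMOD (echo FAIL: could not read the modulus from server.crt& set FAIL=1)
if not "%CRTMOD%"=="%KEYMOD%" (echo FAIL: server.key does not match server.crt& set FAIL=1)

rem Only ca.crt may be a CA: step 6 sets basicConstraints, step 9a removes it.
openssl x509 -in ca.crt -noout -text | findstr /c:"CA:TRUE" >nul
if errorlevel 1 (echo FAIL: ca.crt is missing basicConstraints CA:true& set FAIL=1)
openssl x509 -in server.crt -noout -text | findstr /c:"CA:TRUE" >nul
if not errorlevel 1 (echo FAIL: server.crt still carries CA:true& set FAIL=1)

rem server.crt must carry the nsCertType "server" value set in step 9c,
rem which the text dump prints as "SSL Server".
openssl x509 -in server.crt -noout -text | findstr /c:"SSL Server" >nul
if errorlevel 1 (echo FAIL: server.crt is missing nsCertType server& set FAIL=1)

rem Print subject, issuer, validity dates and key size for a manual review.
rem The Common Name should be the iFIX WebSpace server name from step 12.
openssl x509 -in server.crt -noout -subject -issuer -dates
openssl x509 -in server.crt -noout -text | findstr /c:"Public-Key"

if %FAIL%==0 echo All checks passed
exit /b %FAIL%
```

The script exits with 0 when every check passes and 1 otherwise, so it can gate the copy in step 14.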