After generating a digital certificate for the CA, the server, and (optionally) the client,
you must tell the OpenSSL client application which CA or CAs it should trust. This
list is called a trust list.
Note: Starting in the third maintenance
release of SAS, you can use the SAS Deployment Manager after Installation
to add to the Trusted CA Bundle of Certificates.
If there is only one CA to trust, specify in the client application the name of the
file that contains that CA's digital certificate.
If multiple CAs are to be trusted, copy the contents of each CA's digital certificate
into a single new file. The entries can be intermediate or root CA certificates, added
in any order. Only CA certificates act as trust anchors: the server's own (primary)
certificate, which the template below also shows, is not needed for the client to
validate the server, because the server presents it during the TLS handshake, but it
does no harm if you include it. To create a new trust list manually, use the
following template:
(Your Server Certificate - ssl.crt)
-----BEGIN CERTIFICATE-----
<PEM encoded certificate>
-----END CERTIFICATE-----
(Your Intermediate CA Certificate(s))
-----BEGIN CERTIFICATE-----
<PEM encoded certificate>
-----END CERTIFICATE-----
(Your Root CA Certificate)
-----BEGIN CERTIFICATE-----
<PEM encoded certificate>
-----END CERTIFICATE-----
A PEM certificate is base64 text, so its body is not human-readable; in the template
it is represented as <PEM encoded certificate>. The content of each certificate is
delimited by a -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- pair, and all
text outside the delimiters is ignored. Descriptive comments, such as the parenthesized
labels in the template, therefore belong on lines outside the delimiters; never place
them between a BEGIN line and its END line, and do not alter the delimiter lines
themselves.
Generally, OpenSSL writes .pem files, commercial CAs return .crt files, and Microsoft
CAs return .cer files. The extension does not tell you the encoding: a .crt or .cer
file can be either PEM (base64 text between the delimiters above) or DER (binary), so
check the content before you combine files. Instead of manually cutting and pasting
(whatever the extensions), you can use the UNIX cat command to concatenate the
certificate files. For example, you can take an intermediate CA certificate file, a
root CA certificate file, and the primary certificate file and concatenate them into a
single PEM file. Every certificate in the combined file must be PEM encoded; convert
any DER-encoded file to PEM first (openssl x509 with -inform der and -outform pem
does this).
An example of concatenating
certificates is as follows:
cat server.pem > certchain.pem
cat intermediateCA.pem >> certchain.pem
cat rootCA.pem >> certchain.pem
Note: In a trust list the certificates can be in any order. Two things do matter:
each input file must end with a newline, otherwise the END line of one certificate
and the BEGIN line of the next run together and the file no longer parses; and if
you also use the same file as the server's certificate chain, the server certificate
must come first, followed by its issuing intermediates.
Because a certificate is encoded, it is not human-readable. To view the contents of a
PEM-encoded certificate, use openssl x509, whatever the file extension. Note that
openssl x509 reads only the first certificate in a file; to inspect every entry in a
concatenated trust list, split the file or loop over its entries.
openssl x509 -in cert.pem -text -noout
openssl x509 -in cert.cer -text -noout
openssl x509 -in cert.crt -text -noout
Use the following OpenSSL command to view a DER-encoded certificate:
openssl x509 -in certificate.der -inform der -text -noout
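The following script is an added example and is not part of the SAS documentation or its own tooling. It puts the whole procedure together: it detects whether each CA file is PEM or DER regardless of extension, converts DER to PEM, concatenates the files (adding a missing final newline), splits the resulting trust list so that every entry can be read with openssl x509, and then runs the check that actually matters, openssl verify against the trust list. The CA and server certificates in the demo are throwaway keys generated on the fly (the names caA, caB, server.example and trustlist.pem are assumptions); the two-entry sample bundle has placeholder bodies and is constructed only to exercise the structural helpers. The demo needs the openssl CLI and skips itself when it is absent.

```shell
#!/bin/sh
# Added example, not part of the SAS documentation: build an OpenSSL trust list
# from CA certificate files of mixed encoding, inspect every entry, and confirm
# that a server certificate validates against it. The demo needs the openssl
# CLI; the structural helpers are plain grep/awk.

# True if the file holds PEM-armored certificates, whatever its extension says.
is_pem_file() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Number of certificates in a PEM file or bundle (0 for DER input).
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Append one certificate file to the bundle. DER input (common for .cer/.crt files
# from Windows CAs) is converted to PEM first. A missing final newline is added so
# the END line of this certificate and the BEGIN line of the next never merge.
add_to_bundle() {
    cert=$1; bundle=$2
    if is_pem_file "$cert"; then
        cat "$cert" >> "$bundle"
        [ -z "$(tail -c 1 "$cert")" ] || printf '\n' >> "$bundle"
    else
        openssl x509 -in "$cert" -inform der >> "$bundle"
    fi
}

# Split a bundle into cert-01.pem, cert-02.pem, ... Text outside the delimiters
# (the descriptive labels) is dropped. Needed because "openssl x509" only ever
# prints the first certificate of a file.
split_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n) }
        f                             { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
    ' "$bundle"
}

# Print subject and issuer of every certificate in the bundle.
describe_bundle() {
    dir=$(mktemp -d)
    split_bundle "$1" "$dir"
    for c in "$dir"/cert-*.pem; do
        openssl x509 -in "$c" -noout -subject -issuer
    done
    rm -rf "$dir"
}

# Constructed two-entry bundle with placeholder bodies (not real certificates);
# it exercises only the structural helpers above.
make_sample_bundle() {
    cat > "$1" <<'EOF'
(Root CA Certificate - placeholder body, constructed for this example)
-----BEGIN CERTIFICATE-----
MIIBxjCCAWygAwIBAgIUPLACEHOLDER00000000000000000000000000000wCgYIKoZI
-----END CERTIFICATE-----
(Intermediate CA Certificate - placeholder body, constructed for this example)
-----BEGIN CERTIFICATE-----
MIIBxjCCAWygAwIBAgIUPLACEHOLDER11111111111111111111111111111wCgYIKoZI
-----END CERTIFICATE-----
EOF
}

# End-to-end demo with throwaway keys: two root CAs (one delivered as a DER .cer),
# a server certificate issued by CA A, and a trust list holding both CAs.
# Runs in a subshell so the cd does not leak into the caller.
demo() (
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found; demo skipped"; exit 0; }
    work=$(mktemp -d) && cd "$work" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Root CA A" \
        -keyout caA.key -out caA.pem 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Root CA B" \
        -keyout caB.key -out caB.pem 2>/dev/null
    openssl x509 -in caB.pem -outform der -out caB.cer      # Windows-style DER delivery
    openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example" \
        -keyout server.key -out server.csr 2>/dev/null
    openssl x509 -req -in server.csr -CA caA.pem -CAkey caA.key -CAcreateserial \
        -days 1 -out server.pem 2>/dev/null
    : > trustlist.pem
    add_to_bundle caA.pem trustlist.pem
    add_to_bundle caB.cer trustlist.pem
    echo "trust list holds $(count_pem_certs trustlist.pem) CA certificates:"
    describe_bundle trustlist.pem
    # The check that matters: the client's trust list validates the server certificate.
    openssl verify -CAfile trustlist.pem server.pem
    # A trust list holding only CA B does not: the issuer is unknown to it.
    openssl verify -CAfile caB.pem server.pem || echo "rejected as expected"
    cd / && rm -rf "$work"
)

demo
```

Run the script as a whole to see the demo, or source it and call add_to_bundle and describe_bundle on your own CA files. The awk split is what makes describe_bundle work on a concatenated file; running openssl x509 directly on the bundle would silently show only the first entry.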