Examples: Creating and Implementing Self-Signed Certificates for SPD Server

Overview

These examples use OpenSSL on the Linux platform to create self-signed server certificates for secure sockets communication between an SPD Server and an SPD Server SAS client. OpenSSL enables you to create self-signed server certificates for any UNIX or Windows configuration. This example does not describe OpenSSL. For information about OpenSSL, see https://www.openssl.org/docs/.
A self-signed server certificate includes three pieces: a Certificate of Authority (CA), a server certificate, and a server private key file. The CA is referred to as the client certificate. The CA enables the client to initiate secure sockets communication with the server. The server accepts the communication and uses SSL options to validate the client certificate. The server then uses SSL options to locate the server certificates. A CA can be used on any client on any host. The server certificate and key file are host-specific.
This example creates a single client certificate. Then it shows how to create self-signed server certificates for a UNIX SPD Server host and a Windows SPD Server host that are signed with the client certificate. Finally, it shows how to implement the client and server certificates in their respective host environments. The host-specific server certificates are created on the same Linux host as the client certificate.
The certificates in these examples are created for the following organization:
Company information:
Name: SSL Testing
Country: US
State: North Carolina
Locality: Cary
Organization: ABCD
Common Name: Bob Smith

Creating the Self-Signed Certificates

Client Certificate

Follow these steps to create the client certificate. To follow along, modify the information for your SPD Server installation. This client certificate can be used for both a Windows client and a UNIX client.
  1. On the Linux system, create working directory “myssl” to create your certificates. The working directory will contain the client and server certificates and enable you to modify the default openssl.cnf configuration file. Change your directory to your myssl working directory for all further work.
  2. Make the following OpenSSL subdirectories and the flat file database files to keep track of signed certificates:
    >mkdir certs  crl newcerts private
    >touch index.txt
    >echo 1000 > serial
    
  3. Locate where OpenSSL is installed on your computer. The location is /etc/pki/tls for this example:
    >openssl version -d
    OPENSSLDIR: "/etc/pki/tls"
    
  4. Copy the OpenSSL configuration file to your myssl working directory and modify the configuration file for your environment.
    > cp /etc/pki/tls/openssl.cnf .
    Edit the openssl.cnf file as follows:
    • Modify the line containing “Where everything is kept” to be the full path to your myssl working directory.
    • Modify the line containing “default_md = sha1” to “default_md = sha256”.
  5. You are now ready to create certificates in your myssl working directory. First, generate a private key for your Certificate of Authority. The name of the private key file for this example is “private/TestingCA.key.pem”.
    >openssl genrsa -aes256 -out private/TestingCA.key.pem 4096
    You will be prompted to enter and then verify a pass phrase. Enter a secret password and save it for later use.
    Enter pass phrase for private/TestingCA.key.pem:
  6. Next, execute the following command to create the client certificate with your private key file. The name of the client certificate is “certs/TestingCA.pem”. This will be the “root” CA.
    > openssl req -config openssl.cnf -key private/TestingCA.key.pem -new -x509 
    -days 7300 -sha256 -extensions v3_ca -out certs/TestingCA.pem
    You will be asked to enter the following information. Substitute information for your configuration. For the pass phrase, enter your secret password from step 5.
    Tip
    Continue to save this password. You will need it later.
    Enter pass phrase for private/TestingCA.key.pem: 
    Country Name (2 letter code) [XX]:US
    State or Province Name (full name) []:North Carolina
    Locality Name (eg, city) [Default City]:Cary
    Organization Name (eg, company) [Default Company Ltd]:SSL Testing
    Organizational Unit Name (eg, section) []:ABCD
    Common Name (eg, your name or your server's hostname) []:Bob Smith
    Email Address []: <cr>
    
    You have finished creating the client certificate. You should have the following client certificate in your myssl working directory:
    certs/TestingCA.pem  
    You can look at this “root” CA using the following command:
    > openssl x509 -noout -text -in certs/TestingCA.pem

Server Certificates for a UNIX SPD Server

After creating the client certificate, follow these steps to create a server certificate and server key file for a UNIX SPD Server.
Assume the following SPD Server installation:
Host name: laxbox.unx.sslt.com
  1. Using OpenSSL in the myssl working directory, submit a certificate request to generate a new key for the server certificate. Name the server key file “private/TestingServerLax.key.pem”. Name the request file “TestingServerLax.req”.
    >openssl req -config openssl.cnf -new -newkey rsa:1024 
    -keyout private/TestingServerLax.key.pem -out TestingServerLax.req -nodes
    You will be asked to enter the following information. Substitute information for your configuration.
    Country Name (2 letter code) [XX]:US
    State or Province Name (full name) []:North Carolina
    Locality Name (eg, city) [Default City]:Cary
    Organization Name (eg, company) [Default Company Ltd]:SSL Testing
    Organizational Unit Name (eg, section) []:ABCD
    Common Name (eg, your name or your server's hostname) []:laxbox.unx.sslt.com
    Email Address []: <cr>
    Please enter the following 'extra' attributes
    A challenge password []: <cr>
    An optional company name []:<cr>
    
  2. Create (sign) the new server certificate with the “root” CA and the certificate request.
    >openssl ca -config openssl.cnf -cert certs/TestingCA.pem 
    -keyfile private/TestingCA.key.pem -in TestingServerLax.req 
    -out certs/TestingServerLax.pem
    You will be asked to enter a pass phrase. Enter the secret password that you used to create your client certificate.
    Enter pass phrase for private/TestingCA.key.pem: 
    If everything is in order, you will be prompted as follows. Enter Y at each prompt to sign and commit the certificate.
    Sign the certificate? [y/n]:y                                
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
  3. Verify the server certificate as follows:
    > openssl verify -verbose -CAfile certs/TestingCA.pem certs/TestingServerLax.pem
You have finished creating the self-signed certificates. You should have the following server certificate and private server key file in your myssl working directory:
certs/TestingServerLax.pem 
private/TestingServerLax.key.pem
Note: Your server certificate can be used only if your server is running on laxbox.unx.sslt.com. You will need additional server certificates that use the same “root” CA for any other server hosts in your configuration. Repeat the steps above for any additional UNIX SPD Server hosts in your configuration.
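The client (root CA) and UNIX server certificate steps above, run as one non-interactive script with the same subject fields, followed by the checks to run before copying the files into place: the certificate chains to the root CA, its Common Name is the server host named in the Note, and it has at least 30 days of validity left. This is an added example, not part of the SAS documentation; it assumes openssl 1.1 or later on PATH, replaces the prompts with -subj, signs with `openssl x509 -req` instead of `openssl ca` so no openssl.cnf database is needed, and uses 2048-bit keys where the steps above use 1024.

```sh
#!/bin/sh
# Added example (not from the SAS documentation): the CA -> server certificate
# procedure above without prompts, plus the pre-deployment checks.
# Assumptions: openssl 1.1+ on PATH; directory names and host names are constructed.

make_demo_pki() {
  dir=$1; host=$2
  mkdir -p "$dir/certs" "$dir/private"
  # Steps 5-6: CA private key and self-signed "root" CA certificate in one call
  # (-subj replaces the prompts; -nodes leaves the demo key unencrypted).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 7300 \
    -keyout "$dir/private/TestingCA.key.pem" -out "$dir/certs/TestingCA.pem" \
    -subj "/C=US/ST=North Carolina/L=Cary/O=SSL Testing/OU=ABCD/CN=Bob Smith" \
    >/dev/null 2>&1
  # UNIX step 1: server key and certificate request; the CN is the server host name.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/private/TestingServerLax.key.pem" -out "$dir/TestingServerLax.req" \
    -subj "/C=US/ST=North Carolina/L=Cary/O=SSL Testing/OU=ABCD/CN=$host" \
    >/dev/null 2>&1
  # UNIX step 2: sign the request with the CA. 'x509 -req' stands in for
  # 'openssl ca' so no index.txt/serial database is needed for the demo.
  openssl x509 -req -in "$dir/TestingServerLax.req" -CA "$dir/certs/TestingCA.pem" \
    -CAkey "$dir/private/TestingCA.key.pem" -CAcreateserial -days 365 -sha256 \
    -out "$dir/certs/TestingServerLax.pem" >/dev/null 2>&1
}

# UNIX step 3, extended. Returns 0 only if the certificate chains to the CA,
# names the intended host (the Note's host-specific rule) and does not expire
# within 30 days (2592000 s). The non-zero code says which check failed.
check_server_cert() {
  ca=$1; cert=$2; host=$3
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "chain: FAIL ($cert is not signed by $ca)"; return 1; }
  openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match' \
    || { echo "hostname: FAIL ($host is not the certificate's CN)"; return 2; }
  openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1 \
    || { echo "validity: FAIL (expires within 30 days)"; return 3; }
  echo "OK: $cert chains to $ca and is valid for $host"
}

# Stand-alone run on a throwaway directory: OK for the real host, code 2 for another.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir" laxbox.unx.sslt.com
check_server_cert "$demo_dir/certs/TestingCA.pem" "$demo_dir/certs/TestingServerLax.pem" laxbox.unx.sslt.com
check_server_cert "$demo_dir/certs/TestingCA.pem" "$demo_dir/certs/TestingServerLax.pem" otherbox.unx.sslt.com || true
```

Run `check_server_cert` against your real certs/TestingCA.pem, certs/TestingServerLax.pem and the SPD Server host name before editing spdsserv.parm; a code 2 means the certificate was issued for a different host and must be regenerated.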

Server Certificates for a Windows SPD Server

The process for creating self-signed certificates for Windows is the same as it is for UNIX with one difference. Unlike a server certificate for UNIX, a server certificate for Windows must contain the server certificate and server private key file in the same file. This file is called a PKCS#12 file. The file extension for PKCS#12 files is .p12 or .pfx. You can use OpenSSL to convert a UNIX server certificate and key file into a PKCS#12 file.
Follow these steps to create the self-signed server certificates for the Windows SPD Server.
Assume the following SPD Server installation:
Host name: winbox.win.sslt.com
  1. Using OpenSSL in the myssl working directory, submit a certificate request to generate a new key for the Windows server certificate. Name the server key file “private/TestingServerWin.key.pem”. Name the request file “TestingServerWin.req”.
    >openssl req -config openssl.cnf -new -newkey rsa:1024 
    -keyout private/TestingServerWin.key.pem -out TestingServerWin.req -nodes
    You will be asked to enter the following information. Substitute information for your configuration.
    Country Name (2 letter code) [XX]:US
    State or Province Name (full name) []:North Carolina
    Locality Name (eg, city) [Default City]:Cary
    Organization Name (eg, company) [Default Company Ltd]:SSL Testing
    Organizational Unit Name (eg, section) []:ABCD
    Common Name (eg, your name or your server's hostname) []:winbox.win.sslt.com
    Email Address []: <cr>
    Please enter the following 'extra' attributes
    A challenge password []: <cr>
    An optional company name []:<cr>
    
  2. Create (sign) the new server certificate with the “root” CA and the certificate request.
    >openssl ca -config openssl.cnf -cert certs/TestingCA.pem 
    -keyfile private/TestingCA.key.pem -in TestingServerWin.req 
    -out certs/TestingServerWin.pem
    You will be asked to enter a pass phrase. Enter the secret password that you used to create your client certificate.
    Enter pass phrase for private/TestingCA.key.pem: 
    If everything is in order, you will be prompted as follows. Enter Y at each prompt to sign and commit the certificate.
    Sign the certificate? [y/n]:y                                
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
  3. Verify the server certificate as follows:
    > openssl verify -verbose -CAfile certs/TestingCA.pem certs/TestingServerWin.pem
Note: Your server certificate can only be used if your server is running on winbox.win.sslt.com. You will need additional server certificates that use the same “root” CA for any other server hosts in your configuration. Repeat the steps above for any additional Windows server hosts in your configuration.
Use the following OpenSSL command to create a .p12 file that contains the Windows server certificate and key file. The command creates a .p12 file named “mywin.p12”.
>openssl pkcs12 -export -in certs/TestingServerWin.pem
-inkey private/TestingServerWin.key.pem -out mywin.p12
You will be asked to enter and verify an export password as follows. Enter any secret password and save it for later use.
Enter Export Password:

Configuring Your UNIX SPD Server and Client to Use the Self-Signed Server Certificates

Configuring a UNIX Server Certificate

To configure a UNIX SPD Server to use your self-signed certificates, set the following TLS options in the spdsserv.parm server parameter file:
SSLSECURE="YES";
SSLCALISTLOC="<full-path-to-myssl>/certs/TestingCA.pem";
SSLCERTLOC="<full-path-to-myssl>/certs/TestingServerLax.pem";
SSLPVTKEYLOC="<full-path-to-myssl>/private/TestingServerLax.key.pem";
SSLSECURE=YES instructs the server to accept secure connections only. SSLCALISTLOC= specifies the path to the client certificate. SSLCERTLOC= specifies the path to the server certificate. SSLPVTKEYLOC= specifies the path to the server's private key file.

Configuring a UNIX Client Certificate

To configure an SPD Server SAS client that runs on UNIX to make a secure connection, set the following options in the SAS session. Set the options before you assign an SASSPDS LIBNAME statement:
options set=SSLCALISTLOC="<full-path-to-myssl>/certs/TestingCA.pem";
%let SPDSRSSL=YES;
The SSLCALISTLOC= system option specifies the path to the client certificate. The SPDSRSSL= macro variable requests that a secure connection be made.

Configuring Your Windows SPD Server and Client to Use the Self-Signed Server Certificates

Windows servers and clients use the Windows Certificate Store to locate the server and client certificates.

Configuring a Windows Server Certificate

This example uses the Microsoft Management Console (MMC) on a Windows 10 computer to register the server certificate.
  1. Copy the mywin.p12 file to a location that is accessible to your Windows SPD Server.
  2. Add the mywin.p12 file to the Certificate Store as a private certificate as follows:
    1. Run “mmc.exe” to open the console.
    2. Select File, then select Add/Remove Snap-in.
    3. Under Available snap-ins, highlight Certificates, and click Add.
    4. Select Computer account. Click Next.
    5. Select Local computer. Click Finish.
    6. In the Add or Remove Snap-ins window, click OK.
    7. In the Console window, select Certificates (Local Computer) in the Console Root panel.
    8. Under Logical Store Name, right-click Personal, then select All Tasks, then select Import.
    9. In the Certificate Import wizard, click Next.
    10. In the File to Import window, enter the full path to your mywin.p12 file in File Name. Or click Browse to locate the file. Then, click Next.
    11. You will be prompted for a password. Enter your export password. Check Include all extended properties. Then, click Next.
    12. In the Certificate Store, the following options should be highlighted:
      • Place all certificates in the following store
      • certificate store: Personal
      Click Next.
    13. Verify the information in Completing the Certificate Import Wizard Settings. Click Finish.
    14. A dialog box titled “The import was successful” indicates that you have successfully added the server PKCS#12 file. Click OK.
    15. Double-click first Personal, then Certificates under Logical Store Name to see your certificate. The name should be “winbox.win.sslt.com”.
    16. Close the console. You do not have to select Save the console settings. You have finished adding your server certificate to the Certificate Store.
To configure your Windows SPD Server to use the server certificate, set the following TLS options in the spdsserv.parm server parameter file:
SSLSECURE="YES";
SSLCERTSUBJ="winbox.win.sslt.com";
SSLSECURE=YES instructs the server to accept secure connections only. SSLCERTSUBJ= is set to the name of your personal server certificate (winbox.win.sslt.com).

Configuring a Windows Client Certificate

Follow these steps to add the client certificate to the Certificate Store.
  1. Copy your certs/TestingCA.pem file to a location that is accessible to your Windows client computer.
  2. Add the client certificate to your Trusted Root Certificate Authorities using the MMC as follows:
    1. Run “mmc.exe” on your PC to open the console.
    2. Select File, then select Add/Remove Snap-in.
    3. Under Available snap-ins, highlight Certificates. Then, click Add.
    4. Select Computer account. Click Next.
    5. Select Local computer. Click Finish.
    6. In the Add or Remove Snap-ins window, click OK.
    7. Back on the Console window, select Certificates (Local Computer) in the Console Root panel.
    8. Under Logical Store Name, double-click Trusted Root Certification Authorities.
    9. Under Object Type, right-click Certificates, then select All Tasks, then select Import.
    10. In the Certificate Import wizard, click Next.
    11. In the File to Import window, enter the full path to where you copied TestingCA.pem in File Name. Or, click Browse to locate the file. Then, click Next.
    12. In the Certificate Store, the following options should be highlighted:
      • Place all certificates in the following store
      • certificate store: Trusted Root Certification Authorities
      Click Next.
    13. Verify the information in Completing the Certificate Import Wizard Settings. Click Finish.
    14. A dialog box titled The import was successful indicates that you have successfully added the client certificate. Click OK.
    15. Double-click first Trusted Root Certification Authorities, and then Certificates under Logical Store Name to see your certificate. The name should be the common name of the certificate specified in Step 6 when you created your certificate.
    16. Close the console. You do not have to select Save the console settings. You have finished adding the self-signed client certificate to the Certificate Store.
To configure the SAS session on a Windows computer to make a secure connection to SPD Server, set the SPDSRSSL macro variable. Set the macro variable before you assign an SASSPDS LIBNAME statement.
%let SPDSRSSL=YES;
Last updated: February 3, 2017