# Specify key name used for file names
ca_key_name=root-ca

# Create Private Key
openssl ecparam -genkey -name secp384r1 -out ${ca_key_name}.key

# Create Certificate Signing Request
openssl req -new -sha512 -nodes \
    -key ${ca_key_name}.key \
    -out ${ca_key_name}.csr \
    -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=${ca_key_name}"

• Users should adjust the ca_key_name environment variable specifying a value that matches the purpose such as root-ca for a Root CA Certificate.
• Private Key
  • Choice of algorithm such as secp256k1, secp384r1 depends on support by the Java version used with JS7.
• Certificare Signing Request
  • The hash algorithm such as -sha256, -sha512 can be freely chosen.
  • The -subj option specifies the Distinguished Name used for the subject of the CSR and resulting Certificate.
    • The Distinguished Name is a unique identifier frequently using the hierarchy of Country C, State ST, Location L, Organization O, Organizational Unit OU and Common Name CN.
    • For the Private Root CA Certificate the subject and issuer properties of the CSR/Certificate are the same. The minimum requirement is to specify the Common Name CN=<name> where <name> can freely be chosen.
    • For Private CA-signed Certificates the subject property holds the Certificate's Distinguished Name and the issuer property holds the Private CA Certificate's Distinguished Name using different values.
• The following files will be created with this step:
  • The root-ca.key file will hold the Private Key.
  • The root-ca.csr file will hold the Certificate Signing Request.

• The SHA option such as -sha256, -sha384, -sha512 can be freely chosen.
• The -days option specifies the validity period of the CA Certificate that should be longer than the validity period of individual certificates signed by the CA later on.
• The -signkey option specifies the location of the Private Key file created from the previous step.
• The -in option specifies the location of the Certificate Signing Request file created from the previous step.
• The -out option specifies the location of the resulting Certificate file.
• The -extfile option specifies the Basic Constraint CA:TRUE which is required for a CA Certificate. Key Usage is limited to signing certificates.
• The following files will be created with this step:
  • The root-ca.crt file will hold the CA Certificate.

# Specify key name used for file names
server_name=myhost

# Create Private Key
openssl ecparam -genkey -name secp384r1 -out ${server_name}.key

# Create Certificate Signing Request
openssl req -new -sha512 -nodes \
    -key ${server_name}.key \
    -out ${server_name}.csr \
    -subj "/C=DE/ST=Berlin/L=Berlin/O=SOS/OU=IT/CN=${server_name}" 

# Specify server for which the certificate should be created
server_name=myhost

# Create and sign Server Certificate
openssl x509 -req -sha512 -days 3652 \
    -in ${server_name}.csr \
    -CA root-ca.crt \
    -CAkey root-ca.key \
    -CAcreateserial \
    -out ${server_name}.crt \
    -extfile <(printf 'subjectAltName=DNS:%s\nkeyUsage=critical,keyEncipherment,digitalSignature\nextendedKeyUsage=serverAuth,clientAuth\n' "${server_name}")

• The following files will be created for the given server:
  • myhost.crt: the Server Certificate
• For operation with JS7 JOC Cockpit, Controller and Agents users can add
  • the Private Key and Server Certificate to a keystore.
  • the Root CA Certificate to a truststore.
  • For details see JS7 - How to add SSL TLS Certificates to Keystore and Truststore