OpenVMS Source-Code Demos

create_certs_alt.com

$!===============================================================================================================================
$! title  : MYSQL055_ROOT:[certs]CREATE_CERTS_ALT.COM
$! author : Neil Rieck
$! created: 2018-05-07
$! notes  :
$! 1) certificate authority (CA) routines should never be run more than once
$! 2) if you run CA routines now then the resulting ca-cert.pem will need to be redistributed to end clients
$! 3) The newest rules for OpenSSL-1.0 and up require a different CN between CA-certs and server-certs
$! 4) OpenVMS usually creates text files with "Record attributes: Carriage return carriage control" but new
$!    fangled internet files should be converted to Stream_LF
$! 5) here, the PIPE command is only used to properly process the ">" character in the OpenSSL command line
$! 6) on newer OpenVMS systems you may find two OpenSSL environments
$!===============================================================================================================================
$ say :== write sys$output						! VMS only
$ ask :== inquire/nopunct						! VMS only
$ say "-i-script: ",f$environment("PROCEDURE")				! VMS only
$ myterm = f$trnlnm("SYS$COMMAND")					! VMS only
$ set proc/parse_style=extended						! VMS only
$ fdl = "File; Organization Sequential; Record; Format Stream_LF"	! VMS only
$ on error then goto OOPS						! VMS only
$ if f$search("ssl1$exe:openssl.exe") .nes. ""				! VMS only
$  then									! VMS only
$    openssl := $ssl1$exe:openssl					! VMS only
$  else									! VMS only
$    openssl := $ssl$exe:openssl					! VMS only
$ endif									! VMS only
$!===============================================================================================================================
$ openssl version							!
$!
$ say "----------------------------------------------------------------"
$ say "CAVEATS:
$ say "1) certificate authority (CA) routine must only be run once"
$ say "2) if you run CA routines now then ca-cert.pem will need to be"
$ say "   redistributed to remote clients"
$ say "3) Newest rules for OpenSSL-1.0 and up require a different CN"
$ say "   for ca-cert.pem and server-cert.pem so type carefully"
$ say "----------------------------------------------------------------"
$ say "recommendation: you should now type: Y"
$ ask choice "skip CA routines? (N/Y, default=Y) "
$ choice = f$edit(choice,"UPCASE")
$ if (choice.nes."N") then goto skip_ca
$!==================================================
$!	CA (certificate authority) routines
$!==================================================
$ say "================================================"
$ say "-i-executing CA (certificate authority) routines"
$ say "================================================"
$!
$!	create a "certificate authority key"
$!
$ define/user sys$input 'myterm'			! vms only
$ pipe openssl genrsa 2048 > ca-key.pem
$ convert/fdl="''fdl'" ca-key.pem [];			! vms only
$!
$!	create a "certificate authority cert"
$!
$ define/user sys$input 'myterm'			! vms only
$ pipe openssl req -new -x509 -nodes -days 3600 -key ca-key.pem > ca-cert.pem
$ convert/fdl="''fdl'" ca-cert.pem [];			! vms only
$!
$skip_ca:
$!==================================================
$!	standard certificate routines
$!==================================================
$ say "============================"
$ say "-i-executing server routines"
$ say "============================"
$!
$!	create "server key" and "server cert request"
$!
$ define/user sys$input 'myterm'			! vms only
$ pipe openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem 'extra' > server-req.pem
$ convert/fdl="''fdl'" server-req.pem [];
$!
$!	use "certificate authority cert" to sign the "server cert request"
$!
$ pipe openssl x509 -req -in server-req.pem -days 3600 -"CA" ca-cert.pem -"CAkey" ca-key.pem -set_serial 01 > server-cert.pem
$ convert/fdl="''fdl'" server-cert.pem [];
$!
$!	adios
$!
$ say "======="
$ say "-i-done"
$ say "======="
$ ask choice "cleanup this directory? (N/Y, default=N) "
$ choice = f$edit(choice,"UPCASE")
$ if (choice.nes."Y") then goto skip_cleanup
$	Purge/NoLog/noconf *.pem			! remove older versions
$	Rename/NoLog/noconf *.pem ;1			! rename current versions to "1"
$skip_cleanup:
$ goto fini
$OOPS:
$    write sys$output "hit OOPS (not good)"
$fini:
$    exit

left hand Back to OpenVMS
left hand Back to OpenVMS Demo Index
home Back to Home
Neil Rieck
Kitchener - Waterloo - Cambridge, Ontario, Canada.