Converts a server certificate request to a certificate signed by a CA (certificate authority).
The utility is located in:
(UNIX) $SYBASE/$SYBASE_OCS/bin
(Windows) %SYBASE%\%SYBASE_OCS%\bin, as certauth.exe
certauth [-r] [-C caCert_file] [-Q request_filename] [-K caKey_filename] [-N serial_number] [-O SignedCert_filename] [-P caPassword] [-s start_time] [-T valid_time]
Or
certauth -v
-r: when specified, creates a self-signed root certificate for the test environment.
-C caCert_file: specifies the name of the CA’s certificate request file when -r is specified, or specifies the name of the CA’s root certificate.
-Q request_filename: specifies the name of the certificate request file.
-K caKey_filename: specifies the name of the CA’s private key.
-N serial_number: specifies the serial number in the signed certificate. If -N is not specified, certauth generates a pseudo-random serial number.
The maximum length of the serial number in the -N option is 20 hexadecimal characters. If the specified serial number is longer, certauth truncates the serial number to the maximum length.
-O SignedCert_filename: specifies the name to use for the output when creating a signed certificate file. If -r is specified, SignedCert_filename is the self-signed root certificate. If the -r option is not used, SignedCert_filename is the certificate signed by the caCert_file.
-P caPassword: specifies the CA’s password that is used to decrypt its private key.
-s start_time: specifies the start of the valid time range, measured in days from the current time. The default is the current time.
-T valid_time: specifies the length of the valid time range for a signed certificate. The valid time range is in units of days.
-v: prints the version number and copyright message of the certauth tool, then exits.
Example 1: Converts the CA’s certificate request (ca_req.txt) to a certificate, using the private key (ca_pkey.txt). The private key is protected using the password “password”. This example sets the valid time range to 365 days, self-signs the certificate, and outputs it as a root certificate (trusted.txt):
certauth -r -C ca_req.txt -Q ca_req.txt -K ca_pkey.txt -P password -T 365 -O trusted.txt
The utility returns this message:
-- Sybase Test Certificate Authority --
Certificate Validity:
startDate = Tue Sep 5 10:34:43 2000
endDate = Wed Sep 5 10:34:43 2001
CA sign certificate SUCCEED (0)
You need to create a trusted root certificate for the test CA only once, after which you can use it to sign many server certificates in your test environment.
Example 2: Converts a server certificate request (srv5_req.txt) to a certificate, and sets the valid time range to 180 days. It signs the certificate with a CA’s certificate and private key (trusted.txt and ca_pkey.txt), uses password protection, and outputs the signed certificate as sybase_srv5.crt:
certauth -C trusted.txt -Q srv5_req.txt -K ca_pkey.txt -P password -T 180 -O sybase_srv5.crt
The utility returns this message:
-- Sybase Test Certificate Authority --
Certificate Validity:
startDate = Tue Sep 5 10:38:32 2000
endDate = Sun Mar 4 09:38:32 2001
CA sign certificate SUCCEED (0)
If you do not set a valid time, the default is 365 days.
This is a sample certificate. See the certauth Usage section for additional steps to take to create a server certificate that the server can use.
Running certauth requires that you place the entry for $SYBASE/$SYBASE_OCS/lib3p before the entry for $SYBASE/$SYBASE_OCS/libp364 in the dynamic library search path.
Adaptive Server includes the openssl open source utility in $SYBASE/$SYBASE_OCS/bin (%SYBASE%\%SYBASE_OCS%\bin in Windows). Use openssl to accomplish all certificate management tasks implemented by certreq, certauth and certpk12. Sybase includes this binary as a convenience, and is not responsible for any issues incurred using the binary. See the OpenSSL Web site for details.
To create a server certificate file that Adaptive Server understands, append the certificate requestor’s private key to the end of the signed certificate file. Using example 2 above, you would cut and paste srv5_pkey.txt to the end of the signed certificate file, sybase_srv5.crt.
To create a trusted roots file that the server can load upon start-up:
1. Rename trusted.txt to sybase_srv5.txt, where sybase_srv5.txt is the common name of the server.
2. Copy the sybase_srv5.txt file into the Adaptive Server installation directory; for example, $SYBASE/$SYBASE_ASE/certificates.
The options -s and -T together specify the time range for the certificate.
Use the file, which is required for an SSL-based session, to start the SSL-enabled Adaptive Server.
After the CA’s root certificate is created, use it to sign multiple server certificates.
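The page states that openssl can perform the tasks of certreq and certauth. The following script is an added example, not Sybase's own code: it reproduces Examples 1 and 2 with openssl and then carries out the two Usage procedures (appending the server key and installing the trusted roots file). The function names, subject names, RSA-2048 keys and the CA_PASS / SRV_PASS environment variables are assumptions; passphrases are read from the environment so they do not appear on the command line.

```shell
#!/bin/sh
# Added example: openssl stand-ins for certreq/certauth (Examples 1 and 2) and
# the Usage steps. File names follow the page; the subject names, RSA-2048 and
# the CA_PASS / SRV_PASS environment variables are assumptions.

# Example 1 equivalent: CA request + key, then self-sign it for 365 days.
make_test_ca() (
    d=$1; umask 077                      # key files must not be world-readable
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca_ext.cnf"
    openssl req -new -newkey rsa:2048 -subj "/CN=sybase_test_ca" \
        -keyout "$d/ca_pkey.txt" -passout env:CA_PASS \
        -out "$d/ca_req.txt" 2>/dev/null &&
    openssl x509 -req -in "$d/ca_req.txt" -signkey "$d/ca_pkey.txt" \
        -passin env:CA_PASS -extfile "$d/ca_ext.cnf" -days 365 \
        -out "$d/trusted.txt" 2>/dev/null
)

# Example 2 equivalent: sign the server request for 180 days. The serial is
# 20 random hex digits, the longest value certauth -N accepts. The function
# fails unless the new certificate verifies against the test root.
sign_server() (
    d=$1; umask 077
    openssl req -new -newkey rsa:2048 -subj "/CN=sybase_srv5" \
        -keyout "$d/srv5_pkey.txt" -passout env:SRV_PASS \
        -out "$d/srv5_req.txt" 2>/dev/null &&
    openssl x509 -req -in "$d/srv5_req.txt" -CA "$d/trusted.txt" \
        -CAkey "$d/ca_pkey.txt" -passin env:CA_PASS \
        -set_serial "0x$(openssl rand -hex 10)" -days 180 \
        -out "$d/sybase_srv5.crt" 2>/dev/null &&
    openssl verify -CAfile "$d/trusted.txt" "$d/sybase_srv5.crt" >/dev/null
)

# Usage steps: append the server's private key to its signed certificate, and
# copy the root into the certificates directory as <common name>.txt.
install_files() (
    d=$1; certdir=$2
    chmod 600 "$d/sybase_srv5.crt" &&    # this file is about to hold a key
    cat "$d/srv5_pkey.txt" >> "$d/sybase_srv5.crt" &&
    cp "$d/trusted.txt" "$certdir/sybase_srv5.txt"
)
```

Export CA_PASS and SRV_PASS, then call make_test_ca DIR, sign_server DIR and install_files DIR CERTDIR in that order.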