PMDF System Manager's Guide



15.2.1 Certificate Setup

Note

See the Glossary for definitions of unfamiliar terms.

PMDF-TLS requires a TLS server certificate in order to accept TLS connections. The server presents this certificate to the client during the TLS handshake; the client uses it to authenticate the server and, together with the server's proof of possession of the matching private key, to establish the session keys that encrypt the connection. The certificate itself carries only the server's public key and identity. The private key is never sent to the client; it stays on the server, and anyone who obtains it can impersonate the server, so protect the key file accordingly.

Certificates can be requested from a commercial Certificate Authority such as Thawte Consulting or Verisign, Inc., or obtained free of charge from Let's Encrypt.

It is possible to use a self-signed certificate, but clients will not trust one unless it has been explicitly installed in their trust store, and most clients and servers reject untrusted certificates by default, so self-signed certificates are not covered here. If you do want to create one, the openssl utility on an OpenVMS or Linux system can be used to generate it.

15.2.1.1 Getting a Certificate Authority to Sign Your Certificate

Once you have your certificate signing request (CSR) completed, you need to have it signed by the Certificate Authority of your choice. Some sites may choose to have their requests signed by an in-house Authority, but many will go to an independent Certificate Authority, such as Thawte Consulting (http://www.thawte.com/) or Verisign, Inc. (http://www.verisign.com/). Only the request is sent to the Authority; the private key generated alongside it stays on your system.

Both of these Authorities provide complete information on what is needed to complete your certificate request. For PMDF usage, tell the signing Authority that you want a "web server" or "server" type of certificate, that is, one issued for server authentication; a mail server uses the same kind of certificate as a web server. Make sure the name in the request is the host name that clients will connect to.

When you have finished the process of getting a signed certificate from a Certificate Authority, you will have a new file in PEM format that starts with

-----BEGIN CERTIFICATE-----

Place this signed certificate file on your system as server-pub.pem in the PMDF table directory.

15.2.1.2 Chained Certificates

PMDF supports chained TLS certificates. In order to use these, concatenate all of the certificates into the server-pub.pem file in the PMDF table directory. The local server certificate must be first, followed by one or more intermediate certificates in order (each certificate followed by the certificate that issued it), and finally the root certificate. Make sure all of the separators (i.e. "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----") remain intact: a truncated separator or a certificate out of order causes clients to see an incomplete chain and reject the connection. Clients already hold the root in their own trust store, so sending it is redundant but harmless; the intermediate certificates, on the other hand, are essential, because a client that does not receive them cannot build a path from your server certificate to a trusted root.
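The whole procedure of 15.2.1.1 and 15.2.1.2 can be walked through offline with the openssl utility. The following script is an added example, not code from the PMDF documentation or from PMDF itself: it creates a private key and CSR, plays the part of an in-house Authority (a throwaway self-signed root plus an intermediate) to sign the request, assembles server-pub.pem in the order PMDF expects, and then checks that file the way a practitioner should before installing it: separators intact, the server certificate first and naming the host, every certificate followed by its issuer, and the full chain validating against the last certificate as the only trust anchor. The host name mail.example.com, the private key file name server-priv.pem and the scratch directory standing in for the PMDF table directory are assumptions for illustration only.

```shell
#!/bin/sh
# Added example, not PMDF code. Assumed for illustration only: host name
# mail.example.com, key file name server-priv.pem, and a scratch directory
# standing in for the PMDF table directory.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl command-line tool required" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"
HOST="mail.example.com"

# Self-contained req config so the result does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_int ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
authorityKeyIdentifier = keyid
EOF

# 15.2.1.1, site side: the private key stays here, only the CSR goes to the CA.
make_server_csr() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -keyout "$WORK/server-priv.pem" -out "$WORK/server.csr" -subj "/CN=$HOST" 2>/dev/null
}

# Stand-in for the Authority: a self-signed root and an intermediate signed by it.
make_toy_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$WORK/req.cnf" \
        -extensions v3_ca -keyout "$WORK/root-key.pem" -out "$WORK/root.pem" \
        -subj "/CN=Toy Root CA" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -keyout "$WORK/int-key.pem" -out "$WORK/int.csr" -subj "/CN=Toy Intermediate CA" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root-key.pem" \
        -CAcreateserial -extfile "$WORK/req.cnf" -extensions v3_int -out "$WORK/int.pem" 2>/dev/null
}

# 15.2.1.1, Authority side: the signed "server" certificate that comes back to the site.
sign_server_csr() {
    openssl x509 -req -days 30 -in "$WORK/server.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int-key.pem" \
        -CAcreateserial -extfile "$WORK/req.cnf" -extensions v3_server -out "$WORK/server.pem" 2>/dev/null
}

# 15.2.1.2: server certificate first, then the intermediate(s), root last.
assemble_server_pub() {
    cat "$WORK/server.pem" "$WORK/int.pem" "$WORK/root.pem" > "$WORK/server-pub.pem"
}

count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# Print the n-th PEM certificate block of a bundle ($1 = file, $2 = n).
nth_cert() {
    awk -v n="$2" '/^-----BEGIN CERTIFICATE-----$/ {c++} c==n {print}
                   /^-----END CERTIFICATE-----$/ {if (c==n) exit}' "$1"
}

# The checks 15.2.1.2 implies: separators intact, leaf first and naming the host,
# each certificate followed by its issuer, and a chain that validates with the
# last certificate as the only trust anchor. Returns non-zero on any failure.
check_chain_order() {
    bundle="$1"; n=$(count_certs "$bundle")
    ends=$(grep -c -- '-----END CERTIFICATE-----' "$bundle" || true)
    [ "$n" -ge 1 ] && [ "$n" -eq "$ends" ] || { echo "damaged PEM separators in $bundle" >&2; return 1; }
    nth_cert "$bundle" 1 | openssl x509 -noout -checkhost "$HOST" 2>/dev/null | grep -q 'does match' \
        || { echo "first certificate in $bundle is not the server certificate for $HOST" >&2; return 1; }
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(nth_cert "$bundle" "$i" | openssl x509 -noout -issuer)
        subject=$(nth_cert "$bundle" $((i + 1)) | openssl x509 -noout -subject)
        [ "${issuer#issuer=}" = "${subject#subject=}" ] \
            || { echo "certificate $i in $bundle is not followed by its issuer" >&2; return 1; }
        i=$((i + 1))
    done
    nth_cert "$bundle" 1 > "$WORK/leaf.pem"; nth_cert "$bundle" "$n" > "$WORK/anchor.pem"
    : > "$WORK/untrusted.pem"; i=2
    while [ "$i" -lt "$n" ]; do nth_cert "$bundle" "$i" >> "$WORK/untrusted.pem"; i=$((i + 1)); done
    set -- "$WORK/leaf.pem"
    if [ "$n" -gt 2 ]; then set -- -untrusted "$WORK/untrusted.pem" "$@"; fi
    openssl verify -CAfile "$WORK/anchor.pem" "$@" 2>/dev/null | grep -q ': OK$' \
        || { echo "chain in $bundle does not validate" >&2; return 1; }
}

make_server_csr; make_toy_ca; sign_server_csr; assemble_server_pub
check_chain_order "$WORK/server-pub.pem"
echo "$WORK/server-pub.pem: $(count_certs "$WORK/server-pub.pem") certificates, order and chain verified"
```

Against a real server-pub.pem, run only check_chain_order on the file in the PMDF table directory (with HOST set to your mail host); the same checks catch the two mistakes the text warns about, a certificate out of order and a damaged separator, before a client ever sees them.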

