Creating Certificates

You can use tools such as OpenSSL to create certificates and to generate the RSA private and public keys used for signing and signature verification.

When creating keys, consider the encryption strength (key size) you want to use. The key is used at runtime to secure the whole conversation, and there is a tradeoff between performance and the strength of the encryption. For example, a 2048-bit key is more secure, but a shorter key can improve performance.

When creating certificates, you can choose how strictly the certificate must match the peer. For example, you can make peer name verification less likely to fail by providing more possible matches for the machine or domain name:

  • Specify subject alternative names (SANs), which are checked in addition to (or instead of) the common name.
  • Use wildcards in the common name and the alternative names.

    For example, *.mycompany.com is valid for all hosts in the domain, such as sales.mycompany.com and hr.mycompany.com.
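The following script is an added example, not part of the Uniface documentation or its shipped tooling. It carries out the steps described above with OpenSSL: it generates a 2048-bit RSA private key, writes a request configuration with subject alternative names (one fixed host and one wildcard), issues a self-signed certificate from it, and then uses OpenSSL's own peer-name check to show which host names the certificate matches. The domain mycompany.com, the organisation name and the temporary working directory are constructed values.

```shell
#!/bin/sh
# Added example (not from the original page): RSA key + self-signed certificate
# with subject alternative names, then host name matching checks.
# All names (mycompany.com, "My Company", the work directory) are constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Write an OpenSSL request configuration. The SAN list gives the certificate
# several acceptable names: one exact host and one wildcard for the domain.
write_config() {
  cat > "$WORK/san.cnf" <<'EOF'
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = dn
x509_extensions    = v3_req

[ dn ]
CN = www.mycompany.com
O  = My Company

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = www.mycompany.com
DNS.2 = *.mycompany.com
EOF
}

# Generate the 2048-bit RSA private key and a self-signed certificate
# carrying the extensions from the [ v3_req ] section.
make_cert() {
  write_config
  openssl genrsa -out "$WORK/key.pem" 2048 2>/dev/null
  openssl req -new -x509 -sha256 -days 365 \
    -key "$WORK/key.pem" -config "$WORK/san.cnf" -out "$WORK/cert.pem"
}

# Print the key size in bits (e.g. 2048) as OpenSSL reports it.
key_bits() {
  openssl rsa -in "$WORK/key.pem" -noout -text 2>/dev/null \
    | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Print the certificate's subjectAltName entries with whitespace removed.
cert_sans() {
  openssl x509 -in "$WORK/cert.pem" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' '
}

# Exit 0 when OpenSSL's peer-name verification accepts host name $1.
# The self-signed certificate is used as its own trust anchor (-CAfile),
# so only the name match is under test here.
check_host() {
  openssl verify -CAfile "$WORK/cert.pem" -verify_hostname "$1" \
    "$WORK/cert.pem" >/dev/null 2>&1
}

# Print "match" or "mismatch" for a host name (a value scripts can compare).
host_result() {
  if check_host "$1"; then echo match; else echo mismatch; fi
}

main() {
  make_cert
  echo "key size: $(key_bits) bits"
  echo "SANs:     $(cert_sans)"
  for h in www.mycompany.com sales.mycompany.com hr.mycompany.com \
           mycompany.com deep.sales.mycompany.com www.other.com; do
    printf '%-26s %s\n' "$h" "$(host_result "$h")"
  done
}

main
```

Running the script shows the behaviour a practitioner should expect from the wildcard: *.mycompany.com matches sales.mycompany.com and hr.mycompany.com, but OpenSSL does not let it match the bare domain mycompany.com or a name with an extra label such as deep.sales.mycompany.com, because a wildcard covers exactly one label. Names outside the domain, like www.other.com, are rejected as well.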

OpenSSL and Other Tools

In the instructions that follow, we use OpenSSL to generate keys and certificates, but it is possible to use other tools as well. For example, websites such as http://www.selfsignedcertificate.com can also generate self-signed certificates. The basic steps remain the same, although the actual commands may differ.

Note: On Windows, Uniface provides the OpenSSL executable in the \common\bin folder of the Uniface installation. On Linux, it is usually pre-installed. Alternatively, you can obtain it from one of the sites suggested by the OpenSSL Wiki (https://wiki.openssl.org/index.php/Binaries). For more information, consult the OpenSSL documentation (http://www.openssl.org/).