Nonstop Volume Level Encryption Guide
Create signed NSSuser client certificate with a PC
If you have a PC that has OpenSSL installed, with access to a NonStop TACL session and the Key
Manager’s Web Browser interface, you can use it to create the NSSuser private key, NSSuser
signed certificate, and NSSuser passphrase files for NonStop. The examples that follow were
created using this version of OpenSSL:
c:\>openssl version
OpenSSL 0.9.8j 07 Jan 2009
c:\>
a. Create an empty temporary directory on the PC:
C:\> mkdir zencrypt
and change the directory to that empty temporary directory:
C:\>cd zencrypt
b. Use OpenSSL to create an NSSuser private key and an NSSuser client certificate request. You
will be prompted to enter a passphrase. Choose a strong passphrase to protect the private
key. You can fill in the other information any way you see fit. However, the Common Name
must be NSSuser.
C:\zencrypt>openssl req -newkey rsa:2048 -keyout client.key -out client.csr
The system responds, prompting you to enter various fields. User responses are shown in bold:
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
.......................................+++
...............+++
writing new private key to 'client.key'
Enter PEM pass phrase:passphrase
Verifying - Enter PEM pass phrase:passphrase
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:CA
Locality Name (eg, city) []:Cupertino
Organization Name (eg, company) [Internet Widgits Pty Ltd]:HP
Organizational Unit Name (eg, section) []:NonStop
Common Name (eg, YOUR name) []:NSSuser
Email Address []:MyEmail.Id@hp.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.
C:\zencrypt>
c. Use OpenSSL to convert the NSSuser private key into a PEM formatted private key. You will
be prompted to enter the passphrase that you used to create the private key:
C:\zencrypt>openssl rsa -in client.key -text -out client.key.pem
Enter pass phrase for client.key:passphrase
writing RSA key
d. Use OpenSSL to convert the PEM formatted NSSuser private key into a DER formatted private
key. You will be prompted to enter the passphrase that you used to create the private key:
C:\zencrypt>openssl pkcs8 -topk8 -in client.key.pem -outform DER -out client.key.der
Enter Encryption Password:passphrase
Verifying - Enter Encryption Password:passphrase
Loading 'screen' into random state - done
c:\zencrypt>
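Added example, not part of the original guide: a small Python check that classifies the key files left in the temporary directory after steps b through d as passphrase-protected or not, so you know which ones hold the private key in the clear (openssl rsa without a cipher option writes its output unencrypted). The SAMPLES byte strings are constructed stand-ins shaped like those files, not real keys, and the function names are this example's own.

```python
import re

# Matches any PEM private-key block; search() is used because the file written
# by `openssl rsa -text` has a human-readable dump in front of the PEM block.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z ]*PRIVATE KEY)-----\r?\n(.*?)-----END \1-----", re.S)

def classify_pem(data):
    """Return 'encrypted', 'unencrypted', or None if no PEM private key is found."""
    m = PEM_RE.search(data)
    if m is None:
        return None
    label, body = m.group(1), m.group(2)
    if label == b"ENCRYPTED PRIVATE KEY":            # PKCS#8 encrypted PEM
        return "encrypted"
    if body.startswith(b"Proc-Type: 4,ENCRYPTED"):   # traditional encrypted PEM
        return "encrypted"
    return "unencrypted"

def classify_der(data):
    """Classify a DER key by the first element inside the outer SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    # Skip the outer length field: 1 byte (short form) or 1 + n bytes (long form).
    i = 2 if data[1] < 0x80 else 2 + (data[1] & 0x7F)
    if i >= len(data):
        return None
    if data[i] == 0x02:    # INTEGER version first: key stored in the clear
        return "unencrypted"
    if data[i] == 0x30:    # AlgorithmIdentifier first: EncryptedPrivateKeyInfo
        return "encrypted"
    return None

def classify(data):
    return classify_pem(data) or classify_der(data) or "unknown"

# Constructed stand-ins (no real key material) for the files from steps b-d.
SAMPLES = {
    "client.key": b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                  b"DEK-Info: DES-EDE3-CBC,0000000000000000\n\nAAAA\n"
                  b"-----END RSA PRIVATE KEY-----\n",
    "client.key.pem": b"Private-Key: (2048 bit)\nmodulus:\n"
                      b"-----BEGIN RSA PRIVATE KEY-----\nAAAA\n"
                      b"-----END RSA PRIVATE KEY-----\n",
    "client.key.der": bytes([0x30, 0x82, 0x05, 0x0E, 0x30, 0x40]),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name}: {classify(data)}")
```

To check the real files, pass the bytes read from each file in C:\zencrypt to classify(), and remove any file reported as unencrypted once it is no longer needed.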