TLS/SSL Certificates

This section describes how to use existing or generate new TLS/SSL certificates for the ReqView Floating License Server.

You will need the OpenSSL command-line tools for the procedures in the sections below if you do not already have a TLS/SSL server certificate (in PEM format) signed by a CA that your clients trust. Many binary distributions of the OpenSSL tools are available for Windows; we recommend Win64 OpenSSL v1.0.2o Light, run from a command prompt started as Administrator.

See the OpenSSL PKI Tutorial or OpenSSL Essentials for more information about working with certificates.

Command Line Interface

Additional Command Line Arguments:

reqview_license_server [-h] [--host HOST [HOST ...]] --port PORT
                       --certfile CERTFILE [--keyfile KEYFILE]
                       [--keypwfile KEYPWFILE]
                       [--cafile CAFILE] [--capath CAPATH]
                       [--adminpwfile ADMINPWFILE]
                       [--license LICENSE [LICENSE ...]]
Option       Necessity  Description
--certfile   required   File in PEM format containing the server TLS/SSL certificate and optionally also CA certificates
--keyfile    optional   File containing the private key for the TLS/SSL certificate; by default taken from the certificate file
--keypwfile  optional   File containing the password for decrypting the private key of the TLS/SSL certificate
--cafile     optional   File of concatenated CA certificates in PEM format; by default read from the certificate file or from the OS
--capath     optional   Path to a directory containing CA certificates in PEM format (OpenSSL hashed layout)

The required command-line argument --certfile must be the path to a single file in PEM format containing the server certificate (and optionally any number of CA certificates needed to establish the certificate's authenticity). The --keyfile argument, if present, must point to a file containing the private key; otherwise the private key is read from the --certfile file as well. If the private key is encrypted, the --keypwfile argument must be the path to a single file containing the password.

The CA certificate that was used to sign the server certificate is passed using either the --cafile or the --capath argument. The --cafile string must be the path to a file of one or more concatenated CA certificates in PEM format. The --capath string must be the path to a directory containing CA certificates in PEM format in the OpenSSL library layout, i.e. each file named (or symlinked) by the hash of its subject, as produced by the c_rehash script or openssl rehash. If neither CA argument is used, the CA certificates provided by the OS are searched.

It is essential that the CA used is trusted by all the ReqView clients’ computers, otherwise they won’t be able to connect to the license server.

You can either use the default certificates provided with ReqView, use your own existing certificates, request a TLS/SSL certificate from a public trusted CA (such as Let’s Encrypt or RapidSSL) or generate your own (please refer to TLS/SSL Certificates for details).

Using Existing Certificates

If you have an existing TLS/SSL server certificate (with its private key) for the desired server address then you can use it for running the ReqView License Server.

In Windows, certificates are usually kept in the Windows certificate store (the Certificates snap-in for the local computer, certlm.msc). Export the server certificate including its private key in Personal Information Exchange - PKCS #12 (.PFX) format, then convert the .PFX file to PEM format with the openssl tools as follows:

$ openssl pkcs12 -in certwithkey.pfx -nocerts -out server.key
$ openssl pkcs12 -in certwithkey.pfx -clcerts -nokeys -out server.crt

The first command asks for a PEM pass phrase and writes the private key encrypted with it; write that password to a file and pass the file to the ReqView Floating License Server using the --keypwfile argument. The second command extracts only the server (leaf) certificate; if the .PFX also contains the issuing CA certificates, extract them with the -cacerts -nokeys options of openssl pkcs12 and either append them to server.crt or pass the resulting file with --cafile.
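As an added example (not ReqView's own tooling), the conversion above as a non-interactive POSIX shell function: it reads the .PFX import password and the new key pass phrase from files (the second file is the one you later pass as --keypwfile), strips the "Bag Attributes" text that openssl pkcs12 prints in front of the PEM blocks, extracts any CA certificates bundled in the .PFX into a separate chain file, and finally checks that the key really belongs to the certificate. File names, directory names and passwords are placeholders.

```shell
#!/bin/sh
# Added example, not part of ReqView: convert a PKCS#12 (.pfx) export to
# the PEM files the license server expects, without interactive prompts.
#   sh pfx_to_pem.sh PFX IMPORT_PW_FILE KEY_PW_FILE OUT_DIR
# IMPORT_PW_FILE holds the password set when the .pfx was exported;
# KEY_PW_FILE holds the pass phrase the PEM key will be encrypted with
# (this is the file you later pass to --keypwfile).
set -eu

# Keep only the PEM blocks; openssl pkcs12 prefixes them with
# "Bag Attributes" / "Key Attributes" text that the server does not need.
pem_only() {
    sed -n '/-----BEGIN/,/-----END/p'
}

pfx_to_pem() {
    pfx=$1; import_pw=$2; key_pw=$3; out=$4
    mkdir -p "$out"
    umask 077   # the private key must not be readable by other users

    # Private key, re-encrypted under the pass phrase from KEY_PW_FILE.
    openssl pkcs12 -in "$pfx" -nocerts -passin "file:$import_pw" \
        -passout "file:$key_pw" -out "$out/server.key.raw" 2>/dev/null
    pem_only < "$out/server.key.raw" > "$out/server.key"

    # Server (leaf) certificate only.
    openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin "file:$import_pw" \
        -out "$out/server.crt.raw" 2>/dev/null
    pem_only < "$out/server.crt.raw" > "$out/server.crt"

    # CA certificates bundled in the .pfx, if any (file may end up empty).
    openssl pkcs12 -in "$pfx" -cacerts -nokeys -passin "file:$import_pw" \
        -out "$out/chain.crt.raw" 2>/dev/null
    pem_only < "$out/chain.crt.raw" > "$out/chain.crt"
    rm -f "$out"/*.raw

    # Sanity check: the key must load with the pass phrase file and its
    # public half must equal the public key inside the certificate.
    key_pub=$(openssl pkey -in "$out/server.key" -passin "file:$key_pw" -pubout)
    cert_pub=$(openssl x509 -in "$out/server.crt" -noout -pubkey)
    [ "$key_pub" = "$cert_pub" ] \
        || { echo "private key does not match server.crt" >&2; return 1; }
    echo "wrote $out/server.key (encrypted), $out/server.crt, $out/chain.crt"
}

if [ "$#" -eq 4 ]; then
    pfx_to_pem "$@"
fi
```

Run it as `sh pfx_to_pem.sh certwithkey.pfx import.txt keypw.txt pem/` and start the server with `--certfile pem/server.crt --keyfile pem/server.key --keypwfile keypw.txt` (plus `--cafile pem/chain.crt` if the chain file is non-empty). Note that OpenSSL 3.x refuses .PFX files that use the old RC2 cipher unless you add `-legacy` to the openssl pkcs12 commands.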

If you don’t have an existing TLS/SSL server certificate but you have an existing trusted company CA certificate then you can use the CA certificate to generate the server certificate (see below).

Using Existing CA Certificate

ReqView License Server can automatically obtain the trusted CA certificate that was used to sign the server certificate from the OS. However, to generate (sign) a server certificate yourself you need the CA certificate and its private key as files in PEM format.

In Windows, you can export your CA certificate from the Windows certificate store as described in the previous section.

Generating CA Certificate

You can generate a new root CA certificate valid for 3 years using the following openssl commands:

$ openssl genrsa -out rootCA.key 2048
$ openssl req -x509 -new -nodes -key rootCA.key -days 1095 -out rootCA.crt -subj "/C=US/ST=Florida/L=Miami/O=Acme Widgets Inc./OU=IT/CN=AcmeReqViewCA"


Replace the -subj argument value with the details of your company (see the openssl req manual page for an explanation of the -subj format). Keep rootCA.key private: anyone holding it can issue certificates that your clients will trust.

Generating Server Certificate

You can generate a new server TLS/SSL certificate enabling secure communication of the ReqView Floating License Server with its clients in the three steps below:

  1. Write an OpenSSL request configuration with your company details and the host name of your license server as the CN and DNS.1 values, and save it as a file, e.g. csr_details.txt:

    [req]
    default_bits = 2048
    prompt = no
    default_md = sha256
    req_extensions = req_ext
    distinguished_name = dn
     
    [ dn ]
    C=US
    ST=Florida
    L=Miami
    O=Acme Widgets Inc.
    OU=IT
    emailAddress=it@mycompany.com
    CN = reqviewlicense.intranet.mycompany.com
     
    [ req_ext ]
    subjectAltName = @alt_names
     
    [ alt_names ]
    DNS.1 = reqviewlicense.intranet.mycompany.com


    The CN and DNS.1 values must match the licenseServer attribute of ReqView floating client licenses (the port number is ignored and does not belong in the CSR file).

  2. Generate a private key of the server certificate and a CSR:

    $ openssl genrsa -out server.key 2048
    $ openssl req -new -sha256 -key server.key -out server.csr -config csr_details.txt
    

  3. Sign the server certificate using a CA certificate and the CSR.

    $ openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt -days 1095 -extensions req_ext -extfile csr_details.txt
    

    When signing the first certificate with this CA, use the -CAcreateserial argument; it creates the file rootCA.srl holding the next serial number. For subsequent certificates, reuse that file with -CAserial rootCA.srl instead of -CAcreateserial so that every certificate issued by the CA gets a unique serial number.

The output of this procedure is the file server.key with the private key of the server certificate and the file server.crt with the public part of the server certificate. Pass them to the license server with --certfile server.crt --keyfile server.key (and --cafile rootCA.crt if the CA is not installed in the OS), and install rootCA.crt as a trusted root CA on every ReqView client computer.
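The whole procedure from "Generating CA Certificate" onwards, as an added POSIX shell example that is not part of ReqView, followed by the pre-flight checks a practitioner wants before starting the server with the command-line arguments described above: the private key matches the certificate, the certificate chains to the CA file, the license server host name is present as a DNS SAN, and the certificate is not about to expire. Unlike the page's commands, the CA extensions (CA:TRUE, keyCertSign) are pinned in a small config file so the result does not depend on the system openssl.cnf. Subject fields, the host name and the output directory are placeholders.

```shell
#!/bin/sh
# Added example, not part of ReqView: generate a private root CA and a
# server certificate with a DNS SAN for the Floating License Server, then
# pre-flight the resulting files before passing them to the server.
#   sh reqview_tls.sh OUT_DIR LICENSE_SERVER_HOST
# Subject fields and the host name are placeholders; adjust them.
set -eu

# make_root_ca DIR: rootCA.key / rootCA.crt valid for 3 years (1095 days).
# CA extensions are pinned in a config file so the result does not depend
# on whatever x509_extensions the system openssl.cnf happens to set.
make_root_ca() {
    dir=$1
    cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt = no
default_md = sha256
distinguished_name = dn
x509_extensions = v3_ca

[dn]
C = US
O = Acme Widgets Inc.
CN = AcmeReqViewCA

[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl genrsa -out "$dir/rootCA.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/rootCA.key" -days 1095 \
        -config "$dir/ca.cnf" -out "$dir/rootCA.crt"
}

# make_server_cert DIR HOST: server.key / server.csr / server.crt signed by
# the CA in DIR. HOST (without a port) goes into both CN and DNS.1.
make_server_cert() {
    dir=$1; host=$2
    cat > "$dir/csr_details.txt" <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[dn]
C = US
O = Acme Widgets Inc.
CN = $host

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = $host
EOF
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/server.key" -out "$dir/server.csr" \
        -config "$dir/csr_details.txt"
    # -extfile/-extensions are required: x509 -req does not copy the SAN
    # from the CSR on its own.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/rootCA.crt" \
        -CAkey "$dir/rootCA.key" -CAcreateserial -days 1095 \
        -extensions req_ext -extfile "$dir/csr_details.txt" \
        -out "$dir/server.crt" 2>/dev/null
}

# preflight_check CERT KEY CAFILE HOST: 0 only if KEY matches CERT, CERT
# chains to CAFILE, HOST is a DNS SAN of CERT and CERT is valid for >24h,
# i.e. the conditions under which clients that trust CAFILE will connect.
preflight_check() {
    cert=$1; key=$2; cafile=$3; host=$4
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "private key does not match $cert" >&2; return 1; }
    openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1 \
        || { echo "$cert does not chain to $cafile" >&2; return 1; }
    openssl x509 -in "$cert" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$host" \
        || { echo "$cert has no DNS SAN for $host" >&2; return 1; }
    openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null \
        || { echo "$cert is expired or expires within 24h" >&2; return 1; }
}

if [ "$#" -eq 2 ]; then
    mkdir -p "$1"
    make_root_ca "$1"
    make_server_cert "$1" "$2"
    preflight_check "$1/server.crt" "$1/server.key" "$1/rootCA.crt" "$2"
    echo "OK: --certfile $1/server.crt --keyfile $1/server.key --cafile $1/rootCA.crt"
fi
```

Run it as `sh reqview_tls.sh pki reqviewlicense.intranet.mycompany.com`; the host name must be exactly the licenseServer value of the floating client licenses, without the port. preflight_check is also useful on its own against certificates obtained elsewhere (for example from the PFX conversion above, with --keypwfile keys after decrypting them): a failure in the chain or SAN step is exactly what makes ReqView clients refuse the connection.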

Updated for version 1.1.0