Review this article to learn how to use existing or generate new TLS/SSL certificates for the ReqView Floating License Server.
It might be necessary to use OpenSSL tools as described in the sections below if you do not have an existing TLS/SSL server certificate (in PEM format) signed by a trusted CA. There are many binary distributions of openssl tools available for Windows. We recommend using Win64 OpenSSL v1.0.2o Light in a command prompt run as an Administrator.
Additional Command Line Arguments:
```
reqview_license_server [-h] [--host HOST [HOST ...]] --port PORT --certfile CERTFILE [--keyfile KEYFILE] [--keypwfile KEYPWFILE] [--cafile CAFILE] [--capath CAPATH] [--adminpwfile ADMINPWFILE] [--license LICENSE [LICENSE ...]]
```
| Argument | Required | Description |
|---|---|---|
| `--certfile CERTFILE` | required | File in PEM format containing the server TLS/SSL certificate |
| `--keyfile KEYFILE` | optional | File containing the private key for the TLS/SSL certificate; by default taken from the certificate file |
| `--keypwfile KEYPWFILE` | optional | File containing the password for decrypting the private key of the TLS/SSL certificate |
| `--cafile CAFILE` | optional | File of concatenated CA certificates in PEM format; by default read from the file specified by |
| `--capath CAPATH` | optional | Path to a directory containing CA certificates in PEM format |
The required command-line argument `--certfile` must be the path to a single file in PEM format containing the server certificate. The `--keyfile` argument, if present, must point to a file containing the private key; otherwise the private key is taken from the `--certfile` file as well. If the private key for the certificate is encrypted, the `--keypwfile` argument must be the path to a single file containing the password.
The server certificate must have the `subjectAltName.DNS` and `subject.commonName` fields set to the hostname that exactly matches the hostname present in your ReqView server license file, without the port number. Multiple DNS names and wildcards are not permitted.
The CA certificate that was used to sign the server certificate is passed using either the `--cafile` or the `--capath` argument. The `--cafile` string should be the path to a file of one or more concatenated CA certificates in PEM format. The `--capath` string should be the path to a directory containing several CA certificates in PEM format in OpenSSL library layout. If neither CA argument is used, the OS-provided CA certificates are searched.
It is essential that the CA used is trusted by all the ReqView clients’ computers, otherwise they will not be able to connect to the license server.
You can either use the default certificates provided with ReqView, use your own existing certificates, request a TLS/SSL certificate from a public trusted CA (such as Let’s Encrypt or RapidSSL), or generate your own (for more details, see TLS/SSL Certificates).
If you have an existing TLS/SSL server certificate (with its private key) for the desired server address, then you can use it to run the ReqView License Server.
In Windows, certificates are usually stored in the Windows certificate store (certlm.msc). The server certificate has to be exported (including its private key) in Personal Information Exchange, PKCS #12 (.PFX), format. The .PFX file then has to be converted to PEM format using OpenSSL tools. See the following:

```
openssl pkcs12 -in certwithkey.pfx -nocerts -out server.key
openssl pkcs12 -in certwithkey.pfx -clcerts -nokeys -out server.crt
```
If the private key is password protected, write the password to a file and pass it to the ReqView Floating License Server using the `--keypwfile` argument.
If you don’t have an existing TLS/SSL server certificate but you have an existing trusted company CA certificate, use the CA certificate to generate the server certificate (see below).
The ReqView License Server can automatically obtain the trusted CA certificate that was used to sign the server certificate from the OS. However, you will need it as a file in PEM format to generate a server certificate.
In Windows, you can export your CA certificate from the Windows certificate store, as described in the previous section.
Generate a new root CA certificate valid for 3 years using the following commands:

```
openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -days 1095 -out rootCA.crt -subj "/C=US/ST=Florida/L=Miami/O=Acme Widgets Inc./OU=IT/CN=AcmeReqViewCA"
```

Replace the `-subj` argument value with the details of your company (see here for an explanation of the argument).
Generate a new server TLS/SSL certificate to enable secure communication between the ReqView Floating License Server and its clients.
Follow these steps:
1. Prepare a CSR configuration with your company details and the `CN` and `DNS.1` values, and save it as a file, for example csr_details.txt:

   ```
   [req]
   default_bits = 2048
   prompt = no
   default_md = sha256
   req_extensions = req_ext
   distinguished_name = dn

   [ dn ]
   C=US
   ST=Florida
   L=Miami
   O=Acme Widgets Inc.
   OU=IT
   emailAddress=firstname.lastname@example.org
   CN = reqviewlicense.intranet.mycompany.com

   [ req_ext ]
   subjectAltName = @alt_names

   [ alt_names ]
   DNS.1 = reqviewlicense.intranet.mycompany.com
   ```

   The `CN` and `DNS.1` values must match the `licenseServer` attribute of the ReqView floating client licenses. Multiple DNS names and wildcards are not permitted. **Note:** The port number is ignored and does not belong in the CSR file.

2. Generate the server private key and the certificate signing request (CSR):

   ```
   openssl genrsa -out server.key 2048
   openssl req -new -sha256 -key server.key -out server.csr -config csr_details.txt
   ```

3. Sign the CSR with your CA certificate:

   ```
   openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt -days 1095 -extensions req_ext -extfile csr_details.txt
   ```

   If this is the first CSR you sign with this CA, use the `-CAcreateserial` argument, which creates a *rootCA.srl* file containing the serial number. If you already have a serial number file, use it with `-CAserial rootCA.srl` instead of `-CAcreateserial`.

The output of this procedure is a server.key file with the private key of the server certificate and a server.crt file with the public part of the server certificate.
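The following script is an added example, not ReqView's own tooling: it runs the article's CA and server certificate commands in a temporary directory and then checks, before the files are deployed, the properties the license server and its clients depend on (a single non-wildcard DNS name in the SAN, a chain to the CA, and a hostname match as a client would evaluate it). It is written for a POSIX shell (Git Bash or WSL on Windows); the hostname, subject details and file names are constructed.

```shell
#!/bin/sh
# Added example: issue a CA-signed server certificate as the article does,
# then verify what the ReqView server and its clients require of it.
set -eu
HOST="reqviewlicense.intranet.mycompany.com"   # constructed; use the hostname from your license file
WORK="$(mktemp -d)"; cd "$WORK"

# Root CA as in the article (subject details are constructed)
openssl genrsa -out rootCA.key 2048 2>/dev/null
openssl req -x509 -new -nodes -key rootCA.key -days 1095 -out rootCA.crt \
  -subj "/C=US/O=Acme Widgets Inc./CN=AcmeReqViewCA" 2>/dev/null

# make_csr_config NAME [NAME2]: the article's csr_details.txt; the optional
# second name only exists so a non-compliant certificate can be produced.
make_csr_config() {
  printf '[req]\ndefault_bits = 2048\nprompt = no\ndefault_md = sha256\n'
  printf 'req_extensions = req_ext\ndistinguished_name = dn\n[ dn ]\n'
  printf 'C=US\nO=Acme Widgets Inc.\nCN = %s\n[ req_ext ]\n' "$1"
  printf 'subjectAltName = @alt_names\n[ alt_names ]\nDNS.1 = %s\n' "$1"
  if [ $# -ge 2 ]; then printf 'DNS.2 = %s\n' "$2"; fi
}

# issue_server_cert PREFIX NAME...: private key, CSR and CA-signed certificate
issue_server_cert() {
  p="$1"; shift
  make_csr_config "$@" > "$p.cfg"
  openssl genrsa -out "$p.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$p.key" -out "$p.csr" -config "$p.cfg"
  openssl x509 -req -in "$p.csr" -CA rootCA.crt -CAkey rootCA.key -CAcreateserial \
    -out "$p.crt" -days 1095 -extensions req_ext -extfile "$p.cfg" 2>/dev/null
}

# check_server_cert CERT CAFILE HOST: succeeds only when the SAN holds exactly
# one DNS name, it is not a wildcard, and a client trusting CAFILE would
# accept CERT for HOST (chain of trust plus hostname match).
check_server_cert() {
  names=$(openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
          | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://') || return 1
  [ "$(printf '%s\n' "$names" | wc -l)" -eq 1 ] || return 1
  case "$names" in *'*'*) return 1 ;; esac
  openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

issue_server_cert server "$HOST"
if check_server_cert server.crt rootCA.crt "$HOST"; then
  echo "server.crt and server.key are ready for --certfile and --keyfile"
else
  echo "server.crt does not meet the license server requirements"
fi
```

Note that a wildcard certificate passes `openssl verify -verify_hostname` but is still rejected by the check, because the license server requires an exact single name.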