This section describes how to use existing or generate new TLS/SSL certificates for the ReqView Floating License Server.
It might be necessary to use OpenSSL tools as described in the sections below if you don’t have an existing TLS/SSL server certificate (in PEM format) signed by a trusted CA. There are many binary distributions of openssl tools available for Windows. We recommend using Win64 OpenSSL v1.0.2o Light in a command prompt run as Administrator.
Additional Command Line Arguments:
reqview_license_server [-h] [--host HOST [HOST ...]] --port PORT --certfile CERTFILE [--keyfile KEYFILE] [--keypwfile KEYPWFILE] [--cafile CAFILE] [--capath CAPATH] [--adminpwfile ADMINPWFILE] [--license LICENSE [LICENSE ...]]
|Argument|Required|Description|
|---|---|---|
|--certfile|required|File in PEM format containing the server TLS/SSL certificate and optionally also CA certificates|
|--keyfile|optional|File containing the private key for the TLS/SSL certificate; by default taken from the certificate|
|--keypwfile|optional|File containing the password for decrypting the private key of the TLS/SSL certificate|
|--cafile|optional|File of concatenated CA certificates in PEM format; by default read from|
|--capath|optional|Path to a directory containing CA certificates in PEM format|
The required command-line argument --certfile must be the path to a single file in PEM format containing the certificate (and optionally any number of CA certificates needed to establish the certificate’s authenticity). The --keyfile argument, if present, must point to a file containing the private key. Otherwise the private key will be taken from the --certfile file as well. If the private key for the certificate is encrypted, the --keypwfile argument must be the path to a single file containing the password.
The CA certificate that was used to sign the server certificate is passed using either the --cafile or the --capath argument. The --cafile string should be the path to a file of one or more concatenated CA certificates in PEM format. The --capath string should be the path to a directory containing several CA certificates in PEM format in OpenSSL library layout. If none of the CA arguments are used, the OS-provided CA certificates are searched.
It is essential that the CA used is trusted by all the ReqView clients’ computers, otherwise they won’t be able to connect to the license server.
You can either use the default certificates provided with ReqView, use your own existing certificates, request a TLS/SSL certificate from a public trusted CA (such as Let’s Encrypt or RapidSSL) or generate your own (please refer to TLS/SSL Certificates for details).
If you have an existing TLS/SSL server certificate (with its private key) for the desired server address then you can use it for running the ReqView License Server.
In Windows, certificates are usually stored in the Windows certificate store (certlm.msc). The server certificate has to be exported (including its private key) in Personal Information Exchange - PKCS #12 (.PFX) format. The .PFX file then has to be converted to PEM format using openssl tools as follows:
$ openssl pkcs12 -in certwithkey.pfx -nocerts -out server.key
$ openssl pkcs12 -in certwithkey.pfx -clcerts -nokeys -out server.crt
If the private key is password protected, then you can write the password to a file and pass it to the ReqView Floating License Server using the --keypwfile argument.
If you don’t have an existing TLS/SSL server certificate but you have an existing trusted company CA certificate then you can use the CA certificate to generate the server certificate (see below).
ReqView License Server can automatically obtain the trusted CA certificate that was used to sign the server certificate from the OS. However, you will need it as a file in PEM format to generate a server certificate.
In Windows, you can export your CA certificate from the Windows certificate store as described in the previous section.
You can generate a new root CA certificate valid for 3 years using the following
-subj argument value with details of your company (see here for an explanation of the
You can generate a new server TLS/SSL certificate enabling secure communication of the ReqView Floating License Server with its clients in the three steps below:
1. Create a certificate signing request (CSR) with your company details and the address of your license server as the DNS.1 values and save this as a file, e.g. csr_details.txt. The DNS.1 values must match the licenseServer attribute of ReqView floating client licenses (the port number is ignored and does not belong in the CSR file).
2. Generate a private key of the server certificate and a CSR:
   $ openssl genrsa -out server.key 2048
   $ openssl req -new -sha256 -key server.key -out server.csr -config csr_details.txt
3. Sign the server certificate using a CA certificate and the CSR:
   $ openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt -days 1095 -extensions req_ext -extfile csr_details.txt
   If this is the first CSR you sign, use the -CAcreateserial argument, which creates the rootCA.srl file containing a serial number. If you already have a serial number file, use it by passing -CAserial rootCA.srl instead of -CAcreateserial.
The output of this procedure is the server.key file with the private key of the server certificate and the server.crt file with the public part of the server certificate.
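The three steps above run end to end, followed by the checks worth making before the files are passed to --certfile, --keyfile and --cafile. This is an added example, not ReqView's own code: the contents of csr_details.txt, the host name license.example.com, the throwaway root CA and the function names make_fixture and check_server_cert are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: the three steps against a throwaway root CA, plus pre-flight
# checks. Host name, DN values and the root CA are constructed placeholders.

make_fixture() (  # $1 = work directory, $2 = license server host name
  mkdir -p "$1" && cd "$1" || exit 1
  # Step 1: CSR details; CN and DNS.1 carry the server address, no port.
  cat > csr_details.txt <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = req_ext
[dn]
O = Example Company
CN = $2
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = $2
[ca_ext]
basicConstraints = critical,CA:TRUE
EOF
  # Demo-only root CA (unencrypted key); ca_ext exists only for this step.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1095 \
    -subj "/CN=Constructed Test Root CA" -keyout rootCA.key -out rootCA.crt \
    -config csr_details.txt -extensions ca_ext 2>/dev/null || exit 1
  # Steps 2 and 3 with the commands from the page.
  openssl genrsa -out server.key 2048 2>/dev/null || exit 1
  openssl req -new -sha256 -key server.key -out server.csr \
    -config csr_details.txt || exit 1
  openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key \
    -CAcreateserial -out server.crt -days 1095 \
    -extensions req_ext -extfile csr_details.txt 2>/dev/null
)

check_server_cert() {  # $1 = host, $2 = certfile, $3 = keyfile, $4 = cafile
  # The chain must verify against the CA and the SAN must cover the host.
  openssl verify -CAfile "$4" -verify_hostname "$1" "$2" 2>/dev/null |
    grep -q ': OK$' || return 1
  # The private key must be the one the certificate was issued for.
  [ "$(openssl x509 -in "$2" -noout -pubkey)" = \
    "$(openssl pkey -in "$3" -pubout 2>/dev/null)" ]
}

work=$(mktemp -d) && make_fixture "$work" license.example.com &&
  check_server_cert license.example.com \
    "$work/server.crt" "$work/server.key" "$work/rootCA.crt" &&
  echo "server.crt chains to rootCA.crt and matches license.example.com"
```

check_server_cert returns non-zero when the certificate does not chain to the given CA file, when the host name is not covered by the certificate, or when server.key belongs to a different certificate.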