TLS/SSL Certificates

Documentation / Administrate

Table of Contents

Review this article to learn how to use existing or generate new TLS/SSL certificates for the ReqView Floating License Server.

It might be necessary to use OpenSSL tools as described in the sections below if you do not have an existing TLS/SSL server certificate (in PEM format) signed by a trusted CA. There are many binary distributions of openssl tools available for Windows. We recommend using the latest Win64 OpenSSL Light in a command prompt run as an Administrator.

Check OpenSSL PKI Tutorial or OpenSSL Essentials for more information about working with certificates.

Command Line Interface

Additional Command Line Arguments:

reqview_license_server [-h] [--host HOST [HOST ...]] --port PORT
                       --certfile CERTFILE [--keyfile KEYFILE]
                       [--keypwfile KEYPWFILE]
                       [--cafile CAFILE] [--capath CAPATH]
                       [--adminpwfile ADMINPWFILE]
                       [--license LICENSE [LICENSE ...]]
OptionNecessityDescription
--certfilerequiredFile in PEM format containing the server TLS/SSL certificate
--keyfileoptionalFile containing the private key for the TLS/SSL certificate; by default taken from the certificate
--keypwfileoptionalFile containing the password for decrypting the private key of the TLS/SSL certificate
--cafileoptionalFile of concatenated CA certificates in PEM format; by default read from the file specified by --certfile parameter or from the OS
--capathoptionalPath to a directory containing CA certificates in PEM format

The required command-line argument --certfile must be the path to a single file in PEM format containing the server certificate. The --keyfile argument, if present, must point to a file containing the private key. Otherwise the private key will be taken from --certfile file as well. If the private key for the certificate is encrypted, the --keypwfile argument must be the path to a single file containing the password.

The server certificate must have the subjectAltName.DNS and subject.commonName fields set to a URL that exactly matches the hostname (fully qualified domain name — FQDN) present in your ReqView server license file without the port number. For security reasons, wildcards are not permitted.

The CA certificate that was used to sign the server certificate is passed using either --cafile or --capath arguments. The --cafile string should be the path to a file of one or more concatenated CA certificates in PEM format. The --capath string should be the path to a directory containing several CA certificates in PEM format in OpenSSL library layout. If none of the CA arguments are used, the OS provided CA certificates are searched.

It is essential that the CA used is trusted by all the ReqView clients’ computers, otherwise they will not be able to connect to the license server.

You can either use the default certificates provided with ReqView, use your own existing certificates, request a TLS/SSL certificate from a public trusted CA (such as Let’s Encrypt or RapidSSL), or generate your own (for more details, see TLS/SSL Certificates).

Using Existing Certificates

If you have an existing TLS/SSL server certificate (with its private key) for the exact desired server address (as wildcards are not permitted), you can use it to run the ReqView License Server. To create the server.pem file that can be passed to the server via the --certfile argument, it might be necessary to concatenate the domain certificate and your private key files (both files must be PEM-encoded and usually have .crt and .key extensions respectively, or .pem):

$ cat server.crt server.key > server.pem

If you have intermediate certificates in separate files, include them in the concatenation before the private key:

$ cat server.crt intermediate.crt server.key > server.pem

Let’s Encrypt Certificates

For Let’s Encrypt certificates created using Certbot, concatenate the fullchain.pem and privkey.pem files (see Where are my certificates? if you don’t know where to find them):

$ cat fullchain.pem privkey.pem > server.pem

Windows Certificate Store

In Windows, certificates are usually stored in the Windows certificate store (certlm.msc or certmgr.msc). The server certificate has to be exported (including its private key) in Personal Information Exchange — PKCS #12 (.pfx) format. The .pfx file then has to be converted to PEM format using the openssl tools:

> openssl pkcs12 -in certwithkey.pfx -clcerts -nokeys -out server.crt
> openssl pkcs12 -in certwithkey.pfx -nocerts -out server.key

Concatenate the output files using the type command in cmd to create the server.pem file that can be passed to the server using the --certfile argument:

> type server.crt server.key > server.pem

If the private key is password protected, write the password to a file and pass it to the ReqView Floating License Server using the --keypwfile argument.

If you don’t have an existing TLS/SSL server certificate but you have an existing trusted company CA certificate, use the CA certificate to generate the server certificate (see below).

Use Existing CA Certificate

The ReqView License Server can automatically obtain the trusted CA certificate that was used to sign the server certificate from the OS. However, you will need it as a file in PEM format to generate a server certificate.

In Windows, you can export your CA certificate from the Windows certificate store, as described in the previous section.

Generate CA Certificate

Generate a new root CA certificate valid for 3 years using the following openssl commands:

$ openssl genrsa -out rootCA.key 2048
$ openssl req -x509 -new -nodes -key rootCA.key -days 1095 -out rootCA.crt -subj "/C=US/ST=Florida/L=Miami/O=Acme Widgets Inc./OU=IT/CN=AcmeReqViewCA"

Replace the -subj argument value with details of your company (see here for an explanation of the -subj argument).

Generate Server Certificate

Generate a new server TLS/SSL certificate to enable secure communication between the ReqView Floating License Server and its clients.

Follow these steps:

  1. Create a certificate signing request (CSR) with your company details and the address of your license server as the CN and DNS.1 values, and save this as a file. For example, csr_details.txt:

    [req]
    default_bits = 2048
    prompt = no
    default_md = sha256
    req_extensions = req_ext
    distinguished_name = dn
    

    [ dn ]
    C=US
    ST=Florida
    L=Miami
    O=Acme Widgets Inc.
    OU=IT
    emailAddress=it@mycompany.com
    CN = reqviewlicense.intranet.mycompany.com
    

    [ req_ext ]
    subjectAltName = @alt_names
    

    [ alt_names ]
    DNS.1 = reqviewlicense.intranet.mycompany.com

    The CN and DNS.1 values must match the licenseServer attribute of the ReqView floating client licenses. Multiple DNS names and wildcards are not permitted.

    Note: The port number is ignored and does not belong in the CSR file.

  2. Generate a private key for the server certificate and a CSR:

    $ openssl genrsa -out server.key 2048
    $ openssl req -new -sha256 -key server.key -out server.csr -config csr_details.txt

  3. Sign the server certificate using a CA certificate and the CSR:

    $ openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt -days 1095 -extensions req_ext -extfile csr_details.txt

    If you create the first CSR, then use the -CAcreateserial argument resulting in creation of rootCA.srl file containing a serial number. If you already have a serial number file, use it with -CAserial rootCA.srl instead of -CAcreateserial.

    The output of this procedure is the server.key file with the private key of the server certificate and the server.crt file with the public part of the server certificate.

  4. Combine the certificate and the private key files into PEM format usable with the --certfile argument of the license server:

    $ cat server.crt server.key > server.pem
Updated for version 1.2.0