HP SSL for OpenVMS Version 1.1 Installation Guide and Release ...

HP SSL for OpenVMSVersion 1.1 Installation Guide and Release NotesJune 2003This guide contains hardware and software prerequisites, installationinstructions, postinstallation tasks, instructions for building yourapplication, the SSL directory structure, and release notes forHP SSL Version 1.1 for OpenVMS.For more information about HP SSL, see the HP Open SourceSecurity for OpenVMS Volume 2: HP SSL for OpenVMS. Thatmanual is available on the OpenVMS documentationCD-ROM and the OpenVMS website at http://h71000.www7.hp.com/For the latest release notes and SSL kits, see the HP SSL website athttp://h71000.www7.hp.com/openvms/products/ssl/Installation Requirements and PrerequisitesThe following sections list hardware and disk space requirements, and softwareprerequisites.Hardware PrerequisitesHP SSL is available on both the Alpha and VAX platforms.Disk Space RequirementsThe HP SSL for OpenVMS kit requires approximately 45,000 blocks ofworking disk space to install. Once installed, the software occupies approximately40,000 blocks of disk space.Software PrerequisitesHP SSL for OpenVMS requires the following software:xxOpenVMS Alpha Version 7.2-2 or higher or OpenVMS VAX Version 7.3 or higherHP TCP/IP Services for OpenVMS Version 5.3 or higherHP SSL for OpenVMS has been tested and verified using HPTCP/IP Services for OpenVMS. There are no known problems running HPSSL for OpenVMS with other TCP/IP network products. This includesthe following TCP/IP network products from Process Software Corporation, butHP has not formally tested and verified these other products:x TCPware Version 5.5x MultiNet Version 4.3Account Quotas and System ParametersThere are no specific requirements for account quotas and system parameters forinstalling or using HP SSL for OpenVMS.

New Features in HP SSL V1.1 for OpenVMSSSL V1.1 for OpenVMS, based on OpenSSL 0.9.6g, is included in OpenVMS Version 7.3-2 field test. Theprevious version of OpenVMS included Compaq SSL V1.0, which was based on OpenSSL 0.9.6b.New features in SSL V1.1 include:• A port of the OpenSSL 0.9.6g baselevel, which includes fixes to security vulnerabilities reported onFebruary 19, 2003, and March 17 and 19, 2003 at http://www.openssl.org/news/• Certificate Revocation List (CRL) support in the Certificate Tool• A DES encryption image that allows you to enable uuencoding and uudecoding• Three new CRYPTO APIs have been added -- BN_pseudo_rand_range, ERR_load_COMP_strings, andX509_STORE_CTX_set_verify_cb• Two new SSL APIs have been added -- SSL_get_rfd and SSL_get_wfd• One OpenSSL API has been removed -- OpenSSLDieOpenSSL Documentation from The Open GroupDocumentation about the OpenSSL project and The Open Group is available atthe following URL:http://www.openssl.orgThe OpenSSL documentation was written for UNIX users. When readingUNIX-style OpenSSL documentation, note the following differences betweenUNIX and OpenVMS:xFile specification formatThe OpenSSL documentation shows example file specifications in UNIX format.For example, the UNIX file specification /dka100/foo/bar/file.dat isequivalent to DKA100:[FOO.BAR]FILE.DAT on OpenVMS.xDirectory formatDirectories (pathnames) that begin with a period (.) on UNIX beginwith an underscore (_) on OpenVMS. In addition, on UNIX, the tilde (~)is an abbreviation for SYS$LOGIN. For example, the UNIX pathname~/.openssl/profile/prefs.js is equivalent to the OpenVMS directory[._OPENSSL.PROFILE]PREFS.JS.Installing HP SSL for OpenVMSHP SSL for OpenVMS is shipped with OpenVMS Alpha Version 7.3-1on the Layered Products CD-ROM. You must install HP SSL before you canuse it. Use the following procedure to install HP SSL for OpenVMS.To install the SSL for OpenVMS kit, enter the following command:$ PRODUCT INSTALL SSL/SOURCE=ddcu:[dir]

By default, SSL for OpenVMS is installed into SYS$SYSDEVICE:[VMS$COMMON]. You can specify a different installation location by usingthe PRODUCT INSTALL command line qualifier /DESTINATION.For a description of the features you can request with the PRODUCT INSTALLcommand when starting an installation, such as running the IVP, purging files,and configuring the installation, refer to the POLYCENTER Software InstallationUtility User Guide.As the installation procedure progresses, the system displays information similarto the following:ÅÁIQH7T6SÁBGRS4EEÁRRERHTQ6807D4 '`DBSRbÁÁÁÁ6IPÁ4WIUFRÁRREÁUÁEf pƒpiÁIƒ€i†h…ÁÁÁ6IPÁ4WIUFRÁRREÁU5ÁEf pƒpiÁIƒ€i†h…ÁÁÁ4wwÁ ƒ€i†h…„Áwt„…piÁfg€‡pÁ!ÁÁ8‰t…ÁÁ6s€€„pÁ€ypÁ€ƒÁx€ƒpÁt…px„Áqƒ€xÁ…spÁxpy†Á„p fƒf…piÁg Áh€xxf„'ÁÁÁSspÁq€ww€ˆtyrÁ ƒ€i†h…Ásf„ÁgppyÁ„pwph…pi'ÁÁ6IPÁ4WIUFRÁRREÁUÁEf pƒpiÁIƒ€i†h…ÁÁ7€Á €†Áˆfy…Á…€Áh€y…ty†p2Á`X8RbÁÁ6€yqtr†ƒf…t€yÁ sf„pÁ„…fƒ…tyrÁÁÁX€†ÁˆtwwÁgpÁf„vpiÁ…€Áhs€€„pÁ€ …t€y„ÁtqÁfy Áq€ƒÁpfhsÁ„pwph…piÁ ƒ€i†h…ÁfyiÁq€ƒÁfy Á ƒ€i†h…„Á…sf…Áxf ÁgpÁty„…fwwpiÁ…€Á„f…t„q Á„€q…ˆfƒpÁip pyipyh Áƒp‚†tƒpxpy…„ÁÁ6IPÁ4WIUFRÁRREÁU'ÁRREÁq€ƒÁH pyUFRÁUÁÉ5f„piÁ€yÁH pyRREÁ&#@ÁÁÉhÁ6€ ƒtrs…Á ÁApˆwp……IfhvfƒiÁ7p‡pw€ xpy…Á6€x fy ÁEIÁÁ7€Á €†Áˆfy…Á…spÁipqf†w…„Áq€ƒÁfwwÁ€ …t€y„2Á`X8RbÁÁ7€Á €†Áˆfy…Á…€Áƒp‡tpˆÁ…spÁ€ …t€y„2Á`GHbÁÁ8‰ph†…t€yÁ sf„pÁ„…fƒ…tyrÁÁÁSspÁq€ww€ˆtyrÁ ƒ€i†h…ÁˆtwwÁgpÁty„…fwwpiÁ…€Áip„…tyf…t€y'ÁÁ6IPÁ4WIUFRÁRREÁUÁ7BRDÅ7VEEG@d4dU$ '`UFRÅ6HFFHGbÁÁSspÁq€ww€ˆtyrÁ ƒ€i†h…ÁˆtwwÁgpÁƒpx€‡piÁqƒ€xÁip„…tyf…t€y'ÁÁ6IPÁ4WIUFRÁRREÁU5Á7BRDÅ7VEEG@d4dU$ '`UFRÅ6HFFHGbÁÁI€ƒ…t€yÁi€yp'ÁÆÆÆ Æ!Æ"Æ#Æ$Æ%Æ&ÆÆÁÁSspÁq€ww€ˆtyrÁ ƒ€i†h…Ásf„ÁgppyÁty„…fwwpi'ÁÁ6IPÁ4WIUFRÁRREÁUÁEf pƒpiÁIƒ€i†h…ÁÁSspÁq€ww€ˆtyrÁ ƒ€i†h…Ásf„ÁgppyÁƒpx€‡pi'ÁÁ6IPÁ4WIUFRÁRREÁU5ÁEf pƒpiÁIƒ€i†h…ÁÁÆI6RBBBUI8W86TS8Áp‰ph†…tyrÁ…p„…Á ƒ€hpi†ƒpÁq€ƒÁ6IPÁ4WIUFRÁRREÁUÁÁÆI6RBBBUIRT668RRÁ…p„…Á ƒ€hpi†ƒpÁh€x wp…piÁ„†hhp„„q†ww ÁÁ

$12"917.444-744-GPS0QFO7.47 #BTFEPO0QFO44-#*OTFSUUIFGPMMPXJOHMJOFTJO4:4."/"(&34:45"3561@7.4$0.!TZTTUBSUVQTTMTUBSUVQDPN*OTFSUUIFGPMMPXJOHMJOFTJO4:4."/"(&34:4)65%8/$0.!TZTTUBSUVQTTMTIVUEPXODPN5IFSFBSFQPTUJOTUBMMBUJPOBDUJWJUJFTUIBUOFFEUPCFQFSGPSNFE5IJTJODMVEFTUIJOHTMJLFEFGJOJOHMPHJDBMOBNFTBOESVOOJOH44-65*-4$0.UPEFGJOFTPNFGPSFJHOTZNCPMTBOESVOOJOHUIF*71JGJUXBTOPUEPOFBTQBSUPGUIFJOTUBMMBUJPO3FGFSUPUIF3FMFBTF/PUFTGPSNPSFJOGPSNBUJPOBCPVUBDUJWJUJFTUIBUTIPVMECFQFSGPSNFEPODFUIFJOTUBMMBUJPOIBTGJOJTIFE44-IBTDSFBUFEUIFGPMMPXJOHEJSFDUPSZTUSVDUVSFJO1$4*%&45*/"5*0/XIJDIEFGBVMUTUP4:44:4%&7*$&5PQMFWFM44-EJSFDUPSZ$POUBJOTUIFJNBHFTGPSUIF"MQIBQMBUGPSN%JSFDUPSZUPIPMEUIFWBSJPVTDPNNBOEQSPDFEVSFT

system startup file so that you can use SSL immediately:$ @SYS$STARTUP:SSL$STARTUP3. Define the foreign commands that use the OpenSSL utility OPENSSL.EXE,such as openssl, ca, enc, req, and X509, by entering the followingcommand:$ @SSL$COM:SSL$UTILS4. Optionally, start the Certificate Tool by entering the following command:$ @SSL$COM:SSL$CERT_TOOLThis menu-driven tool allows you to create and view certificates and certificaterequests and to sign certifcate requests. For information about the CertificateTool, see Chapter 3 in HP Open Source Security for OpenVMSVolume 2: HP SSL for OpenVMS.SSL Directory StructureAfter the installation is complete, the SSL directory structure is as follows:[SSL] - Top-level directory created by default inSYS$SYSDEVICE:[VMS$COMMON].[SSL.ALPHA_EXE] - Contains images for the Alpha platform.[SSL.COM] - Contains command procedures.[SSL.DEMOCA] - Contains demos for SSL CA features[SSL.DEMOCA.CERTS] - Contains certificates and keys.[SSL.DEMOCA.CONF] - Contains configuration files.[SSL.DEMOCA.CRL] - Contains revoked certificates and CRLs.[SSL.DEMOCA.PRIVATE] - Contains private keys and random data.[SSL.DOC] - OpenSSL Group provided documentation & information.[SSL.INCLUDE] - Contains C header (.H) files.[SSL.TEST] - Contains files used during the Installation Verification Procedure (IVP).In addition, SSL example programs are located inSYS$COMMON:[SYSHLP.EXAMPLES.SSL]. These example programsare also shown and discussed in Chapter 6 in Open Source Security forOpenVMS Volume 2: HP SSL for OpenVMS.Building an SSL ApplicationHP SSL for OpenVMS provides shareable images that contain 64-bitAPIs and shareable images that contain 32-bit APIs. You can choose which APIs touse when you compile your application.The file names for these shareable images are as follows:SYS$SHARE:SSL$LIBSSL_SHR.EXE - 64-bit SSL APIsSYS$SHARE:SSL$LIBCRYPTO_SHR.EXE - 64-bit Crypto APIsSYS$SHARE:SSL$LIBSSL_SHR32.EXE - 32-bit SSL APIsSYS$SHARE:SSL$LIBCRYPTO_SHR32.EXE - 32-bit Crypto APIsWhen you compile your application using HP C, use the /POINTER_SIZE=64qualifier to take advantage of the 64-bit APIs. The default value for the

POINTER_SIZE qualifier is 32.Linking your application is the same for both 64-bit or 32-bit APIs. The options fileused contains either the 64-bit or 32-bit references to the appropriate shareableimage.Building an Application Using 64-Bit APIsTo build (compile and link) a sample program using the 64-bit APIs, enter thefollowing commands:$ CC/POINTER_SIZE=64/PREFIX=ALL SAMPLE.C$ LINK/MAP SAMPLE,LINKER_OPT/OPTIONSIn these commands, LINKER_OPT.OPT is a simple text file that contains thefollowing lines:SYS$SHARE:SSL$LIBSSL_SHR/SHARESYS$SHARE:SSL$LIBCRYPTO_SHR/SHAREBuilding an Application Using 32-Bit APIsTo build (compile and link) a sample program using the 32-bit APIs, enter thefollowing commands:$ CC/PREFIX=ALL SAMPLE.C$ LINK/MAP SAMPLE,LINKER_OPT/OPTIONSIn these commands, LINKER_OPT.OPT is a simple text file that contains thefollowing lines:SYS$SHARE:SSL$LIBSSL_SHR32/SHARESYS$SHARE:SSL$LIBCRYPTO_SHR32/SHARERelease NotesThis section contains notes about Version 1.1 of HP SSL for OpenVMS.Legal CautionSSL data transport requires encryption. Many governments, including the UnitedStates, have restrictions on the import and export of cryptographic algorithms.Please ensure that your use of SSL is in compliance with all national andinternational laws that apply to you.Shareable Images Containing 64-Bit and 32-Bit APIs ProvidedHP SSL for OpenVMS provides shareable images that contain 64-bitAPIs and shareable images that contain 32-bit APIs. You can choose which APIs touse when you compile your application. For more information, see Section 1.6.Linking with HP SSL Shareable ImagesIf you have written an application that links against the OpenSSL object libraries,you must make a minor change to your code because HP SSL provides onlyshareable images. To link your application against the shareable images, use

code similar to the following:$ LINK my_app.obj, VMS_SSL_OPTIONS/OPTwhere VMS_SSL_OPTIONS.OPT is a text file that contains the following lines:SYS$SHARE:SSL$LIBCRYPTO_SHR.EXE/SHARESYS$SHARE:SSL$LIBSSL_SHR.EXE/SHAREPreserve Certificates, Keys, and Configuration Files When Upgradingfrom Field Test KitIf you are upgrading from the field test kit (T1.0) to the HP SSL Version1.1 kit, you must save the certificates, keys, and configuration files in the SSLsubdirectory. HP recommends that you back up these items to either adifferent disk and directory or to tape. When you have completed the Version 1.1installation, move the saved items back into the SSL directory structure. Thendelete the backed up certificates, keys, and configuration files.Startup and Shutdown Command Procedures RenamedIf you previously installed the Compaq SSL T1.0 field test kit and are nowinstalling the Version 1.1 kit, the SYS$STARTUP:SSL$STARTUP.COMand SYS$STARTUP:SSL$SHUTDOWN.COM command procedures in theVersion 1.1 kit are named SYS$STARTUP:SSL$STARTUP.TEMPLATE andSYS$STARTUP:SSL$SHUTDOWN.TEMPLATE. This prevents PCSI fromoverwriting the .COM files, and allows you to preserve any modifications you madeto SSL$STARTUP.COM and SSL$SHUTDOWN.COM after you installed the T1.0field test kit.After you install the Version 1.1 kit, compare the new .TEMPLATE files with yourexisting SSL$STARTUP.COM and SSL$SHUTDOWN.COM files and add anynew information as required.If you did not previously install the T1.0 field test kit, both the .TEMPLATE and.COM files are provided.Configuration files are provided in the same fashion - both .CNF and.CNF_TEMPLATE files are included in HP SSL.SSL APIs Not Backward CompatibleHP SSL for OpenVMS is based on open-source code provided by TheOpen Group. The OpenVMS code is based on the 0.9.6G baselevel of OpenSSL.Until The Open Group releases its Version 1.0 baselevel, The Open Group is notguaranteeing backward compatibility. This means that any OpenSSL API, datastructure, header file, command, and the like might be changed in a future versionof OpenSSL.As a result, HP cannot guarantee the backward compatibility of HP SSLfor OpenVMS until the release of HP SSL for OpenVMS that isbased on OpenSSL 1.0. The shareable images use EQUAL 1,0 which means thatapplications will have to relink when new shareable images are distributed.Certificate Tool Cannot Have Simultaneous Users

Only one user/process should use the Certificate Tool at a time. The tool does nothave a locking mechanism to prevent unsynchronized accesses of the databaseand serial file.Protect Certificates and KeysWhen you create certificates and keys with the Certificate Tool, take care to ensurethat the keys are properly protected to allow only the owner of the keys to usethem. A private key should be treated like a password. You can use OpenVMS fileprotections to protect the key file, or you can use ACLs to protect individual keyfiles within a common directory.Directory Structure ChangedHP SSL V1.1 for OpenVMS has a different directory structure than theHP SSL field test kit (T1.0). The new directory structure is more consistentwith the structure of the OpenSSL kit from openssl.org. See Section 1.5 for thenew directory structure.If you previously installed the T1.0 kit, be sure to copy any certificates, keys, andconfiguration files from the old directory structure to the new directory structure.SSL$EXAMPLES Logical NameIn SSL V1.1, a new logical, SSL$EXAMPLES, has been added to the SSL$STARTUP.TEMPLATEcommand procedure. This logical points to the directory SYS$COMMON:[SYSHLP.EXAMPLES.SSL].DES_CBC_CKSUM Return Value Changed to Match KerberosThe return value of the DES_CBC_CKSUM API has changed to match its intended compatibility with MITKerberos. The DES_CBC_CKSUM routine returns the upper longword of a quadword. The quadworditself was calculated correctly, and has not been changed.Prior to the change (in Compaq SSL V1.0-B and earlier), the API returned the value in the wrong order.For example:3FUVSOWBMVFGSPNEFT@DCD@DLTVNYBFEDCIn SSL V1.1, the return value is as follows:3FUVSOWBMVFGSPNEFT@DCD@DLTVNYCEDBFThis change has been accepted by the OpenSSL.org, and will be available in the 0.9.7A release ofOpenSSL.DES Image Included in SSL V1.1In the SSL V1.1, an additional image is being made available, called DES.EXE, which is located in theSSL$EXE directory. Create a foreign symbol to access this new image, as follows:%&444-&9&%&4&9&The new DES image provides some functionality that is not present in the DES subcommand in theOPENSSL command line utility, most notably the ability to enable uuencoding and uudecoding.Following is the help text for the DES command and the DES subcommand in the OPENSSL commandline utility, which illustrates the differences between the commands.

$ DES -?‘?’ unknown flagdes [input-file [output-file]]options:-v : des(1) version number-e : encrypt using SunOS compatible user key to DES key conversion.-E : encrypt-d : decrypt using SunOS compatible user key to DES key conversion.-D : decrypt-c[ckname] : generate a cbc_cksum using SunOS compatible user key toDES key conversion and output to ckname (stdout default,stderr if data being output on stdout). The checksum isgenerated before encryption and after decryption if usedin conjunction with -[eEdD].-C[ckname] : generate a cbc_cksum as for -c but compatible with -[ED].-k key : use key ‘key’-h : the key that is entered will be a hexadecimal numberthat is used directly as the des key-u[uuname] :input file is uudecoded if -[dD] or output uuencoded data if -[eE](uuname is the filename to put in the uuencode header).-b : encrypt using DES in ecb encryption mode, the default is cbc mode.-3 : encrypt using triple DES encryption. This uses 2 keysgenerated from the input key. If the input key is lessthan 8 characters long, this is equivalent to normalencryption. Default is triple cbc, -b makes it triple ecb.$ OPENSSL DES -?unknown option ‘-?’options are-in input file-out output file-pass pass phrase source-e encrypt-d decrypt-a/-base64 base64 encode/decode, depending on encryption flag-k key is the next argument-kfilekey is the first line of the file argument-K/-iv key/iv in hex is the next argument-[pP]print the iv/key (then exit if -P)-bufsize buffer size-engine e use engine e, possibly a hardware device.Cipher Typesdes :56 bit key DES encryptiondes_ede : 112 bit key ede DES encryptiondes_ede3: 168 bit key ede DES encryptionrc2 :128 bit key RC2 encryptionbf :128 bit key Blowfish encryption-rc4 : 128 bit key RC4 encryption-des-ecb -des-cbc -des-cfb -des-ofb -des (des-cbc)-des-ede -des-ede-cbc -des-ede-cfb -des-ede-ofb -desx -none-des-ede3 -des-ede3-cbc -des-ede3-cfb -des-ede3-ofb -des3 (des-ede3-cbc)ÁEnvironment Variables

OpenSSL environmental variables have two formats, as follows:$var${var}In order for these variables to be parsed properly and not be confused with logicalnames, HP SSL only accepts the ${var} format.BIND Error in TCP/IP ApplicationIf you are running a TCP/IP-based SSL client/server application, the serveroccasionally fails to start up, and displays the following error message:bind: address already in useTo avoid this error, use setsockopt( ) with SO_REUSEADDR as follows:ÁÁÁÁJOUPOSFUTFUTPDLPQU MJTUFO@TPDL40-@40$,&540@3&64&"%%3 WPJEPOTJ[FPG POIDEA and RC5 Symmetric Cipher Algorithms Not SupportedThe IDEA and RC5 symmetric cipher algorithms are not available in HP SSLfor OpenVMS. Both of these algorithms are under copyright protection, andHP does not have the right to use these algorithms.If you want to use either of these algorithms, HP recommends that youcontact RSA Security at the following URL for the licensing conditions of the RC5algorithm:http://www.rsasecurity.comIf you want to use the IDEA algorithm, contact Ascom for their licenserequirements at the following URL:http://www.ascom.chOnce you have obtained the proper licenses, download the source code from thefollowing URL:http://www.openssl.orgBuild the product using the command procedure named MAKEVMS.COM providedin the download.APIs RAND_egd, RAND_egd_bytes, and RAND_query_egd_bytesNot SupportedThe RAND_egd( ), RAND_egd_bytes( ), and RAND_query_egd_bytes( ) APIsare not currently available on OpenVMS.To obtain a secure random seed on OpenVMS, use the RAND_poll( ) API.HP C++ V5.5 CANTCOMPLETE Warnings

When you compile programs that contain OpenSSL APIs, HP C++ Version5.5 issues warnings about incomplete classes. This error occurs when you use astructure definition before it has been defined. You can resolve these warnings inone of two ways:x Upgrade to C++ Version 6.0.xSupply the necessary prototype before using the structure.The following is an example of this error:ÅÁh‰‰wt„…IQ89BW0É4EEd8GSQB8RÁ„pƒ‡hÁÁÁÁÁÁ„…ƒ†h…Á6QXISHdi yw€hvd‡fw†pÁif…f(ÁÁÁÁÁÁcÁÁÁÁÁÁÆ6WWV64GS6HFIE8S8ÁByÁ…st„Áiphwfƒf…t€yÁ…spÁtyh€x wp…pÁhwf„„ÁÁÁÁÁÁÆyyfxpiÁ„…ƒ†h…''6QXISHdi yw€hvd‡fw†pÃÁÁÁÁÁÁhfyy€…ÁgpÁh€x wp…piÁgphf†„pÁt…Át„ÁiphwfƒpiÁˆt…styÁfÁÁÁÁÁÁhwf„„Á€ƒÁfÁq†yh…t€yÁ ƒ€…€… pÁÁÁÁÁÁf…ÁwtypÁy†xgpƒÁ#ÁtyÁqtwpÁÁÁÁÁÁ6QXISHÅQ8R'`HRRE5TBE7d!&d4EIA4d BG6ET78HI8GRREb6QXISHA( ÁDocumentation from the OpenSSL WebsiteThe documentation on the OpenSSL website is currently under development. It islikely that the API and command- line documentation shipped with this kit willdiffer from the documentation on the OpenSSL website at some point. If such asituation arises, you should consider the API documentation on the OpenSSLwebsite to have precedence over the documentation included in this kit.Use Certificate Tool for Certificate and Key CreationHP recommends the use of the Certificate Tool(SSL$COM:SSL$CERT_TOOL.COM) when creating certificates and keys totest your SSL application. The Certificate Tool provides both ease of use andconsistency when creating your certificates and keys to test and demonstrate yourSSL client and server application.nsCertType No Longer Written in CertificatesIn the SSL T1.0 field test kit, the Certificate Tool incorrectly set the nsCertTypefield with both server and client values. The field should have been set withone value, either server or client, but not both. In Version 1.1, this field is notset in the Certificate Tool. Your application is still able to pass certificates aseither server or client certificates, but object signing cannot be completed witha null nsCertType field.If object signing is required in your application, see the following paragraphsabout setting values in the nsCertType field.HP recommends that you delete the nsCertType field from the existingSSL$CONF:SSL$CA.CNF file by editing the file and deleting the line thatbegins with the following:nsCertType =

If you have an application that requires the nsCertType field, edit the fileSSL$CONF:SSL$CA.CNF and enter the value that your applicationrequires. If your application needs a certificate with the client nsCertTypefield value, enter the following:nsCertType = clientValid values for the nsCertType field are server, client, email, objsign,sslCA, emailCA, and objCA.Extra Certificate Files -- *.PEMWhen you sign a certificate request using either the Certificate Tool orthe OpenSSL utility, you may notice that an extra certificate is produced witha name similar to SSL$CRT01.PEM or 01.PEM. This certificate isthe same as the certificate that you produced with the name you chose.These extra files are the result of the OpenSSL demonstration CertificateAuthority (CA) capability, and are used as a CA accounting function.These extra files are kept by the CA and can be used to generateCertificate Revocation Lists (CRLs) if the certificate becomes compromised.INDEX.TXT and SERIAL.TXT LocationIn the COMPAQ SSL T1.0 field test kit, INDEX.TXT and SERIAL.TXTwere located in SSL$ROOT:[DEMOCA.PRIVATE]. In the HP SSLV1.0 kit, these files are located in SSL$ROOT:[DEMOCA].The location of INDEX.TXT and SERIAL.TXT is controlled by theOPENSSL-VMS.CNF file, and consumed by the OpenSSL utility andthe Certificate Tool as part of the OpenSSL demonstration CertificateAuthority database.