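$! title   : MYSQL055_ROOT:[certs]CREATE_CERTS_ALT.COM
$! author  : Neil Rieck
$! created : 2018-05-07 (derived from "MYSQL055_ROOT:[certs]" from Mark Berryman)
$! purpose : interactively build a private certificate authority (ca-key.pem + ca-cert.pem),
$!           then a server key and signing request (server-key.pem + server-req.pem), then sign
$!           the request with the CA to produce server-cert.pem. All openssl prompts are answered
$!           at the terminal.
$! notes   :
$! 1) Certificate authority (CA) routines should never be run more than once
$! 2) If you run CA routines now then the resulting ca-cert.pem will need to be redistributed to end clients
$! 3) The newest rules for OpenSSL-1.0 and up require a different CN between CA-certs and server-certs
$! 4) OpenVMS usually creates text files with "Record attributes: Carriage return carriage control"
$!    but internet software (which is usually written in "C") prefers text files in Stream_LF
$! 5) On OpenVMS, the PIPE command is only used to properly process the ">" character in the OpenSSL command line
$! 6) On newer OpenVMS systems you may find two OpenSSL environments
$! 7) Both private keys are written unencrypted (genrsa with no cipher switch, req -nodes), so this
$!    script tightens their file protection to SYSTEM + OWNER as soon as each one exists
$! 8) GOTO targets used below: skip_ca, skip_cleanup, fini, OOPS
$!
$ say     :== write sys$output                          ! VMS only
$ ask     :== inquire/nopunct                           ! VMS only
$ say "-i-script: ",f$environment("PROCEDURE")          ! VMS only
$ myterm  = f$trnlnm("SYS$COMMAND")                     ! VMS only (openssl prompts are redirected here)
$ set proc/parse_style=extended                         ! VMS only (intended to hand switches to openssl as typed)
$ fdl     = "File; Organization Sequential; Record; Format Stream_LF" ! VMS only (see note 4)
$ on error then goto OOPS                                ! VMS only
$!
$! 'extra' is substituted into the server "req" command below. Give it an explicit empty
$! value when the caller has not defined it, so the substitution is deliberate rather than
$! an accidental null from an undefined symbol. (eg. a caller may set extra = "-subj ...")
$ if f$type(extra) .eqs. "" then extra = ""
$!
$! pick whichever OpenSSL image is installed (see note 6)
$ if f$search("ssl1$exe:openssl.exe") .nes. ""          ! VMS only
$ then                                                   ! VMS only
$   openssl := $ssl1$exe:openssl                         ! VMS only
$ else                                                   ! VMS only
$   openssl := $ssl$exe:openssl                          ! VMS only
$ endif                                                  ! VMS only
$ openssl version                                        ! show which image was selected
$!
$ say "----------------------------------------------------------------"
$ say "CAVEATS:"
$ say "1) certificate authority (CA) routine must only be run once"
$ say "2) if you run CA routines now then ca-cert.pem will need to be"
$ say "   redistributed to remote clients"
$ say "3) Newest rules for OpenSSL-1.0 and up require a different CN"
$ say "   for ca-cert.pem and server-cert.pem so type carefully"
$ say "----------------------------------------------------------------"
$ say "recommendation: you should now type: Y"
$ ask choice "skip CA routines? (N/Y, default=Y) "
$ choice = f$edit(choice,"UPCASE")
$ if (choice.nes."N") then goto skip_ca
$!
$! CA (certificate authority) routines
$!
$ say "================================================"
$ say "-i-executing CA (certificate authority) routines"
$ say "================================================"
$! create a "certificate authority key" (2048-bit RSA, no passphrase)
$ define/user sys$input 'myterm'                        ! vms only
$ pipe openssl genrsa 2048 > ca-key.pem
$ convert/fdl="''fdl'" ca-key.pem [];                    ! vms only (rewrite as Stream_LF, creates a new version)
$! the CA private key can sign anything clients will trust: restrict every version of it
$ set file/protection=(s:rwed,o:rwed,g,w) ca-key.pem;*   ! vms only
$! create a self-signed "certificate authority cert" (-days 3600 is roughly ten years)
$ define/user sys$input 'myterm'                        ! vms only
$ pipe openssl req -new -x509 -nodes -days 3600 -key ca-key.pem > ca-cert.pem
$ convert/fdl="''fdl'" ca-cert.pem [];                   ! vms only
$ skip_ca:
$!
$! standard certificate routines
$!
$ say "============================"
$ say "-i-executing server routines"
$ say "============================"
$! create "server key" and "server cert request" (CN must differ from the CA's CN, see note 3)
$ define/user sys$input 'myterm'                        ! vms only
$ pipe openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem 'extra' > server-req.pem
$ convert/fdl="''fdl'" server-req.pem [];
$! the server key is also unencrypted (-nodes): restrict it like the CA key
$ set file/protection=(s:rwed,o:rwed,g,w) server-key.pem;*   ! vms only
$! use "certificate authority cert" to sign the "server cert request"
$! NOTE: -set_serial 01 stamps every certificate this CA signs with the same serial number.
$!       Clients and revocation lists identify a certificate by issuer + serial, so if more
$!       than one server cert is ever issued from this CA each one needs a distinct serial.
$!       -"CA" and -"CAkey" are quoted so DCL does not fold their case
$ pipe openssl x509 -req -in server-req.pem -days 3600 -"CA" ca-cert.pem -"CAkey" ca-key.pem -set_serial 01 > server-cert.pem
$ convert/fdl="''fdl'" server-cert.pem [];
$!
$! adios
$!
$ say "================================================"
$ say "-i-all done"
$ say "================================================"
$ ask choice "cleanup this directory? (N/Y, default=N) "
$ choice = f$edit(choice,"UPCASE")
$ if (choice.nes."Y") then goto skip_cleanup
$ Purge/NoLog/noconf *.pem                               ! remove older versions
$ Rename/NoLog/noconf *.pem ;1                           ! rename current versions to "1"
$ say "-i-caveat: you would be wise to rename files like so:"
$ say "   $rename server-key.pem  server-key_hostname.pem"
$ say "   $rename server-req.pem  server-req_hostname.pem"
$ say "   $rename server-cert.pem server-cert_hostname.pem"
$ say "...where hostname is derived from FQDN entered into the Common Name field"
$ skip_cleanup:
$ goto fini
$!
$! error exit (reached via "on error then goto OOPS")
$!
$ OOPS:
$ write sys$output "hit OOPS (not good)"
$!
$! common exit: restore the default parse style before returning to the caller
$!
$ fini:
$ set proc/parse_style=traditional                       ! VMS only
$ say "-i-exiting script"
$ exit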
