How to Create a PKCS12 File Including an SSL Certificate and Key with OpenSSL
When you need to enable a secured connection for your web application or device, you need a PKCS12 file so that the data can be encrypted and the server authenticated.
In particular, SAP Business One requires a PKCS12 certificate for services such as SLD, Browser Access and the Service Layer. Follow the steps below to generate a .p12 file for an SAP Business One installation.
Before diving in, let's clear up a few key concepts.
What protocols are used to facilitate secured communication?
There are two main protocols, SSL (Secure Sockets Layer) and TLS (Transport Layer Security), that secure the connection; they provide data encryption, integrity and authentication.
How do you know that data has not been read or changed by someone else?
To address this, SSL/TLS uses data encryption and digital signatures to identify the sender and make sure the data has not been altered: encrypted data cannot be read in transit, and any modification is detected.
Asymmetric encryption and symmetric encryption
The most widely used method is asymmetric encryption, which uses two keys: a public key for encrypting and a private key for decrypting.
Symmetric encryption uses a single key to both encrypt and decrypt the data. Asymmetric encryption is considered more secure than symmetric encryption.
Keys are simply numbers (128 bits is a common length) that are combined with the message using a particular method known as an algorithm, e.g. RSA, to either encrypt or sign the message.
Keys and SSL/TLS certificates
SSL and TLS use public and private keys to encrypt the data. Because the public key is publicly available, it is important to know its owner's identity and to trust that a particular public key belongs to the person or entity it claims to. Hence a digital certificate is used to carry those credentials, verified by a trusted authority. (The digital certificate is like an ID card, and the trusted authority is like the government department that issues it.)
In practice, the digital certificate binds a public key to an entity such as a business or domain name, and it is verified (signed) by a trusted authority known as a trusted root certificate authority.
The digital certificate is therefore a convenient way of distributing trusted public encryption keys.
How do you get the digital certificate?
Just as you request an ID card from a government authority, you must request the certificate from a trusted root Certificate Authority, which issues the signed certificate according to your request.
1st, you create your public key file, add your details in the request form and submit it to the Certificate Authority. (Request)
2nd, the Certificate Authority checks the details and signs the certificate that encloses your key.
When someone wants your public key, you send them the certificate; they verify the signature on the certificate and, if it verifies, they can trust your key.
How does it happen for PKCS12?
PKCS#12 is a container format that packages the private key (here an RSA key) together with its certificate for secured communication over SSL/TLS.
Once you have the PKCS#12 file, you can install the CA certificate in the relevant certificate stores as a trusted root certificate.
To do this, OpenSSL must be installed on the machine. You can download the installer from http://slproweb.com/products/Win32OpenSSL.html.
By default the binaries are installed under C:/Program Files/OpenSSL-Win64.
Now, you can start to create the certificate file.
1-You need to set two environment variables in the command prompt.
C:\>set RANDFILE=c:\demo\.rnd
C:\>set OPENSSL_CONF=C:\Program Files\OpenSSL-Win64\bin\openssl.cfg
2-Now you can start OpenSSL
C:\Program Files\OpenSSL-Win64\bin>cd
C:\Program Files\OpenSSL-Win64\bin
C:\Program Files\OpenSSL-Win64\bin\openssl.exe
OpenSSL>
3-Run the command below to generate a 2048-bit key file named ca.key.
The key file will be used to generate the CSR. During the process it will ask you to enter a pass phrase that protects the key file; you must supply the same pass phrase again when generating the CSR.
OpenSSL> genrsa -des3 -out ca.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.............................................................................................................................................+++++
..................+++++
e is 65537 (0x010001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:
4-Now you can generate a CSR file using the key file generated in the previous step.
Note: the -sha256 argument generates the CSR with the SHA-2 algorithm, which is generally preferred. If -sha256 is not supplied, the CSR may be generated with SHA-1, which is outdated and not recommended.
This process will ask you for the pass phrase you entered for the key file, and you must also fill in the following information.
OpenSSL> req -new -key ca.key -out ca.csr -sha256
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:SL
State or Province Name (full name) [Some-State]:Western
Locality Name (eg, city) []:Colombo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ABC Holdings Pvt Ltd
Organizational Unit Name (eg, section) []:Division
Common Name (e.g. server FQDN or YOUR name) []:VMS07
Email Address []:sap@abcholdings.lk
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcdef
An optional company name []:VMS07
5-Next, you can generate a self-signed certificate based on the request.
OpenSSL> x509 -req -days 3650 -in ca.csr -signkey ca.key -out sld.crt
Signature ok
subject=C = SL, ST = Western, L = Colombo, O = ABC Holdings Pvt Ltd, OU = Division, CN = VMS07, emailAddress = sap@abcholdings.lk
Getting Private key
Enter pass phrase for ca.key:
6-Finally, you can generate the PKCS#12 file by enclosing the key and certificate.
OpenSSL> pkcs12 -export -out sld.p12 -inkey ca.key -in sld.crt -chain -CAfile sld.crt
Enter pass phrase for ca.key:
Enter Export Password:
Verifying - Enter Export Password:
OpenSSL>
The generated certificate, key and .p12 files can be found in the folder C:/Program Files/OpenSSL-Win64/bin.
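As an added example (not part of the original post), the same steps 3 to 6 can be run non-interactively in a POSIX shell, with the prompts answered through -subj, -passin and -passout, followed by a check that the key inside the .p12 really belongs to the certificate. File names and the subject fields are the ones used above; the two passwords are constructed placeholders, and AES-256 is used for the key file instead of the legacy -des3.

```shell
#!/bin/sh
# Added example: non-interactive version of the post's steps 3-6 plus a key/cert match check.
set -eu

KEY_PASS="demo-key-pass"        # constructed placeholder; replace in real use
EXPORT_PASS="demo-export-pass"  # constructed placeholder; replace in real use
SUBJ="/C=SL/ST=Western/L=Colombo/O=ABC Holdings Pvt Ltd/OU=Division/CN=VMS07/emailAddress=sap@abcholdings.lk"

# make_p12 DIR: writes ca.key, ca.csr, sld.crt and sld.p12 into DIR.
make_p12() {
  dir="$1"
  mkdir -p "$dir"
  # 3. 2048-bit RSA key, encrypted with the key pass phrase (AES-256 instead of -des3)
  openssl genrsa -aes256 -passout "pass:$KEY_PASS" -out "$dir/ca.key" 2048 2>/dev/null
  # 4. CSR signed with SHA-256; the DN replaces the interactive prompts
  openssl req -new -sha256 -key "$dir/ca.key" -passin "pass:$KEY_PASS" \
    -subj "$SUBJ" -out "$dir/ca.csr"
  # 5. self-signed certificate valid for 10 years
  openssl x509 -req -days 3650 -sha256 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
    -passin "pass:$KEY_PASS" -out "$dir/sld.crt" 2>/dev/null
  # 6. bundle key + certificate into PKCS#12, protected by the export password
  openssl pkcs12 -export -out "$dir/sld.p12" -inkey "$dir/ca.key" -passin "pass:$KEY_PASS" \
    -in "$dir/sld.crt" -chain -CAfile "$dir/sld.crt" -passout "pass:$EXPORT_PASS"
}

# verify_p12 FILE: extracts the certificate and the private key from the .p12 and
# compares their public keys. Prints "ok" (exit 0) on a match, "mismatch" (exit 1) otherwise.
verify_p12() {
  p12="$1"
  cert_pub=$(openssl pkcs12 -in "$p12" -passin "pass:$EXPORT_PASS" -nokeys -clcerts 2>/dev/null \
             | openssl x509 -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkcs12 -in "$p12" -passin "pass:$EXPORT_PASS" -nocerts -nodes 2>/dev/null \
            | openssl pkey -pubout | openssl sha256)
  if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
    echo ok
    return 0
  fi
  echo mismatch
  return 1
}
```

The verify_p12 check is the one worth keeping: a .p12 whose certificate and key do not match is accepted by the export command but rejected by the service at start-up.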