Key and certificate generation
To generate a certificate and private key for your server:

1. Set P4SSLDIR to a valid directory in a secure location. The directory specified by P4SSLDIR must be secure: owned by the same user ID as the one generating the key pair, and not readable by any other user.
2. Optionally, create a file named config.txt in your P4SSLDIR directory before running p4d -Gc, and format the file as follows:

# C: Country Name - 2 letter code (default: US)
C =
# ST: State or Province Name - full name (default: CA)
ST =
# L: Locality or City Name (default: Alameda)
L =
# O: Organization or Company Name (default: Helix Autogen Cert)
O =
# OU: Organization Unit - division or unit
OU =
# CN: Common Name (usually the DNS name of the server)
# (default: the current server's DNS name)
CN =
# EX: number of days from today for certificate expiration
# (default: 730, that is, 2 years)
EX =
# UNITS: unit multiplier for expiration (defaults to "days")
# Valid values: "secs", "mins", "hours"
UNITS =
3. Generate the certificate and key pair with the following command:

p4d -Gc

If P4SSLDIR (and config.txt) has been correctly configured, and if no existing private key or certificate is found, two files (the private key file and certificate.txt) are created in P4SSLDIR.

If a config.txt file is not present, the following default values are assumed, and a certificate is created that expires in 730 days (two years, excluding leap years):

C=US
ST=CA
L=Alameda
O=Helix Autogen Cert
OU=
CN=the-DNS-name-of-your-server
EX=730
UNITS=days
4. Generate a fingerprint for your server's key and certificate pair:

p4d -Gf

This command displays the fingerprint of the server's public key, and then exits.
Record your server’s fingerprint for your own records and communicate it to your users via an out-of-band communications channel.
If a Helix server application reports a different fingerprint (and you have not recently installed a new certificate and key pair), your users should consider such changes as evidence of a potential man-in-the-middle threat.
Although Helix server can use self-signed certificates, you may also use third-party tools such as OpenSSL or PuTTY to generate the key pairs, or supply your own key pair. The p4d -Gf command accepts

If you are supplying your own key, your private key file and certificate.txt in P4SSLDIR must be PEM-encoded, with the private key file stripped of passphrase
Whether you supply your own key and certificate pair or generate one with p4d -Gc, it is imperative that these files are stored in a secure location that is readable only by the
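The following script is an added example, not part of the Helix documentation or of p4d itself. It wraps the four-step procedure above (checking that P4SSLDIR is private before anything is generated, writing config.txt with the documented keys, then running p4d -Gc and p4d -Gf) and also covers the "supply your own key pair" case by generating an unencrypted PEM pair with OpenSSL and verifying that a candidate key carries no passphrase protection. It assumes a POSIX shell with ls, id, awk, cut, grep and chmod, and (only for the generation helpers) openssl and p4d on PATH. The function names, the own-key.pem and own-cert.pem file names, and the server name passed as CN are this example's own choices; only P4SSLDIR, config.txt and the p4d -Gc / p4d -Gf commands come from the page.

```shell
#!/bin/sh
# Added example: pre-flight checks and helpers around "p4d -Gc" / "p4d -Gf".
# Not from the Helix documentation; function and file names are assumptions.

# check_p4ssldir DIR: succeed only if DIR exists, is owned by the current
# user, and grants no permission bits to group or others (i.e. chmod 700),
# which is what the page requires of P4SSLDIR.
check_p4ssldir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    line=$(ls -ld "$dir")
    mode=$(printf '%s\n' "$line" | cut -c1-10)    # e.g. drwx------
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    me=$(id -un)
    if [ "$owner" != "$me" ]; then
        echo "$dir is owned by $owner, not by $me" >&2
        return 1
    fi
    case $mode in
        d???------) return 0 ;;
        *) echo "$dir has mode $mode; expected drwx------ (chmod 700)" >&2
           return 1 ;;
    esac
}

# write_config DIR CN [DAYS]: write DIR/config.txt using the keys the page
# documents. The subshell umask keeps the file itself private.
write_config() {
    dir=$1; cn=$2; days=${3:-730}
    (
        umask 077
        cat > "$dir/config.txt" <<EOF
C = US
ST = CA
L = Alameda
O = Helix Autogen Cert
OU =
CN = $cn
EX = $days
UNITS = days
EOF
    )
}

# check_pem_pair KEYFILE CERTFILE: verify both files are PEM-encoded and that
# the private key is not passphrase-protected (the page requires the key to
# be stripped of its passphrase). Encrypted PEM keys announce themselves in
# their header lines, which is all this check looks at.
check_pem_pair() {
    key=$1; cert=$2
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" \
        || { echo "$key: not a PEM private key" >&2; return 1; }
    if grep -q -E -e '^Proc-Type: 4,ENCRYPTED' \
                  -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$key"; then
        echo "$key: private key is passphrase-protected; strip it first" >&2
        return 1
    fi
    grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" \
        || { echo "$cert: not a PEM certificate" >&2; return 1; }
}

# make_own_pair DIR CN: the "supply your own key pair" route. OpenSSL writes
# an unencrypted RSA key (-nodes) and a self-signed certificate valid for
# 730 days, matching the p4d default; the output names are this example's.
make_own_pair() {
    dir=$1; cn=$2
    (
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes -days 730 \
            -subj "/C=US/ST=CA/L=Alameda/O=Helix Autogen Cert/CN=$cn" \
            -keyout "$dir/own-key.pem" -out "$dir/own-cert.pem"
    ) && check_pem_pair "$dir/own-key.pem" "$dir/own-cert.pem"
}

# Usage: sh p4ssl-setup.sh /path/to/p4ssldir server.example.test
# Runs the documented generation steps only when invoked with both arguments
# and p4d is available; the directory check gates everything else.
if [ $# -eq 2 ] && command -v p4d >/dev/null 2>&1; then
    check_p4ssldir "$1" && write_config "$1" "$2" \
        && P4SSLDIR=$1 p4d -Gc && P4SSLDIR=$1 p4d -Gf
fi
```

The directory check deliberately rejects any group or other permission bit rather than only "readable", since a directory that others can traverse or write to is no safer a home for the private key; run it again after copying in a key pair you generated elsewhere, because a permissive umask on the copying shell can leave the new files world-readable even when the directory was correct.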