Skip to main content

Tutorial: Create a server certificate

This tutorial shows how to use the createservercert.py script to create a server key pair (server key and server certificate) from your own CA certificate. Server private key generation should only be done by an administrator of the server. This example assumes you have administrator privileges on the subject server.

Optional steps

  1. Navigate to the <faircomInstallationDirectory>/drivers/certificates folder.

  2. At the command prompt, run the python createservercert.py command.

    You are prompted for the certificate validity duration in months. This is based on the current date.

  3. Enter the desired number of months.

    You are prompted for the hostname. This can be found by running the hostname command on the server. Windows, Linux, and MacOS all have the same command.

    The hostname is used as both the Common Name and the filename for the certificate.

  4. Enter the hostname.

    You are prompted for a filename containing the IP addresses and DNS names that will be included in the certificate Subject Alternative Name (SAN) list. The file should have one address per line.

  5. If you prefer to be prompted for these addresses, do not type anything here but press the Enter key instead, and you will be prompted for individual addresses. When done entering addresses manually, press Enter on a blank line to indicate you are done.

    Note

    Clients connecting to a server will inspect the addresses in the server certificate Subject Alternative Name list.  If the address the client connected to is not in this list, the client will abort the connection. Because of this, be sure to include every address that clients will use when connecting to this server. For convenience, you may want to also include loopback addresses.

    You will be prompted for an optional 2-letter country code.

  6. Enter exactly two letters (numbers are invalid). This will be part of the certificate Subject.

    Pressing Enter on a blank line will omit this component.

    You are prompted to enter an optional state or province for your company. This will be part of the certificate Subject.

  7. Enter the state or province of your company.

    Pressing Enter on a blank line will omit this component.

    You are prompted to enter an optional city for your company. This will be part of the certificate Subject.

  8. Enter the city where your company is located.

    Pressing Enter on a blank line will omit this component.

    You are prompted to enter an optional department within your company to associate this certificate with. This will be part of the certificate Subject.

  9. Enter a department name.

    Pressing Enter on a blank line will omit this component.

    You are prompted to enter an optional email address to associate with this certificate. This will be part of the certificate Subject.

  10. Enter an email address.

    Pressing Enter on a blank line will omit this component.

    A summary is displayed of all command-line options and values that will be used when the command to perform this operation is run. You may want to make a copy of this information, so you can repeat this exact run in the future. Only the serial number will be different.

  11. Press Enter to create the server certificate.

    The CA key pair is loaded and you will be notified when the server key pair has been generated and saved.

    The output files listed at the bottom will always show the absolute path to the files, even if relative paths were used throughout the program.

  12. Press Enter to exit.