DFcertReq

DFcertReq — Request an SSL certificate signing for DFedcservice.

Synopsis

DFcertReq

Description

DFcertReq is used to generate an SSL key and a signing request for use with DFedcservice. It must be run by root or datafax. DFserveradmin also provides this functionality in a point-and-click visual interface. Most administrators will find DFserveradmin to be the preferred interface for this task.

Note

There is no requirement to use DFcertReq and DF/Net Research, Inc. as the SSL certificate signing authority. There are many standard, commercial certificate signing authorities (known as CAs) that are internationally recognized. For a small annual fee paid to the CA, they will sign your certificate. Their signed certificate can be used in your DFdiscover installation. Some clients prefer this approach of using an independent CA.

DFexplore, DFsetup, DFadmin and DFsend communicate with DFedcservice using TLS (Transport Layer Security) [14] in the same way that Internet banking sites do. TLS provides an encrypted path through the internet that prevents eavesdropping on, and modification of, your data by third parties. The client applications check that they are communicating with the correct DFdiscover server by means of a certificate that encodes the DFdiscover server's name and ownership. This certificate is generated by choosing a very large random number (specifically, a 4096-bit RSA key), adding organizational ownership information to it and then requesting that DF/Net Research, Inc. certify this key as authentic. Subsequently, when a DFexplore, DFsetup, DFadmin or DFsend client connects to DFedcservice, it asks for this certificate and can then determine whether it is communicating in an encrypted manner with the correct server.

The process of generating a certificate starts with the execution of the DFcertReq script. This script generates a large random number and then prompts for organizational information, including the country, state, organization name and server name.

Important

It is extremely important that the organizational information is up-to-date and accurate. Client applications may view this information to confirm the server's identity and certificate status.

The organizational information is combined with the large random number to create a unique certificate signing request text file. An email containing a request to certify that this is an authentic DFdiscover server is then created. DF/Net Research, Inc. processes this request and emails back a small file containing the certificate, which is then installed in the DFdiscover system. At the end of these steps, communication between the DFexplore, DFsetup, DFadmin and DFsend client applications and DFedcservice is encrypted and secure.

DFcertReq will fail to email the signing request if the computer from which it is run is unable to send email via the internet. In this case, it is possible to manually generate the request by:

  1. Transfer the files /tmp/cert.csr.text and /tmp/cert.csr, generated by DFcertReq, to an email-enabled computer. Remember to perform the transfer in binary mode if using an application like ftp.

  2. Attach the two transferred files to a new email message and send it to .
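
The following is an added example, not DFcertReq itself nor any part of the DFdiscover product: it performs the same key and signing-request generation non-interactively with openssl, then applies the checks worth running on the request before it is emailed and on the returned certificate before it is installed. It assumes openssl is on the path; the Distinguished Name values are the sample data from Example 4.1, and the scratch directory and file names are assumptions.

```shell
#!/bin/sh
# Added example, not DFcertReq itself: generate a 4096-bit RSA key and CSR
# with openssl, then verify the request before it is emailed and the signed
# certificate before it is installed. Assumes openssl is installed; subject
# values are the constructed sample data from Example 4.1.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # assumption: scratch directory instead of /tmp
KEY="$WORK/cert.key"
CSR="$WORK/cert.csr"

# Distinguished Name fields in the order DFcertReq prompts for them.
SUBJ="/C=US/ST=California/L=San Diego/O=Pharmadrug Biotech Inc./OU=Research"
SUBJ="$SUBJ/CN=dfdiscover.pharmadrug.com/emailAddress=support@pharmadrug.com"

gen_csr() {
    # The private key never leaves the server; keep it readable by its owner only.
    openssl genrsa -out "$KEY" 4096 2>/dev/null
    chmod 600 "$KEY"
    openssl req -new -key "$KEY" -out "$CSR" -subj "$SUBJ" 2>/dev/null
}

# CN in the CSR: this is the server name the client applications will check.
csr_cn() {
    openssl req -in "$CSR" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Key size recorded in the CSR, to confirm the 4096-bit modulus was used.
csr_bits() {
    openssl req -in "$CSR" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# The CSR's self-signature must verify and its modulus must match our key.
csr_matches_key() {
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1 || return 1
    [ "$(openssl req -in "$CSR" -noout -modulus)" = \
      "$(openssl rsa -in "$KEY" -noout -modulus 2>/dev/null)" ]
}

# Before installing the certificate that comes back by email, confirm it was
# issued for this key: the certificate's modulus must equal the key's.
cert_matches_key() {
    cert="$1"
    [ "$(openssl x509 -in "$cert" -noout -modulus)" = \
      "$(openssl rsa -in "$KEY" -noout -modulus 2>/dev/null)" ]
}

gen_csr
echo "CSR ready: $CSR (CN=$(csr_cn), $(csr_bits)-bit RSA key)"
```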

Impact on Login Dialog Banner

At the time of executing DFcertReq, if there is no /opt/dfdiscover/lib/DFlogin.html file present, DFcertReq will also create the file, adding the organizational information collected from the user's responses. Subsequently, this information appears in the banner of each DFdiscover login dialog. To override this behaviour, before executing DFcertReq, create your own login banner message in /opt/dfdiscover/lib/DFlogin.html.

Options

None.

Exit Status

DFcertReq exits with one of the following statuses:

0

Always.

Examples

Example 4.1. Creating a DFedcservice SSL certificate and signing request

# DFcertReq
*****************************************************************
* When asked for 'DFdiscover Server Name (fully qualified domain name)'
* type the full name of the machine (e.g. dfdiscover.mycompany.com)
* as it is called from the Internet.
*****************************************************************
----------------- Generating Server Key ----------------
Generating RSA private key, 4096 bit long modulus (2 primes)
...............................................++++++
..................++++++
e is 65537 (0x10001)
----------------- Decrypting Server Key ----------------
writing RSA key
----------------- Generating Server Signing Request ----------------

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) []:California
Locality Name (eg, city) []:San Diego
Organization Name (eg, company) []:Pharmadrug Biotech Inc.
Organizational Unit Name (eg, section) [Research]:
DFdiscover Server Name (fully qualified domain name) [dfdiscover.your-company.com]:dfdiscover.pharmadrug.com
Email Address [support@your-company.com]:support@pharmadrug.com

Emailing certificate signing request to DF/Net Research, Inc...

Once the certificate has been signed it will be emailed back to you.

[14] Specifically, TLS v1.2 or v1.3 is used.