This page describes how to set up the tools that are needed to generate handles and certificates on Windows machines.

Install tools

You will need to install the following:

  • Java

  • Handle.net software

  • OpenSSL software

Install Java

To download and install Java, follow the instructions described in the Java website, selecting the “Windows online” version.

After installation, open the Command Prompt in administrator mode:

  1. Press Win+S on your keyboard.

  2. Type cmd in the search field.

  3. Right-click Command Prompt and select Run as administrator

Then check that Java is working by typing the following command in Command Prompt:

java -version

If you receive the java version, then Java was correctly installed and you may proceed to the next step.

Install Handle.net software

Download the latest version of the Handle.net software from the Handle.Net Registry website.

Use 7-Zip to first unzip the .tar.gz file to a .tar file and then a second time to untar the file and extract the individual files. Note where the unzipped and untarred files are located.

Open the Command Prompt in administrator mode:

  1. Press Win+S on your keyboard.

  2. Type cmd in the search field.

  3. Right-click Command Prompt and select Run as administrator

Change your working directory to the unzipped and untarred Handle.net software folder and then run the hdl-admintool command by typing:

cd <path_to_untarred_handle_folder>\handle-9.2.0\bin
hdl-admintool

If the Handle.net software is properly installed, a Java screen will appear. Stop it again by closing the window.

Install OpenSSL software

Download the latest version of the OpenSSL software via this link.

Double-click on the downloaded .exe file to begin the installation process using the wizard. In the Select Additional Tasks step, choose the option to copy the OpenSSL DLLs to “The OpenSSL binaries (/bin) directory”.

The installed files will be put in the folder C:\Program Files\OpenSSL-Win64.

Now we must set the environment variables permanently.

Begin by launching the Power User Task Menu:

  1. Press Win+R on your keyboard.

  2. Type sysdm.cpl in the Run dialog box and hit Enter.

This will launch the System Properties dialogue. Go to the “Advanced” tab and click on “Environment variables”.

Set the Path variable by copying the settings as shown in the image:

Open the Command Prompt in administrator mode:

  1. Press Win+S on your keyboard.

  2. Type cmd in the search field.

  3. Right-click Command Prompt and select Run as administrator

Type the following into the command prompt:

openssl version

If you receive the OpenSSL version, then OpenSSL was correctly installed and you can proceed to the next step.

Generating the client certificate and private/public key pair

For authentication using client certificates, a special pair of keys and a certificate file are required. Follow these steps to create them for your users after receiving your prefix and index from SURF:

1. Create a private/public key pair

Go to the install directory and execute, replacing <index> and <prefix> with your provided index and prefix:

bash /.../handle-9.x.x/bin/hdl-keygen -alg rsa -keysize 4096 <prefix>_USER01_<index>_privkey.bin <prefix>_USER01_<index>_pubkey.bin

When it asks whether you want to encrypt the key, type ‘n’:

Would you like to encrypt your private key? (y/n) [y] n

2. Send the public key to SURF

Please send your public key file (e.g. 1000_USER01_310_pubkey.bin) to the SURF helpdesk or portal.

Address your message to the "SURF ePIC PID service team". Make sure to include your name, username, your public key and your assigned prefix on the handle system.

Wait until you have received confirmation that your public key file has been uploaded.

3. Transform the binary private key (.bin) to a .pem file

To transform your binary private key into a .pem file you can use the command line tool hdl-convert-key that is shipped together with the Handle.net system software.

Go to the install directory and execute:

bash /.../handle-9.x.x/bin/hdl-convert-key <prefix>_USER01_<index>_privkey.bin -o <prefix>_USER01_<index>_privkey.pem

4. Create the certificate file

Create the certificate using openssl. The subject (-subj) must follow the convention /CN=<index>:<prefix>\/USER01 (e.g. /CN=310:1000\/USER01) and the output filename (-out) must follow the convention <prefix>_<username>_<index>_certificate_and_publickey.pem (e.g. 1000_USER01_310_certificate_and_publickey.pem):

openssl req -pubkey -x509 -new -sha256 -subj "/CN=<index>:<prefix>\/USER01" -days 3652 -key <prefix>_USER01_<index>_privkey.pem -out <prefix>_USER01_<index>_certificate_and_publickey.pem

5. Remove the public key from the certificate file

Execute the following command to remove the public key from the certificate file, replacing the filenames per previous steps:

openssl x509 -inform PEM -in <prefix>_USER01_<index>_certificate_and_publickey.pem -out <prefix>_USER01_<index>_certificate_only.pem

Results

If the previous instructions have been strictly followed, the following files have been generated:

<prefix>_USER01_<index>_privkey.pem
<prefix>_USER01_<index>_pubkey.bin
<prefix>_USER01_<index>_certificate_and_publickey.pem
<prefix>_USER01_<index>_certificate_only.pem

Or based on an example:

1000_USER01_310_privkey.pem
1000_USER01_310_pubkey.bin
1000_USER01_310_certificate_and_publickey.pem
1000_USER01_310_certificate_only.pem
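As an added check (example code written for this page, not part of the Handle.net or OpenSSL tooling), the following Python script derives the expected file names and -subj value from a prefix and index and verifies the PEM structure of the generated files: the private key is unencrypted (step 1 answered ‘n’), certificate_and_publickey.pem holds a public key plus a certificate, and certificate_only.pem holds that same certificate alone. It uses only the standard library and runs on constructed stand-in PEM text; to check your real files, read them with open() and pass the contents to check_generated_files.

```python
import re

# One PEM block; the label on the BEGIN line must be repeated on the END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# Constructed stand-ins for the generated files (real bodies are base64 DER).
SAMPLE_PRIVKEY = "-----BEGIN PRIVATE KEY-----\nMIIJ...\n-----END PRIVATE KEY-----\n"
SAMPLE_CERT_AND_PUBKEY = ("-----BEGIN PUBLIC KEY-----\nMIIC...\n-----END PUBLIC KEY-----\n"
                          "-----BEGIN CERTIFICATE-----\nMIIE...\n-----END CERTIFICATE-----\n")
SAMPLE_CERT_ONLY = "-----BEGIN CERTIFICATE-----\nMIIE...\n-----END CERTIFICATE-----\n"


def expected_filenames(prefix, index, user="USER01"):
    """File names following the <prefix>_<username>_<index>_... convention."""
    stem = f"{prefix}_{user}_{index}"
    return {"privkey": f"{stem}_privkey.pem", "pubkey": f"{stem}_pubkey.bin",
            "cert_and_pubkey": f"{stem}_certificate_and_publickey.pem",
            "cert_only": f"{stem}_certificate_only.pem"}


def expected_subject(prefix, index, user="USER01"):
    """The -subj value; the backslash keeps '<prefix>/USER01' inside the single CN."""
    return f"/CN={index}:{prefix}\\/{user}"


def pem_blocks(text):
    """Return [(label, body), ...] for every PEM block in the text, in order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def check_generated_files(privkey_pem, cert_and_pubkey_pem, cert_only_pem):
    """Return a list of problems; an empty list means the files look as expected."""
    problems = []
    priv = pem_blocks(privkey_pem)
    if not any(label.endswith("PRIVATE KEY") for label, _ in priv):
        problems.append("privkey.pem: no PRIVATE KEY block (did hdl-convert-key run?)")
    # Covers both the "ENCRYPTED PRIVATE KEY" label and a legacy Proc-Type header.
    if "ENCRYPTED" in privkey_pem:
        problems.append("privkey.pem: key is encrypted, but step 1 answers 'n'")
    both = dict(pem_blocks(cert_and_pubkey_pem))
    if set(both) != {"PUBLIC KEY", "CERTIFICATE"}:
        problems.append("certificate_and_publickey.pem: expected one PUBLIC KEY and one CERTIFICATE block")
    only = pem_blocks(cert_only_pem)
    if [label for label, _ in only] != ["CERTIFICATE"]:
        problems.append("certificate_only.pem: must hold a single CERTIFICATE block and nothing else")
    elif both.get("CERTIFICATE") != only[0][1]:
        problems.append("certificate_only.pem: certificate differs from certificate_and_publickey.pem")
    return problems
```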
