
Creating SSL Certificates

Downloading the NSS Tools

Before creating the certificates, go to the Mozilla Network Security Services (NSS) ftp site and download the open source NSS utilities (e.g., nss-3.12.4.zip) for creating SSL certificates.

To download the NSS tools

  1. In a web browser, go to the NSS FTP directory at: ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_4_RTM/msvc9/WINNT5.1_OPT.OBJ
  2. Select the zip file (e.g., nss-3.12.4.zip). The File Download dialog box appears.
  3. Select a path and directory to save the zip file (e.g., <root drive>:\nss 3.12.4) and click Save.
  4. Extract the files from the zip file into the directory you created (e.g., <root drive>:\nss 3.12.4).
  5. Open a Windows cmd window.
  6. Enter the following to add both the "bin" and "lib" sub-directories under the NSS working folder to the "path" environment variable for the current cmd session ("lib" holds the DLLs that certutil.exe and pk12util.exe need): set path=%path%;c:\nss 3.12.4\bin;c:\nss 3.12.4\lib

Creating SSL Certificates for the FIXML Session

Note

TT recommends contacting your Technical Account Manager (TAM) for assistance when creating SSL certificates.

To create SSL certificates for the FIXML Session

  1. Type and enter: cd <root drive>:\<path to NSS tools>\bin
  2. Create a directory for the certificate database by entering the following command: mkdir <certificate directory>

    Example

    mkdir cert_db

  3. Create the certificate database by entering: certutil -N -d <certificate directory>

    Example

    certutil -N -d cert_db

    The following figure shows the output response from this command:

    Note

    You will be prompted to create a password for the database. This password protects the private key stored in the database, so choose a strong one and record it; certutil and pk12util prompt for it again in the later steps.

  4. Generate a self-signed certificate by entering: certutil -S -d <certificate directory> -s "CN=<Account ID>" -n <certificate name> -x -t "P,," -v 12 -g 2048 -Z SHA512

    Example

    certutil -S -d cert_db -s "CN=ABCFR_TTGXVFOBB" -n cert_eurex -x -t "P,," -v 12 -g 2048 -Z SHA512

    Note: For a description of certutil options and arguments, refer to: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS .

    The -v argument sets how many months the certificate is valid. For more details, refer to Certificate Expiration.

    When prompted, enter the certificate database password.

    After entering the password, continue typing random characters from the keyboard until the progress meter is full. Refer to the following figure.

  5. Verify that the certificate has been created in the database by entering: certutil -L -d <certificate directory> -n <certificate name>

    Example

    certutil -L -d cert_db -n cert_eurex

    The following figure shows the command response:

    Tip

    Record the dates that the certificate is valid so that you can recreate it before it expires. The dates are listed in the “Validity:” section of the certificate displayed on the screen after entering the certutil -L command.

  6. To export the certificate to a public key file (a PEM-encoded copy of the certificate, which contains no private key material), type and enter: certutil -L -d <certificate directory> -n <certificate name> -a > <filename>.crt

    Example

    certutil -L -d cert_db -n cert_eurex -a > cert_eurex_public.crt

  7. To export the certificate together with its private key to a password-protected PKCS#12 file, type and enter: pk12util -d <certificate directory> -n <certificate name> -o <private key filename> -W <certificate file password>

    Example

    pk12util -d cert_db -n cert_eurex -o cert_privkey.p12 -W auth

    NOTE: The private key filename is user-defined. A filename extension is optional, but .p12 is the conventional extension for a PKCS#12 file (e.g., cert_privkey.p12).

    Command response: pk12util prompts for the certificate database password from step 3 (pass it with -K to avoid the prompt) and reports "pk12util: PKCS12 EXPORT SUCCESSFUL" once the file has been written.

    The -W argument sets the certificate file password that protects the exported file; if -W is omitted, pk12util prompts for it instead. The certificate file password can be different from the certificate database password, and is used by the GMEX Gateway to decrypt the file locally on the gateway machine. Choose a strong password rather than the short example above: the exported file contains the private key, and anyone holding both the file and its password can present your certificate to Eurex. Note also that a password given with -W is visible in the cmd window's command history and in process listings while pk12util runs.

    Tip

    Record the certificate file password that you created; this password will be used to configure the FIXML session on the GMEX Gateway.
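The following PowerShell script is an added example and is not TT's or Mozilla's own code; it runs steps 2 through 7 above non-interactively, using certutil's -f (password file) and -z (noise file) options and pk12util's -k/-w (password file) options in place of the prompts, so that the passwords never appear on the command line. The NSS path, the account ID ABCFR_TTGXVFOBB, the nickname cert_eurex and the output filenames are taken from the page's examples and are placeholders to adjust.

```powershell
# Added example, not TT's or Mozilla's script: automates steps 2-7 with no interactive prompts.
# Assumptions: NSS tools unpacked under C:\nss 3.12.4; account ID and nickname from the page's example.
$NssRoot     = 'C:\nss 3.12.4'
$env:Path    = "$NssRoot\bin;$NssRoot\lib;$env:Path"   # lib holds the DLLs certutil.exe and pk12util.exe need
$CertDb      = 'cert_db'
$AccountId   = 'ABCFR_TTGXVFOBB'                        # CN must be the account ID assigned for the FIXML session
$Nick        = 'cert_eurex'
$ValidMonths = 12                                       # TT recommends 12 months; 36 is the maximum
$P12File     = 'cert_privkey.p12'

function Invoke-Nss {
    # Run an NSS tool and fail loudly: certutil/pk12util signal errors only through the exit code.
    param([string]$Exe, [string[]]$ArgList)
    & $Exe @ArgList
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($ArgList -join ' ') failed (exit code $LASTEXITCODE)" }
}

function New-RandomSecret([int]$Bytes = 24) {
    # 24 random bytes, base64-encoded: a database/PKCS#12 password that is not guessable.
    $buf = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    [Convert]::ToBase64String($buf)
}

# Secrets are handed to the tools through temporary files (-f / -k / -w) rather than the command
# line, so they do not land in the console history or in process listings; the files are removed
# in the finally block even if a step fails.
$DbPwFile    = Join-Path $env:TEMP 'nss_db.pw'
$P12PwFile   = Join-Path $env:TEMP 'nss_p12.pw'
$NoiseFile   = Join-Path $env:TEMP 'nss_noise.bin'
$DbPassword  = New-RandomSecret
$P12Password = New-RandomSecret
try {
    [IO.File]::WriteAllText($DbPwFile,  $DbPassword)
    [IO.File]::WriteAllText($P12PwFile, $P12Password)
    $noise = New-Object byte[] 1024
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($noise)
    [IO.File]::WriteAllBytes($NoiseFile, $noise)        # -z noise file replaces the "type random characters" prompt

    New-Item -ItemType Directory -Path $CertDb -Force | Out-Null                         # step 2
    Invoke-Nss certutil @('-N', '-d', $CertDb, '-f', $DbPwFile)                           # step 3
    Invoke-Nss certutil @('-S', '-d', $CertDb, '-s', "CN=$AccountId", '-n', $Nick,        # step 4
                          '-x', '-t', 'P,,', '-v', "$ValidMonths", '-g', '2048', '-Z', 'SHA512',
                          '-f', $DbPwFile, '-z', $NoiseFile)
    Invoke-Nss certutil @('-L', '-d', $CertDb, '-n', $Nick)                               # step 5: prints the Validity dates

    # Step 6: write the PEM with Set-Content -Encoding Ascii. PowerShell's own ">" redirection
    # writes UTF-16 in Windows PowerShell, which PEM readers reject.
    $pem = certutil -L -d $CertDb -n $Nick -a
    if ($LASTEXITCODE -ne 0) { throw 'PEM export failed' }
    Set-Content -Path "${Nick}_public.crt" -Value $pem -Encoding Ascii

    Invoke-Nss pk12util @('-d', $CertDb, '-n', $Nick, '-o', $P12File,                     # step 7
                          '-k', $DbPwFile, '-w', $P12PwFile)
}
finally {
    Remove-Item $DbPwFile, $P12PwFile, $NoiseFile -Force -ErrorAction SilentlyContinue
}

# Record both values in your password manager: the PKCS#12 password is what the FIXML session
# configuration needs; the database password is needed to re-export or renew the certificate.
"Database password: $DbPassword"
"PKCS#12 password : $P12Password"
```

Run the script from the directory where the certificate database should be created. It stops at the first failing step, so a typo in the NSS path or a mistyped account ID is caught before the PKCS#12 file is written.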

Saving the Certificates on the GMEX Gateway

The FIXML Listener connection also requires that the gateway authenticate the server certificates of the Eurex AMQP brokers before the SSL sessions can be established. Eurex’s public certificate files for the exchange brokers are installed automatically on your machine during a GMEX Gateway install or upgrade.

To ensure that the private key file and Eurex’s public certificates are accessible to the gateway, store both in the same location on the GMEX Gateway (e.g., <root drive>:\tt\config). The private key file (the PKCS#12 file from step 7) is the only secret in that directory: restrict its file permissions to the account the gateway runs under.

When configuring the FIXML session on the gateway, the location of the private certificate is set using the client_certificate_file parameter in hostinfo.cfg. The Eurex public certificates are installed in the config directory automatically during clean installs and upgrades.

Certificate Expiration

The validity period of the certificates is set using the -v <valid months> argument that was used when creating the certificates. TT recommends 12 months (-v 12); the maximum is 36 months. New client certificates need to be created when the old ones expire, so create them ahead of the expiry date: the FIXML session cannot be established with an expired client certificate.

Eurex releases new server certificates when its existing ones expire.

To check the validity dates of your private certificate, enter the following:

  • cd <root drive>:\<path to NSS tools>\bin
  • pk12util -l <filename>.p12 -W <certificate file password>

    The dates are listed in the “Validity:” section of the certificate displayed on the screen.
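The expiry check above has to be repeated for the client certificate and for each Eurex broker certificate, and it is easy to forget. The following PowerShell script is an added example, not TT's code: it reads the validity dates of every certificate in the gateway's config directory with the .NET X509Certificate2 class instead of the NSS tools, computes the days remaining, and exits non-zero when any certificate is expired or inside a renewal window, so it can run as a scheduled task. The directory C:\tt\config, the filename cert_privkey.p12 and the 30-day window are assumptions.

```powershell
# Added example, not TT's script. Assumptions: certificates live in C:\tt\config,
# the client key file is cert_privkey.p12, and 30 days is the renewal window.
function Get-CertificateExpiry {
    param(
        [Parameter(Mandatory)][string]$Path,
        [securestring]$Password,   # PKCS#12 file password; omit for a PEM/DER .crt file
        [int]$WarnDays = 30        # flag certificates that expire within this many days
    )
    $type = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
    if ($Password) {
        # DefaultKeySet imports the private key into a temporary container that is removed
        # when the object is collected; PersistKeySet would leave a copy in the user's key store.
        $cert = New-Object $type -ArgumentList $Path, $Password, 'DefaultKeySet'
    } else {
        $cert = New-Object $type -ArgumentList $Path   # PEM (.crt) and DER files both load this way
    }
    $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    [pscustomobject]@{
        File      = Split-Path -Leaf $Path
        Subject   = $cert.Subject
        NotBefore = $cert.NotBefore
        NotAfter  = $cert.NotAfter
        DaysLeft  = $daysLeft
        Status    = if ($daysLeft -lt 0) { 'EXPIRED' }
                    elseif ($daysLeft -le $WarnDays) { 'RENEW NOW' }
                    else { 'OK' }
    }
}

$ConfigDir   = 'C:\tt\config'
$P12Password = Read-Host -AsSecureString 'PKCS#12 file password'   # the password from step 7

$report = @()
# The client certificate, read from the same PKCS#12 file the gateway uses.
$report += Get-CertificateExpiry -Path (Join-Path $ConfigDir 'cert_privkey.p12') -Password $P12Password
# The Eurex broker certificates installed by the gateway: PEM files, no password needed.
$report += Get-ChildItem -Path $ConfigDir -Filter *.crt | ForEach-Object {
    Get-CertificateExpiry -Path $_.FullName
}
$report | Format-Table File, Subject, NotAfter, DaysLeft, Status -AutoSize

# Non-zero exit so a scheduled task or monitoring job can raise an alert on it.
if ($report | Where-Object Status -ne 'OK') { exit 1 }
```

The private key is loaded only to read the certificate's dates; nothing is written back, and the SecureString keeps the PKCS#12 password out of the console history.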

References

The following is documentation for using the Certificate Database Tools: