Creating SSL Certificates
Downloading the NSS Tools
Before creating the certificates, go to the Mozilla Network Security Services (NSS) FTP site and download the open source NSS utilities (e.g., nss-3.12.4.zip) used for creating SSL certificates.
To download the NSS tools
- In a web browser, go to the NSS FTP directory at: ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_4_RTM/msvc9/WINNT5.1_OPT.OBJ
- Select the zip file (e.g., nss-3.12.4.zip). The File Download dialog box appears.
- Select a path and directory to save the zip file (e.g., <root drive>:\nss 3.12.4) and click Save.
- Extract the files from the zip file and save them in the directory you created (e.g., <root drive>:\nss 3.12.4).
- Open a Windows cmd window.
- Enter the following to set the "path" environment variable to include both the "bin" and "lib" sub-directories under the NSS working folder: set path=c:\nss 3.12.4\bin;c:\nss 3.12.4\lib
Creating SSL Certificates for the FIXML Session
TT recommends contacting your Technical Account Manager (TAM) for assistance when creating SSL certificates.
To create SSL certificates for the FIXML Session
- Type and enter: cd <root drive>:\<path to NSS tools>\bin
- Create a directory for the certificate database by entering the following command: mkdir <certificate directory>
- Create the certificate database by entering: certutil -N -d <certificate directory>
certutil -N -d cert_db
You will be prompted to create a password for the database; record the password as it will be used later to generate the certificate.
- Generate a self-signed certificate by entering: certutil -S -d <certificate directory> -s "CN=<Account ID>" -n <certificate name> -x -t "P,," -v 12 -g 2048 -Z SHA512
certutil -S -d cert_db -s "CN=ABCFR_TTGXVFOBB" -n cert_eurex -x -t "P,," -v 12 -g 2048 -Z SHA512
Note: For a description of certutil options and arguments, refer to: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS.
The -v argument sets how many months the certificate is valid. For more details, refer to Certificate Expiration.
When prompted, enter the certificate database password.
After entering the password, continue typing random characters from the keyboard until the progress meter is full. Refer to the following figure.
- Verify that the certificate has been created in the database by entering: certutil -L -d <certificate directory> -n <certificate name>
certutil -L -d cert_db -n cert_eurex
Record the dates that the certificate is valid so that you can recreate it before it expires. The dates are listed in the "Validity:" section of the certificate displayed on the screen after entering the certutil -L command.
- To export the certificate to a public key file, type and enter: certutil -L -d <certificate directory> -n <certificate name> -a > <filename>.crt
certutil -L -d cert_db -n cert_eurex -a > cert_eurex_public.crt
- To export the certificate to a private key file, type and enter: pk12util -d <certificate directory> -n <certificate name> -o <private key filename> -W <certificate file password>
pk12util -d cert_db -n cert_eurex -o cert_privkey.p12 -W auth
NOTE: The private key filename is user-defined and does not require a filename extension, but will work correctly if one is added (e.g., cert_privkey.p12, certificate.key, etc.).
After entering the command, enter a certificate file password at the prompt. The certificate file password can be different from the certificate database password, and is used by the GMEX Gateway for decrypting the file locally on the gateway machine.
Record the certificate file password that you created; this password will be used to configure the FIXML session on the GMEX Gateway.
Saving the Certificates on the GMEX Gateway
The FIXML Listener connection also requires that the gateway authenticates the server certificates of the Eurex AMQP brokers before the SSL sessions can be established. Eurex’s public key files for the exchange brokers are installed automatically on your machine during a GMEX Gateway install or upgrade.
To ensure that the private key file and Eurex's public key are accessible to the gateway, both certificates should be stored in the same location on the GMEX Gateway (e.g., <root drive>:\ttconfig).
When configuring the FIXML session on the gateway, the location of the private certificate is set using the client_certificate_file parameter in hostinfo.cfg. The Eurex public certificates are installed in the config directory automatically during clean installs and upgrades.
The validity period of the certificates is set using the -v <valid months> argument that was used when creating the certificates. TT recommends 12 months (-v 12), but the maximum is 36 months. New client certificates need to be created when the old ones expire.
For the Eurex server certificates, Eurex releases new ones once the old ones expire.
To check the validity dates of your private certificate, enter the following:
- cd <root drive>:\<path to NSS tools>\bin
- pk12util -l <filename>.p12 -W <certificate file password>
The dates are listed in the "Validity:" section of the certificate displayed on the screen.
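The steps above ask you to record the "Validity:" dates and recreate the client certificate before it expires. The following script is an added example, not part of the TT documentation or the NSS tools: it parses the "Validity:" block that certutil -L (or pk12util -l) prints, computes the days remaining, and classifies the certificate as ok, expiring soon, expired, or not yet valid, so the check can be scheduled instead of done by eye. It assumes NSS's usual date format ("Not After : Wed Mar 05 10:12:33 2025"); the sample certutil output, the certificate directory cert_db and the nickname cert_eurex are constructed from the examples on this page, and the warn_days threshold is an assumption.

```python
"""Check how close an NSS client certificate is to expiry.

Added example (not TT's or NSS's code). It parses the "Validity:" block
printed by "certutil -L -d <certificate directory> -n <certificate name>"
and reports the remaining validity. Dates are assumed to be in NSS's
pretty-print format, e.g. "Not After : Wed Mar 05 10:12:33 2025".
"""
import re
import subprocess
from datetime import datetime, timedelta

# Constructed sample of certutil -L output (shape of real NSS output, values made up).
SAMPLE_CERTUTIL_OUTPUT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 123456 (0x1e240)
        Signature Algorithm: PKCS #1 SHA-512 With RSA Encryption
        Issuer: "CN=ABCFR_TTGXVFOBB"
        Validity:
            Not Before: Tue Mar 05 10:12:33 2024
            Not After : Wed Mar 05 10:12:33 2025
        Subject: "CN=ABCFR_TTGXVFOBB"
"""

# NSS prints local time as "Tue Mar 05 10:12:33 2024".
NSS_DATE_FORMAT = "%a %b %d %H:%M:%S %Y"
# "Not After :" has a space before the colon in NSS output, hence \s*:
_VALIDITY_RE = re.compile(r"Not (Before|After)\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_validity(certutil_text):
    """Return (not_before, not_after) datetimes found in certutil -L text."""
    found = {}
    for label, raw in _VALIDITY_RE.findall(certutil_text):
        found[label] = datetime.strptime(raw, NSS_DATE_FORMAT)
    if "Before" not in found or "After" not in found:
        raise ValueError("Validity block not found or incomplete in certutil output")
    return found["Before"], found["After"]


def days_until_expiry(certutil_text, now):
    """Whole days between 'now' and the certificate's Not After date (negative if expired)."""
    _, not_after = parse_validity(certutil_text)
    return (not_after - now).days


def expiry_status(certutil_text, now, warn_days=30):
    """Classify the certificate relative to 'now'.

    warn_days is an assumed threshold: flag the certificate early enough to
    generate and deploy a replacement (certutil -S ... -v 12) before it lapses.
    """
    not_before, not_after = parse_validity(certutil_text)
    if now < not_before:
        return "not_yet_valid"
    if now >= not_after:
        return "expired"
    if not_after - now <= timedelta(days=warn_days):
        return "expiring_soon"
    return "ok"


def read_certutil_output(cert_dir, nickname):
    """Run certutil -L against a real database (requires the NSS tools on PATH)."""
    result = subprocess.run(
        ["certutil", "-L", "-d", cert_dir, "-n", nickname],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    # Stand-alone run uses the constructed sample; swap in
    # read_certutil_output("cert_db", "cert_eurex") to check a real database.
    text = SAMPLE_CERTUTIL_OUTPUT
    now = datetime.now()
    print("days until expiry:", days_until_expiry(text, now))
    print("status:", expiry_status(text, now))
```

Because the gateway reads the private key from the exported .p12 file rather than from the database, the same check can be pointed at `pk12util -l <filename>.p12 -W <certificate file password>`, whose certificate dump uses the same "Validity:" block; keep the database certificate and the exported file in step so the dates you monitor are the ones actually deployed.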
The following is documentation for using the Certificate Database Tools:
- Eurex Clearing Interface -- Connectivity (Section 4.1): http://www.eurexclearing.com/blob/846486/50ac9d9aa9a1a4727fec5349bd82357e/data/eurex_clearing_messaging_connectivity_A_v140.pdf
- Mozilla Network Security Services Tools (NSS): http://www.mozilla.org/projects/security/pki/nss/index.html
- certutil: http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html#1035544
- pk12util: http://www.mozilla.org/projects/security/pki/nss/tools/pk12util.html