H9.1. Digital Keys and Certificates Generation Utility
The following console versions of the digital keys and certificates generation utility are provided:
The start instruction format
•drwsign check [-public-key=<public_key>] <file> Check the signature of the specified file using the public key of the person who signed the file.
•drwsign extract [-private-key=<private_key>] [-cert=<Server_certificate>] <public_key> Extract the public key from the private key file or from the certificate and write the public key to the specified file. The -private-key and -cert switches are mutually exclusive, i.e. only one switch can be set; if both switches are set at the same time, the command will fail to execute. The parameter of a switch is mandatory. If none of the switches is set, -private-key=drwcsd.pri is used to extract the public key of the drwcsd.pri private key.
•drwsign genkey [<private_key> [<public_key>]] Generate a public-private key pair and write the keys to the corresponding files.
•drwsign gencert [-private-key=<private_key>] [-subj=<subject_fields>] [-days=<validity_period>] [<self_signed_certificate>] Generate a self-signed certificate using the Server private key and write it to the corresponding file.
•drwsign gencsr [-private-key=<private_key>] [-subj=<subject_fields>] [<certificate_sign_request>] Generate a certificate signing request based on the private key and write the request to the corresponding file. Can be used to sign the certificate of another server, e.g. to sign the Proxy server certificate by the Dr.Web Server key. To sign such a request, use the signcsr command.
•drwsign genselfsign [-show] [-subj=<subject_fields>] [-days=<validity_period>] [<private_key> [<self_signed_certificate>]] Generate a self-signed RSA certificate and an RSA private key for a web server and write them to the corresponding files. The -show switch prints the certificate content in a readable form.
•drwsign hash-check [-public-key=<public_key>] <hash_file> <sign_file> Check the signature of the specified 256-bit number in the client-server protocol format. The <hash_file> is the file with the 256-bit number to sign. The <sign_file> is the signature result (two 256-bit numbers).
•drwsign hash-sign [-private-key=<private_key>] <hash_file> <sign_file> Sign the specified 256-bit number in the client-server protocol format. The <hash_file> is the file with the 256-bit number to sign. The <sign_file> is the signature result (two 256-bit numbers).
•drwsign help [<command>] Brief help on the program or on the specific command in the command line format.
•drwsign sign [-private-key=<private_key>] <file> Sign the <file> using the private key.
•drwsign signcert [-ca-key=<private_key>] [-ca-cert=<Server_certificate>] [-cert=<certificate_to_sign>] [-days=<validity_period>] [<signed_certificate>] Sign the existing <certificate_to_sign> with the private key and the certificate of the Server. The signed certificate is saved to a separate file. Can be used to sign the Proxy server certificate by the Dr.Web Server key.
•drwsign signcsr [-ca-key=<private_key>] [-ca-cert=<Server_certificate>] [-csr=<certificate_sign_request>] [-days=<validity_period>] [<signed_certificate>] Sign the <certificate_sign_request> generated by the gencsr command, using the private key and the certificate of the Server. The signed certificate is saved to a separate file. Can be used to sign the certificate of another server, e.g. to sign the Proxy server certificate by the Dr.Web Server key.
•drwsign tlsticketkey [<TLS_ticket>] Generate a TLS ticket. Can be used in a cluster of Servers for shared TLS sessions.
•drwsign verify [-ss-cert] [-CAfile=<Server_certificate>] [<certificate_to_check>] Validate the certificate against the trusted certificate of the Server. The -ss-cert switch instructs the utility to ignore the trusted certificate and validate only a self-signed certificate.
•drwsign x509dump [<certificate_to_print>] Print the dump of any x509 certificate.
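The gencsr, signcsr and verify commands above, chained into one Proxy server certificate issuance, as an added example that is not part of the original documentation. The function name, the proxy.* file names, the DRWSIGN variable, the numeric -days value and the non-zero exit status on failure are assumptions.

```shell
#!/bin/sh
# Added example: issue a Proxy server certificate signed by the Server key,
# using only the drwsign commands and switches listed above.
# Assumptions: drwsign exits non-zero on failure; -days takes a number of days;
# the proxy.* file names are constructed placeholders.
DRWSIGN="${DRWSIGN:-drwsign}"   # path to the utility (assumed to be on PATH)

issue_proxy_cert() {
    # $1 = Server private key, $2 = Server certificate,
    # $3 = output directory, $4 = validity period in days
    ca_key=$1 ca_cert=$2 out=$3 days=$4

    # Refuse to start without readable signing material.
    [ -r "$ca_key" ] && [ -r "$ca_cert" ] || {
        echo "Server key or certificate is not readable" >&2
        return 2
    }
    mkdir -p "$out" || return 2

    # 1. Key pair for the Proxy server; umask keeps the private key owner-only.
    ( umask 077; "$DRWSIGN" genkey "$out/proxy.pri" "$out/proxy.pub" ) || return 1

    # 2. Signing request built from the Proxy private key.
    "$DRWSIGN" gencsr -private-key="$out/proxy.pri" "$out/proxy.csr" || return 1

    # 3. Sign the request with the Server key and certificate.
    "$DRWSIGN" signcsr -ca-key="$ca_key" -ca-cert="$ca_cert" \
        -csr="$out/proxy.csr" -days="$days" "$out/proxy.crt" || return 1

    # 4. Validate against the Server certificate before the file is deployed;
    #    a certificate that does not validate is removed.
    "$DRWSIGN" verify -CAfile="$ca_cert" "$out/proxy.crt" || {
        rm -f "$out/proxy.crt"
        return 1
    }

    # 5. Print the issued certificate for review.
    "$DRWSIGN" x509dump "$out/proxy.crt"
}

# Usage (constructed paths): issue_proxy_cert drwcsd.pri server.crt ./proxy 365
```

Only the request file needs to reach the machine that holds the Server private key; the Proxy private key stays where it was generated.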