H9.1. Digital Keys and Certificates Generation Utility

The following console versions of the digital keys and certificates generation utility are provided:

Executable file: drweb-sign-<OS>-<bitness>
  Location: Control Center, the Administration → Utilities section; also the webmin/utilities Server directory
  Description: Standalone version of the utility. Can be launched from any directory or on any computer running the corresponding operating system.

Executable file: drwsign
  Location: the bin Server directory
  Description: This version depends on the Server libraries and can be launched only from the directory where it resides.

Note: The drweb-sign-<OS>-<bitness> and drwsign versions of the utility are functionally identical. The drwsign version is used below, but all examples apply to both.

Command syntax

drwsign check [-public-key=<public_key>] <file>

Check the signature of the specified file using the public key of the party that signed it.

Switch parameter   Default value
<public_key>       drwcsd.pub

drwsign extract [-private-key=<private_key>] [-cert=<Server_certificate>] <public_key>

Extract the public key from the private key file or from the certificate and write it to the specified file.

The -private-key and -cert switches are mutually exclusive: only one of them may be set; if both are set at the same time, the command fails.

A switch must be given together with its parameter (a bare -private-key or -cert is not accepted).

If neither switch is set, -private-key=drwcsd.pri is assumed, i.e. the public key is extracted from the drwcsd.pri private key.

Switch parameter   Default value
<private_key>      drwcsd.pri

drwsign genkey [<private_key> [<public_key>]]

Generate a public/private key pair and write the keys to the corresponding files.

Switch parameter   Default value
<private_key>      drwcsd.pri
<public_key>       drwcsd.pub

Warning: The utility version for Windows platforms (in contrast to the UNIX versions) does not protect private keys from copying. Restrict access to the private key file by other means (file system permissions or ACLs).

drwsign gencert [-private-key=<private_key>] [-subj=<subject_fields>] [-days=<validity_period>] [<self_signed_certificate>]

Generate a self-signed certificate using the Server private key and write it to the corresponding file.

Switch parameter           Default value
<private_key>              drwcsd.pri
<subject_fields>           /CN=<hostname>
<validity_period>          3560
<self_signed_certificate>  drwcsd-certificate.pem

drwsign gencsr [-private-key=<private_key>] [-subj=<subject_fields>] [<certificate_sign_request>]

Generate a certificate signing request (CSR) based on the private key and write it to the corresponding file.

Can be used to have the certificate of another server signed, e.g. to sign the Proxy server certificate with the Dr.Web Server key.

To sign such a request, use the signcsr command.

Switch parameter            Default value
<private_key>               drwcsd.pri
<subject_fields>            /CN=<hostname>
<certificate_sign_request>  drwcsd-certificate-sign-request.pem

drwsign genselfsign [-show] [-subj=<subject_fields>] [-days=<validity_period>] [<private_key> [<self_signed_certificate>]]

Generate a self-signed RSA certificate and an RSA private key for a web server and write them to the corresponding files.

The -show switch prints the certificate content in readable form.

Switch parameter           Default value
<subject_fields>           /CN=<hostname>
<validity_period>          3560
<private_key>              private-key.pem
<self_signed_certificate>  certificate.pem

drwsign hash-check [-public-key=<public_key>] <hash_file> <sign_file>

Check the signature of the specified 256-bit number in the client-server protocol format.

<hash_file> is the file containing the signed 256-bit number; <sign_file> is the signature (two 256-bit numbers).

Switch parameter   Default value
<public_key>       drwcsd.pub

drwsign hash-sign [-private-key=<private_key>] <hash_file> <sign_file>

Sign the specified 256-bit number in the client-server protocol format.

<hash_file> is the file containing the 256-bit number to sign; <sign_file> receives the signature (two 256-bit numbers).

Switch parameter   Default value
<private_key>      drwcsd.pri
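A worked example of the four file-signing commands (sign, check, hash-sign, hash-check), added here and not taken from the Dr.Web documentation or product. It signs a constructed sample file, confirms that check accepts it and that a tampered copy is rejected, then signs a 256-bit SHA-256 digest with hash-sign and verifies it with hash-check. Assumptions of this example: drwsign is in PATH (or DRWSIGN points to it), the key pair uses the documented default names in the working directory, the 256-bit number in <hash_file> is stored as 32 raw bytes (the reference does not state the encoding, so treat the size checks as a sanity check only), and openssl is used only to compute the digest. The file names payload.bin, other.bin, other.sha256 and other.sig are this example's choice.

```shell
#!/bin/sh
# Added example, not part of the Dr.Web documentation or product.
# Assumptions: drwsign in PATH (or DRWSIGN set); keys drwcsd.pri/drwcsd.pub in
# the working directory; <hash_file> = 32 raw bytes (encoding not documented);
# openssl only for computing the SHA-256 digest.

DRWSIGN="${DRWSIGN:-drwsign}"

# Sign a file with the Server private key and verify it with the public key.
# Returns 0 only if `check` accepts the signature.
sign_and_check() {
    "$DRWSIGN" sign -private-key=drwcsd.pri "$1" || return 1
    "$DRWSIGN" check -public-key=drwcsd.pub "$1"
}

# Returns 0 if `check` REJECTS the file (what we want for a tampered file),
# 1 if it wrongly accepts it.
check_rejects() {
    if "$DRWSIGN" check -public-key=drwcsd.pub "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Write the SHA-256 digest of $1 as 32 raw bytes into $2 (assumed <hash_file> format).
digest_to_hash_file() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl is needed to compute the digest" >&2; return 1; }
    openssl dgst -sha256 -binary "$1" > "$2"
}

# Byte length of a file, normalised to a bare integer for the sanity checks.
file_size() {
    echo $(( $(wc -c < "$1") ))
}

demo() {
    mkdir -p "$1" && cd "$1" || return 1

    # Constructed sample payload standing in for a file you actually distribute.
    printf 'sample payload v1\n' > payload.bin

    [ -f drwcsd.pri ] || "$DRWSIGN" genkey drwcsd.pri drwcsd.pub || return 1
    chmod 600 drwcsd.pri          # the Windows build does not protect the key itself

    sign_and_check payload.bin || return 1

    # Tamper with the first byte in place: the signature must now be rejected.
    printf 'X' | dd of=payload.bin bs=1 seek=0 conv=notrunc 2>/dev/null
    check_rejects payload.bin || { echo "tampered file still passes check" >&2; return 1; }

    # hash-sign / hash-check on a 256-bit digest of a second constructed file.
    printf 'another payload\n' > other.bin
    digest_to_hash_file other.bin other.sha256 || return 1
    [ "$(file_size other.sha256)" -eq 32 ] || return 1
    "$DRWSIGN" hash-sign -private-key=drwcsd.pri other.sha256 other.sig || return 1
    echo "signature size: $(file_size other.sig) bytes (two 256-bit numbers would be 64 raw bytes)"
    "$DRWSIGN" hash-check -public-key=drwcsd.pub other.sha256 other.sig
}

# Usage: sh <this script> run [workdir]
if [ "${1:-}" = "run" ]; then
    demo "${2:-$(mktemp -d)}"
fi
```

A tampered file that check still accepts means the keys or files in use are not the ones you think they are; do not ship anything until that is resolved.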

drwsign help [<command>]

Brief help on the program or on the specified command, in command-line format.

drwsign sign [-private-key=<private_key>] <file>

Sign the <file> using the private key.

Switch parameter   Default value
<private_key>      drwcsd.pri

drwsign signcert [-ca-key=<private_key>] [-ca-cert=<Server_certificate>] [-cert=<certificate_to_sign>] [-days=<validity_period>] [<signed_certificate>]

Sign the existing <certificate_to_sign> with the Server private key and certificate. The signed certificate is saved to a separate file.

Can be used to sign the Proxy server certificate with the Dr.Web Server key.

Switch parameter       Default value
<private_key>          drwcsd.pri
<Server_certificate>   drwcsd-ca-certificate.pem
<certificate_to_sign>  drwcsd-certificate.pem
<validity_period>      3560
<signed_certificate>   drwcsd-signed-certificate.pem

drwsign signcsr [-ca-key=<private_key>] [-ca-cert=<Server_certificate>] [-csr=<certificate_sign_request>] [-days=<validity_period>] [<signed_certificate>]

Sign the <certificate_sign_request> generated by the gencsr command, using the Server private key and certificate. The signed certificate is saved to a separate file.

Can be used to sign the certificate of another server, e.g. to sign the Proxy server certificate with the Dr.Web Server key.

Switch parameter            Default value
<private_key>               drwcsd.pri
<Server_certificate>        drwcsd-certificate.pem
<certificate_sign_request>  drwcsd-certificate-sign-request.pem
<validity_period>           3560
<signed_certificate>        drwcsd-signed-certificate.pem

drwsign tlsticketkey [<TLS_ticket>]

Generate a key for TLS session tickets and write it to the specified file.

Can be used in a cluster of Servers so that TLS sessions are shared between them.

Switch parameter   Default value
<TLS_ticket>       tickets-key.bin

drwsign verify [-ss-cert] [-CAfile=<Server_certificate>] [<certificate_to_check>]

Validate a certificate against the trusted Server certificate.

The -ss-cert switch ignores the trusted certificate and validates the certificate as self-signed only.

Switch parameter        Default value
<Server_certificate>    drwcsd-certificate.pem
<certificate_to_check>  drwcsd-signed-certificate.pem

drwsign x509dump [<certificate_to_print>]

Print a dump of any X.509 certificate.

Switch parameter        Default value
<certificate_to_print>  drwcsd-certificate.pem
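The genkey, gencert, gencsr, signcsr, verify and x509dump commands above form one procedure: give a Proxy server a certificate issued under the Dr.Web Server key and confirm the chain. The following shell script is an added example, not part of the Dr.Web documentation or product; it strings the documented commands together and adds the checks a practitioner would want. Everything not in the reference is this example's assumption: the file names proxy.pri, proxy.pub, proxy.csr and proxy-signed.pem, the hostname proxy.example.internal, the 730-day validity for the Proxy certificate, the chmod 600 hardening step (the Windows build leaves the key unprotected), and the optional cross-check with OpenSSL's verify, which is an independent implementation and may judge the chain differently from drwsign verify; a disagreement is a prompt to inspect the certificates with x509dump, not proof of a bad certificate.

```shell
#!/bin/sh
# Added example, not part of the Dr.Web documentation or product.
# Issues a Proxy server certificate under the Dr.Web Server key with drwsign
# and verifies the result.  Assumptions (nothing below is mandated by the
# reference): drwsign in PATH or DRWSIGN set; file names proxy.pri/proxy.pub/
# proxy.csr/proxy-signed.pem; hostname PROXY_HOST; 730-day Proxy certificate;
# chmod 600 on private keys; optional cross-check with openssl.

DRWSIGN="${DRWSIGN:-drwsign}"
PROXY_HOST="${PROXY_HOST:-proxy.example.internal}"   # assumed hostname

# Step 1: Server key pair (genkey) and self-signed Server certificate (gencert).
# drwcsd.pri/drwcsd.pub/drwcsd-certificate.pem and 3560 days are the documented defaults.
make_server_identity() {
    "$DRWSIGN" genkey drwcsd.pri drwcsd.pub || return 1
    chmod 600 drwcsd.pri || return 1          # the Windows build does not protect the key itself
    "$DRWSIGN" gencert -private-key=drwcsd.pri -days=3560 drwcsd-certificate.pem
}

# Step 2: Proxy key pair, CSR for the Proxy hostname (gencsr), then the CSR signed
# by the Server key and certificate (signcsr; the CA side uses -ca-key/-ca-cert).
make_proxy_certificate() {
    "$DRWSIGN" genkey proxy.pri proxy.pub || return 1
    chmod 600 proxy.pri || return 1
    "$DRWSIGN" gencsr -private-key=proxy.pri -subj="/CN=$PROXY_HOST" proxy.csr || return 1
    "$DRWSIGN" signcsr -ca-key=drwcsd.pri -ca-cert=drwcsd-certificate.pem \
        -csr=proxy.csr -days=730 proxy-signed.pem
}

# Step 3a: verify with drwsign: the Proxy certificate against the Server
# certificate, and the Server certificate on its own as a self-signed root.
verify_with_drwsign() {
    "$DRWSIGN" verify -CAfile=drwcsd-certificate.pem proxy-signed.pem || return 1
    "$DRWSIGN" verify -ss-cert drwcsd-certificate.pem
}

# Step 3b: independent cross-check with OpenSSL.  Returns 0 if $2 chains to the
# trust anchor $1, 1 if it does not, 2 if openssl is not installed.
verify_with_openssl() {
    command -v openssl >/dev/null 2>&1 || return 2
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
}

issue_proxy_certificate() {
    mkdir -p "$1" && cd "$1" || return 1
    make_server_identity || return 1
    make_proxy_certificate || return 1
    verify_with_drwsign || return 1
    "$DRWSIGN" x509dump proxy-signed.pem          # eyeball subject, issuer and validity
    if verify_with_openssl drwcsd-certificate.pem proxy-signed.pem; then
        echo "openssl agrees: proxy-signed.pem chains to drwcsd-certificate.pem"
    elif [ $? -eq 2 ]; then
        echo "openssl not found; independent cross-check skipped" >&2
    else
        echo "openssl verify rejected a chain drwsign accepted; inspect both files with x509dump" >&2
        return 1
    fi
}

# Usage: sh <this script> run [workdir]
if [ "${1:-}" = "run" ]; then
    issue_proxy_certificate "${2:-$(mktemp -d)}"
fi
```

Copy only proxy.pri and proxy-signed.pem to the Proxy server; drwcsd.pri never leaves the Dr.Web Server host.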