Contents of Demo CA

Starting with the 9.0 product release, the optional Demo CA component contains the following script files, with the .cmd file extension on Windows:

CreateDemoCA
Generates the root and intermediate CA certificates and their private keys, and the default set of client and server certificates and keys.
CreateNewUserCerts
Generates a new set of client and server certificates.
RevokeCertificate
Revokes a client or server certificate generated by Demo CA.

These utility scripts are executed by the main scripts listed above, and typically should not be run directly by the user:

Demo CA also contains a file named 00Readme.txt which describes the scripts and how to use them, and some additional files used by the scripts.

See the topics listed below for more information on each of the main scripts.

After running CreateDemoCA, the Demo CA instance directory, which is specified to the script as a command-line parameter, will contain the following:

CA
Directory containing the files for the new root CA. Note the root CA is only used to issue certificates for the intermediate CA, and provide the root certificate for certificates issued by the intermediate.
intermediate
Directory containing the files for the new intermediate CA. The intermediate CA is used to issue all entity (client and server) certificates.
entities
A directory containing copies of all the certificates generated by Demo CA, and the private keys for entity certificates, for convenience when locating certificate files.
EC_openssl.conf ECintCA.conf
Configuration files used when generating certificates and related materials.

The EC prefix on many of the files indicates the use of Elliptic Curve Cryptography (ECC), which Micro Focus recommends for better security and performance. Within the CA and intermediate directories are various directories and files which implement the CAs.

Migrating from earlier releases

The new scripts listed above replace the scripts from earlier versions of Demo CA, such as reinstall_demoCA.

The file CARootCerts.pem, which contains trusted root and intermediate certificates from commercial CAs, is now part of the base product, not Demo CA.

The file CARootCert.pem (without the "s"), which in previous releases contained the root CA certificate for Demo CA, has been replaced with EC_CAcollection.pem and EC_CAcollection.p7b, which have the same contents in different formats, and can be found in the entities/CAs directory.

Note: There are now two CA certificates, a root and an intermediate, following current best practices for CAs.

If you wish to use Demo CA with enterprise server instances or server components such as ESCWA and MFDS, be sure to use the complete paths to your Demo CA certificate and key files when configuring TLS, since Demo CA no longer has a default installation directory. Similarly, if you wish to use Demo CA with client programs such as Enterprise Server utilities or COBOL Web service clients, edit the mf-client.dat file in the product installation location and set the values indicated in the file using full paths.