H7.1. Digital keys and certificates generation utility

The following console versions of the digital keys and certificates generation utility are provided:

Executable file: drweb-sign-<OS>-<bitness>
  Location: Control Center, the Administration → Utilities section; the webmin/utilities directory of Dr.Web Server
  Description: Independent version of the utility. Can be launched from any directory or on any computer with the corresponding operating system.

Executable file: drwsign
  Location: the bin directory of Dr.Web Server
  Description: The utility version depends on Server libraries. Can be launched only from its location directory.

Note: The drweb-sign-<OS>-<bitness> and drwsign utility versions are identical in their functions. Further in this section the drwsign version is used, but all examples apply to both versions.

The start instruction format of each command is given below, followed by its description and the default values of its switch parameters.

drwsign check [-public-key=<public_key>] <file>

Check the specified file signature using a public key of the person who signed this file.

Switch parameter              Default value
<public_key>                  drwcsd.pub

drwsign extract [-private-key=<private_key>] [-cert=<Dr.Web_Server_certificate>] <public_key>

Extract the public key from the private key file or from the certificate and write the public key to the specified file.

The -private-key and -cert switches are mutually exclusive, i.e. only one switch can be set; if both switches are set at the same time, the command fails to execute.

When a switch is used, its parameter must be specified.

If none of the switches is set, -private-key=drwcsd.pri is used to extract the public key of the drwcsd.pri private key.

Switch parameter              Default value
<private_key>                 drwcsd.pri

drwsign genkey [<private_key> [<public_key>]]

Generate a public/private key pair and write the keys to the corresponding files.

Switch parameter              Default value
<private_key>                 drwcsd.pri
<public_key>                  drwcsd.pub

Warning: The utility version for Windows platforms (in contrast to UNIX versions) does not protect private keys from copying.

drwsign gencert [-private-key=<private_key>] [-subj=<subject_fields>] [-days=<validity_period>] [<self_signed_certificate>]

Generate a self-signed certificate using the Dr.Web Server private key and write it to the corresponding file.

Switch parameter              Default value
<private_key>                 drwcsd.pri
<subject_fields>              /CN=<hostname>
<validity_period>             3560
<self_signed_certificate>     drwcsd-certificate.pem

drwsign gencsr [-private-key=<private_key>] [-subj=<subject_fields>] [<certificate_sign_request>]

Generate a certificate signing request based on the private key and write the request to the corresponding file.

Can be used to sign the certificate of another server, e.g. to sign a Dr.Web Proxy Server certificate with the Dr.Web Server key.

To sign such requests, use the signcsr command.

Switch parameter              Default value
<private_key>                 drwcsd.pri
<subject_fields>              /CN=<hostname>
<certificate_sign_request>    drwcsd-certificate-sign-request.pem

drwsign genselfsign [-show] [-subj=<subject_fields>] [-days=<validity_period>] [<private_key> [<self_signed_certificate>]]

Generate a self-signed RSA certificate and an RSA private key for a web server and write them to the corresponding files.

The -show switch prints the certificate content in a readable form.

Switch parameter              Default value
<subject_fields>              /CN=<hostname>
<validity_period>             3560
<private_key>                 private-key.pem
<self_signed_certificate>     certificate.pem

drwsign hash-check [-public-key=<public_key>] <hash_file> <signature_file>

Check the signature of the specified 256-bit number in the client-server protocol format.

The <hash_file> parameter specifies the file with the signed 256-bit number; <signature_file> is the signature to check (two 256-bit numbers).

Switch parameter              Default value
<public_key>                  drwcsd.pub

drwsign hash-sign [-private-key=<private_key>] <hash_file> <signature_file>

Sign the specified 256-bit number in the client-server protocol format.

The <hash_file> parameter specifies the file with the 256-bit number to sign; <signature_file> receives the signature result (two 256-bit numbers).

Switch parameter              Default value
<private_key>                 drwcsd.pri

drwsign help [<command>]

Print brief information on the program or on the specific command in the command line format.

drwsign sign [-private-key=<private_key>] <file>

Sign <file> using the private key.

Switch parameter              Default value
<private_key>                 drwcsd.pri

drwsign signcert [-ca-key=<private_key>] [-ca-cert=<Dr.Web_Server_certificate>] [-cert=<certificate_to_sign>] [-days=<validity_period>] [-eku=<purpose>] [<signed_certificate>]

Sign the existing <certificate_to_sign> using the private key and the certificate of Dr.Web Server. The signed certificate is saved into a separate file.

Can be used to sign the Dr.Web Proxy Server certificate with the Dr.Web Server key.

The following values of the -eku switch (Extended Key Usage extension) can be used:

drwebServerAuth: authentication of the Server/Proxy server by the Agent;
drwebMeshDAuth: authentication of the Scanning server by the Virtual agent.

Switch parameter              Default value
<private_key>                 drwcsd.pri
<Dr.Web_Server_certificate>   drwcsd-ca-certificate.pem
<certificate_to_sign>         drwcsd-certificate.pem
<validity_period>             3560
<purpose>                     drwebServerAuth
<signed_certificate>          drwcsd-signed-certificate.pem

drwsign signcsr [-ca-key=<private_key>] [-ca-cert=<Dr.Web_Server_certificate>] [-csr=<certificate_sign_request>] [-days=<validity_period>] [-eku=<purpose>] [<signed_certificate>]

Sign <certificate_sign_request> generated by the gencsr command using the private key and the Dr.Web Server certificate. The signed certificate is saved into a separate file.

Can be used to sign the certificate of another server, e.g. to sign a Dr.Web Proxy Server certificate with the Dr.Web Server key.

The following values of the -eku switch (Extended Key Usage extension) can be used:

drwebServerAuth: authentication of the Server/Proxy server by the Agent;
drwebMeshDAuth: authentication of the Scanning server by the Virtual agent.

Switch parameter              Default value
<private_key>                 drwcsd.pri
<Dr.Web_Server_certificate>   drwcsd-certificate.pem
<certificate_sign_request>    drwcsd-certificate-sign-request.pem
<validity_period>             3560
<purpose>                     drwebServerAuth
<signed_certificate>          drwcsd-signed-certificate.pem
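Putting the gencsr and signcsr commands described above together, the following added example (not part of the Dr.Web documentation) signs a Dr.Web Proxy Server certificate with the Dr.Web Server key and then verifies the result against the Server certificate. The file names proxy.pri, proxy.pub, proxy-csr.pem and proxy-signed-certificate.pem, the DRWSIGN path and the DRY_RUN switch are assumptions of the example.

```shell
#!/bin/sh
# Added example: sign a Dr.Web Proxy Server certificate with the Dr.Web Server key.
# File names, the DRWSIGN path and DRY_RUN are assumptions of this example.
set -eu

DRWSIGN="${DRWSIGN:-./drwsign}"   # the server build must run from its own (bin) directory

# Execute a command, or only print it when DRY_RUN=1 so the sequence can be reviewed first.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1 (on the Proxy Server): its own key pair and a CSR carrying the proxy host name.
make_proxy_csr() {            # $1 = proxy host name
    run "$DRWSIGN" genkey proxy.pri proxy.pub
    run "$DRWSIGN" gencsr -private-key=proxy.pri "-subj=/CN=$1" proxy-csr.pem
}

# Step 2 (on the Dr.Web Server): sign the CSR with the Server key and certificate.
# Only the two -eku values documented for signcsr are accepted; anything else is
# rejected before drwsign is invoked.
sign_proxy_csr() {            # $1 = CSR file, $2 = -eku value, $3 = validity in days
    case "$2" in
        drwebServerAuth|drwebMeshDAuth) ;;
        *) echo "unsupported -eku value: $2" >&2; return 2 ;;
    esac
    run "$DRWSIGN" signcsr -ca-key=drwcsd.pri -ca-cert=drwcsd-certificate.pem \
        "-csr=$1" "-days=$3" "-eku=$2" proxy-signed-certificate.pem
}

# Step 3 (on the Dr.Web Server): confirm the result validates against the Server certificate.
verify_signed() {
    run "$DRWSIGN" verify -CAfile=drwcsd-certificate.pem proxy-signed-certificate.pem
}

# Full sequence for one proxy host (Agents then authenticate the proxy via drwebServerAuth).
sign_proxy() {                # $1 = proxy host name
    make_proxy_csr "$1"
    sign_proxy_csr proxy-csr.pem drwebServerAuth 3560
    verify_signed
}
```

Run `DRY_RUN=1 sign_proxy <proxy host>` first to inspect the exact drwsign command lines, then repeat without DRY_RUN on the respective machines.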

drwsign tlsticketkey [<TLS_ticket>]

Generate a TLS session ticket key and write it to the specified file.

Can be used in a Server cluster for shared TLS sessions.

Switch parameter              Default value
<TLS_ticket>                  tickets-key.bin

drwsign verify [-ss-cert] [-CAfile=<Dr.Web_Server_certificate>] [<certificate_to_check>]

Check the validity of the certificate with the trusted certificate of the Server.

The -ss-cert switch ignores the trusted certificate and validates the self-signed certificate only.

Switch parameter              Default value
<Dr.Web_Server_certificate>   drwcsd-certificate.pem
<certificate_to_check>        drwcsd-signed-certificate.pem

drwsign x509dump [<certificate_to_print>]

Print a dump of any X.509 certificate.

Switch parameter              Default value
<certificate_to_print>        drwcsd-certificate.pem

drwsign version

Show the utility version.