Tech Tip: 2048 Bit SSL CSR and Keypairs Can Now Be Generated From Within 4D
PRODUCT: 4D | VERSION: 11.6 | PLATFORM: Mac & Win
Published On: March 15, 2010

As of 4D v11 SQL Release 6, it is now possible to specify a key length of 2048 as the third parameter to GENERATE ENCRYPTION KEYPAIR.

The following code snippet can be used to generate a 2048-bit key pair, followed by a 2048-bit Certificate Signing Request (CSR):


  ` generate new Key Pair
C_BLOB(privKey;pubKey)
GENERATE ENCRYPTION KEYPAIR (privKey;pubKey;2048)


  ` Setup Certificate Signing Request information
ARRAY LONGINT(SSLcodeArray;6)
ARRAY STRING(80;SSLinfoArray;6)

  ` Common Name
SSLcodeArray{1}:=13
SSLinfoArray{1}:="www.mydomain.com"

  ` Country Name (2 Letters)
SSLcodeArray{2}:=14
SSLinfoArray{2}:="US"

  ` Locality Name
SSLcodeArray{3}:=15
SSLinfoArray{3}:="San Jose"

  ` State or Province Name
SSLcodeArray{4}:=16
SSLinfoArray{4}:="California"

  ` Organization Name
SSLcodeArray{5}:=17
SSLinfoArray{5}:="My Company"

  ` Organization Unit
SSLcodeArray{6}:=18
SSLinfoArray{6}:="My Department or Title"

  ` generate CSR
C_BLOB(CSR)
GENERATE CERTIFICATE REQUEST(privKey;CSR;SSLcodeArray;SSLinfoArray)

  ` save CSR to file
BLOB TO DOCUMENT("csr.txt";CSR)

  ` save private key to file
BLOB TO DOCUMENT("key.pem";privKey)

  ` save public key to file
BLOB TO DOCUMENT("publickey.pem";pubKey)


The code snippet above will create a 2048-bit private and public encryption key pair and a Certificate Signing Request (CSR). If the above code is run in single-user mode, the files will be placed next to the structure.

The Certificate Signing Request (CSR) can then be used to create an SSL certificate, either by taking it to your favorite Certificate Authority (such as qualityssl.com or verisign.com) and having them sign it, or by going self-signed using a program like OpenSSL.

If going self-signed, you can use the following command with OpenSSL:

openssl x509 -req -days 365 -in csr.txt -signkey key.pem -out cert.pem


The above command will use OpenSSL (which must be installed separately) to create a self-signed certificate with an expiration date 1 year in the future.

On the other hand, the following command will use OpenSSL to create a self-signed certificate with an expiration date 15 years in the future.

openssl x509 -req -days 5475 -in csr.txt -signkey key.pem -out cert.pem


The private key (key.pem) and the certificate (cert.pem) are used together to allow SSL communication.
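
A consistency check for the files named above, as an added example that is not part of the original tech tip: it confirms that key.pem, csr.txt and cert.pem carry the same RSA modulus and that the key is at least 2048 bits long. The function names are hypothetical, and OpenSSL is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example (not from the original tech tip).
# Usage: pass the three files as arguments, e.g.  key.pem csr.txt cert.pem

# Print the RSA modulus as hex.
# $1 = openssl subcommand (rsa | req | x509), $2 = file to read.
rsa_modulus() {
    openssl "$1" -noout -modulus -in "$2" 2>/dev/null | sed -n 's/^Modulus=//p'
}

# Return 0 only if the private key, CSR and certificate hold the same key
# and that key is at least $4 bits long (default 2048).
# Return codes: 2 unreadable key, 3 key too short, 4 CSR mismatch,
# 5 certificate mismatch.
check_keypair_files() {
    key=$1; csr=$2; cert=$3; min_bits=${4:-2048}

    key_mod=$(rsa_modulus rsa "$key")
    [ -n "$key_mod" ] || { echo "cannot read private key: $key"; return 2; }

    # Each hex digit of the modulus is 4 bits.
    bits=$(( ${#key_mod} * 4 ))
    [ "$bits" -ge "$min_bits" ] || {
        echo "key is $bits bits, expected at least $min_bits"; return 3; }

    [ "$(rsa_modulus req "$csr")" = "$key_mod" ] || {
        echo "CSR was not generated from this private key"; return 4; }

    [ "$(rsa_modulus x509 "$cert")" = "$key_mod" ] || {
        echo "certificate does not belong to this private key"; return 5; }

    echo "OK: $bits-bit key matches CSR and certificate"
}

# Run the check only when file names were supplied on the command line.
if [ "$#" -ge 3 ]; then
    check_keypair_files "$@"
fi
```

A mismatch between key.pem and cert.pem is the usual cause of a server refusing to start SSL after a certificate is replaced, so this check is worth running before deploying either file.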
