Generating a self-signed TLS certificate

Third-party CA-signed certificates can be used to install HCL Local License Server (LLS) on your host machine.However, you can also use the LLS package utility to generate a self-signed TLS certificate.

About this task

The LLS installer supports trusted third-party CA certificates and self-signed certificates.
Important:
  • It is recommended that you use a trusted third-party TLS certificate when deploying in production environments.
  • Your usage model and risk tolerance should be considered before selecting a self-signed certificate.
  • The use of a self-signed certificate comes with no warranties or liabilities.

The self-signed TLS certificate can now be generated using the built-in tlsutil utility program available in the LLS package. This replaces the earlier method where OpenSSL had to be manually installed and configured.

If your organization prefers using a certificate signed by a trusted Certificate Authority (CA), you can continue to use it instead of the self-signed one.

Note:
  • Ensure that the hostname (FQDN) in the certificate matches the LLS server hostname.

  • If using the tlsutil tool, follow the on-screen prompts to automatically generate the key and certificate files.

  • Keep a backup of all certificate and key files in a secure location.

Procedure

  1. Extract the installer package:
    • On Windows, use a zip program such as WinZip or 7-Zip.
    • On Linux, enter the following command:
      tar -xvzf packageName
  2. Go to the directory where the utility program is located.
    OS File Name Location
    Windows utility.bat <unzipped-installer-files>\hcl-lls-5.3-windows\utility.bat
    Linux utility.sh <unzipped-installer-files>/hcl-lls-5.3-linux/utility.sh

    The TLS certificate generation process in LLS 5.3 uses two separate files:

    • utility.bat (Windows) or utility.sh (Linux) — the launcher script
    • tlsutil.exe — the executable that performs the certificate creation
    Note:

    Run utility.bat on Windows or utility.sh on Linux. The script internally invokes tlsutil.exe to generate the self-signed TLS certificate.

  3. Run the utility and follow the prompts:
    Please choose what you want to do:
    1. Generate TLS Certificate
    2. Quit
  4. Press 1 to generate a self-signed TLS certificate.
  5. Enter FQDN (Fully Qualified Domain Name) (e.g., MYLLSSERVER.COM) :

    Example: MYLLSSERVER.COM

    A Fully Qualified Domain Name (FQDN) is the complete address of a resource on the network (hostname + domain + sub-domain). You can obtain the FQDN as follows:

    On Windows:

    powershell "(Get-WmiObject win32_computersystem).Name + '.' + (Get-WmiObject win32_computersystem).Domain"

    On Linux:

    hostname -f
  6. Enter your organization name. Example: HCL
  7. Enter certificate validity period (in days). The default value is 365.
  8. Enter the directory to store certificates: Specify a path where you want the generated certificate and key files to be stored The following example message indicates a successful generation:
    Generating certificate files using tlsutil…
    Self-signed certificate generated successfully
    Certificate and key files are located in: C:\MHS\LLS\Certificate
    
    TLS certificate generation completed.
    Do you want to generate something else?
    1. Generate TLS Certificate
    2. Quit
    Enter your choice (1-2)
  9. Press 2 to quit the process.

Results

The self-signed certificate is generated and saved at the provided location.

The generated certificate and key files are automatically validated against the configured FQDN to ensure compatibility during LLS installation and client communication.

You can now proceed to install HCL Local License Server using the generated certificate.