View source for Creating self-signed CA certificates and keys using OpenSSL

[[Category: TLS/DTLS implementation for Flespi using OpenSSL]]  

==Instructions==
To create CA certificates and keys please follow the steps below.



1. Before creating the Certificate and Keys you need to specify the detailed information of your server domain, in our case, we will need your flespi server details which will be available in the third step of this guide.
<br />



2. When creating keys, you shouldn’t use encryption '''(-ds3 switch)''' for the server certificate because this creates a password-protected key that the broker or server can’t decode.
<br />


3. Start the OpenSSL Software. Search the '''OpenSSL''' from the Windows starts button.[[File:OPENSSL.png|thumb|364x364px|alt=|none]]
<br />


4. OpenSSL Command Prompt will open it includes the software built, directory, and other information.[[File:OPENSSLDirectory.png|thumb|490x490px|alt=|none]]
<br />


5. Generating CA key pair. [[File:GenerationCAkeypair.png|thumb|490x490px|alt=|none]]  
 '''Command: <span style="background:#3BC6F7">openssl genrsa -des3 -out ca.key 2048'''
 '''Note:''' You can create a password for the CA Key Pair
<br />

6. Generating certificate for the CA using the CA key pair we created. 
[[File:Command6.png|alt=|thumb|490x490px|none]]
 '''Command:  <span style="background:#3BC6F7">openssl req -new -x509 -days 1826 -key ca.key -out ca.crt'''
 '''Note:''' CA Certificate is valid for 1826 days or 5 years you can change this according to your requirement. It will ask you to enter the passphrase you created for the CA key.
<br />

7. Generating a server key pair that will be used by the broker (server)
 [[File:Command7.png|alt=|thumb|490x490px|none]]
 '''Command: <span style="background:#3BC6F7">openssl genrsa -out server.key 2048'''
<br />

8. Generating a certificate request.
[[File:Command8.png|alt=|thumb|490x490px|none]]
 '''Command: <span style="background:#3BC6F7">openssl req -new -out server.csr -key server.key'''
 '''Note:''' When you fill out the certificate request the common name is the most critical usually it is the domain name of your broker (server). You can use a full domain name or the IP address of your server. We will not send this information to CA because it is a self-signed certificate, we are the CA. 
<br />

9. Generating server.crt file.
[[File:Command9.png|alt=|thumb|490x490px|none]]
 '''Command: <span style="background:#3BC6F7">openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt. -days 360'''
 '''Note''': We will use the CA key to verify and sign the certificate.
<br />

10. If all the steps are completed correctly you can check these 3 files from the directory ca.crt, server.crt, and server.key.
[[File:Command10.png|alt=|thumb|490x490px|none]]
 '''Command: <span style="background:#3BC6F7">dir''' 
 '''Note:''' To check the files go to this directory C:\Users\<username>.
<br />