Difference between revisions of "Creating self-signed CA certificates and keys using OpenSSL"
From Wiki Knowledge Base | Teltonika GPS
| Line 1: | Line 1: | ||
| − | |||
| − | |||
| − | |||
==Instructions== | ==Instructions== | ||
To create CA certificates and keys please follow the steps below. | To create CA certificates and keys please follow the steps below. | ||
| Line 16: | Line 13: | ||
| − | 3. Start the OpenSSL Software. Search the '''OpenSSL''' from the Windows starts button. | + | 3. Start the OpenSSL Software. Search the '''OpenSSL''' from the Windows starts button.[[File:OPENSSL.png|thumb|364x364px|alt=|none]] |
| − | [[File: | ||
<br /> | <br /> | ||
| − | + | 4. OpenSSL Command Prompt will open it includes the software built, directory, and other information.[[File:OPENSSLDirectory.png|thumb|490x490px|alt=|none]] | |
| − | |||
| − | |||
| − | 4. OpenSSL Command Prompt will open it includes the software built, directory, and other information. | ||
| − | [[File:OPENSSLDirectory.png| | ||
<br /> | <br /> | ||
| − | + | 5. Generating CA key pair. [[File:GenerationCAkeypair.png|thumb|490x490px|alt=|none]] | |
| − | 5. Generating CA key pair. | ||
| − | [[File:GenerationCAkeypair.png| | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
'''Command: <span style="background:#3BC6F7">openssl genrsa -des3 -out ca.key 2048''' | '''Command: <span style="background:#3BC6F7">openssl genrsa -des3 -out ca.key 2048''' | ||
'''Note:''' You can create a password for the CA Key Pair | '''Note:''' You can create a password for the CA Key Pair | ||
| Line 43: | Line 27: | ||
6. Generating certificate for the CA using the CA key pair we created. | 6. Generating certificate for the CA using the CA key pair we created. | ||
| − | [[File:Command6.png|thumb|490x490px|none | + | [[File:Command6.png|alt=|thumb|490x490px|none]] |
'''Command: <span style="background:#3BC6F7">openssl req -new -x509 -days 1826 -key ca.key -out ca.crt''' | '''Command: <span style="background:#3BC6F7">openssl req -new -x509 -days 1826 -key ca.key -out ca.crt''' | ||
'''Note:''' CA Certificate is valid for 1826 days or 5 years you can change this according to your requirement. It will ask you to enter the passphrase you created for the CA key. | '''Note:''' CA Certificate is valid for 1826 days or 5 years you can change this according to your requirement. It will ask you to enter the passphrase you created for the CA key. | ||
| Line 49: | Line 33: | ||
7. Generating a server key pair that will be used by the broker (server) | 7. Generating a server key pair that will be used by the broker (server) | ||
| − | [[File:Command7.png|thumb|490x490px|none | + | [[File:Command7.png|alt=|thumb|490x490px|none]] |
'''Command: <span style="background:#3BC6F7">openssl genrsa -out server.key 2048''' | '''Command: <span style="background:#3BC6F7">openssl genrsa -out server.key 2048''' | ||
<br /> | <br /> | ||
8. Generating a certificate request. | 8. Generating a certificate request. | ||
| − | [[File:Command8.png|thumb|490x490px|none | + | [[File:Command8.png|alt=|thumb|490x490px|none]] |
'''Command: <span style="background:#3BC6F7">openssl req -new -out server.csr -key server.key''' | '''Command: <span style="background:#3BC6F7">openssl req -new -out server.csr -key server.key''' | ||
'''Note:''' When you fill out the certificate request the common name is the most critical usually it is the domain name of your broker (server). You can use a full domain name or the IP address of your server. We will not send this information to CA because it is a self-signed certificate, we are the CA. | '''Note:''' When you fill out the certificate request the common name is the most critical usually it is the domain name of your broker (server). You can use a full domain name or the IP address of your server. We will not send this information to CA because it is a self-signed certificate, we are the CA. | ||
| Line 60: | Line 44: | ||
9. Generating server.crt file. | 9. Generating server.crt file. | ||
| − | [[File:Command9.png|thumb|490x490px|none | + | [[File:Command9.png|alt=|thumb|490x490px|none]] |
'''Command: <span style="background:#3BC6F7">openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt. -days 360''' | '''Command: <span style="background:#3BC6F7">openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt. -days 360''' | ||
'''Note''': We will use the CA key to verify and sign the certificate. | '''Note''': We will use the CA key to verify and sign the certificate. | ||
| Line 66: | Line 50: | ||
10. If all the steps are completed correctly you can check these 3 files from the directory ca.crt, server.crt, and server.key. | 10. If all the steps are completed correctly you can check these 3 files from the directory ca.crt, server.crt, and server.key. | ||
| − | [[File:Command10.png|thumb|490x490px|none | + | [[File:Command10.png|alt=|thumb|490x490px|none]] |
'''Command: <span style="background:#3BC6F7">dir''' | '''Command: <span style="background:#3BC6F7">dir''' | ||
'''Note:''' To check the files go to this directory C:\Users\<username>. | '''Note:''' To check the files go to this directory C:\Users\<username>. | ||
<br /> | <br /> | ||
Revision as of 15:33, 8 October 2023
TLS/DTLS implementation for Flespi using OpenSSL > Creating self-signed CA certificates and keys using OpenSSLInstructions
To create CA certificates and keys please follow the steps below.
1. Before creating the Certificate and Keys you need to specify the detailed information of your server domain, in our case, we will your flespi server details which will be available in the third step of this guide.
2. When creating keys, you shouldn’t use encryption (-ds3 switch) for the server certificate because this creates a password-protected key that the broker or server can’t decode.
3. Start the OpenSSL Software. Search the OpenSSL from the Windows starts button.
4. OpenSSL Command Prompt will open it includes the software built, directory, and other information.
5. Generating CA key pair.
Command: openssl genrsa -des3 -out ca.key 2048
Note: You can create a password for the CA Key Pair
6. Generating certificate for the CA using the CA key pair we created.
Command: openssl req -new -x509 -days 1826 -key ca.key -out ca.crt
Note: CA Certificate is valid for 1826 days or 5 years you can change this according to your requirement. It will ask you to enter the passphrase you created for the CA key.
7. Generating a server key pair that will be used by the broker (server)
Command: openssl genrsa -out server.key 2048
8. Generating a certificate request.
Command: openssl req -new -out server.csr -key server.key
Note: When you fill out the certificate request the common name is the most critical usually it is the domain name of your broker (server). You can use a full domain name or the IP address of your server. We will not send this information to CA because it is a self-signed certificate, we are the CA.
9. Generating server.crt file.
Command: openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt. -days 360
Note: We will use the CA key to verify and sign the certificate.
10. If all the steps are completed correctly you can check these 3 files from the directory ca.crt, server.crt, and server.key.
Command: dir
Note: To check the files go to this directory C:\Users\<username>.
