Lantronix 900-598 Obtaining Certificates , Self-Signed Certificates , Certificate Formats , OpenSSL

14: Security in Detail

PremierWave XC User Guide 96

the exception of the root CA. This way, trust is transferred along the chain, from the root CA

through any number of intermediate authorities, ultimately to the agent t hat needs to prove its

authenticity.

Obtaining Certificates

Signed certificates are typically obtained from well-known CAs, such as VeriSign. This is done by

submitting a certificate request for a CA, typically for a fee. The CA will sign the certificat e

request, producing a certificate/key combo: the certificate contains the id entity of the owner and

the public key, and the private key is available separately for use by the owner.

As an alternative to acquiring a signed certificate from a CA, you can act as your own CA and

create self-signed certificates. This is often done for testing scenarios, and som etimes for closed

environments where the expense of a CA-signed root certificate is not nec essary.

Self-Signed Certificates

A few utilities exist to generate self-signed certificates or sign certificate requests. T he

PremierWave XC also has the ability to generate its own self-signed certificate/ke y combo. You

can use XML to export the certificate in PEM format, but you cannot export the key. Hence the

internal certificate generator can only be used for certificates to identif y that particular

PremierWave XC.

Certificate Formats

Certificates and private keys can be stored in several file formats. Best k nown are PKCS12, DER

and PEM. Certificate and key can be in the same file or in separate files. Additionally, the key can

be either be encrypted with a password or left in the clear. However, the PremierWave XC

currently only accepts separate PEM files, with the key unencrypted.

Several utilities exist to convert between the formats.

OpenSSL

OpenSSL is a widely used open source set of SSL related command line utilities. It can act as

server or client. It can also generate or sign certificate requests, and ca n convert from and to

several different of formats.

OpenSSL is available in binary form for Linux and Windows.

To generate a self-signed RSA certificate/key combo:

openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout mp_key.pem

-out mp_cert.pem

See www.openssl.org or www.madboa.com/geek/openssl for more information.

Note: Signing other certificate requests is also possible with OpenSSL but the details of

this process are outside the scope of this document.