Public Space Parameters
Creating SSL Keys
You need to download three keys to the AP-2500 before enabling SSL. You must create two of these keys yourself: a
Private Key file (cakey.pem) and a Public Key file (server.pem). Proxim provides the third key (cacert.pem) on the
AP’s CD in the SSL_KEY folder (it is also included with software updates posted on Proxim’s Web site).
To create cakey.pem and server.pem, you must contact a Certification Authority (CA). Many companies offer
certification services. Each CA has its own set of qualification requirements that a company must meet before the CA
will grant an SSL certificate. Proxim recommends that you use a well-known CA, such as Verisign
(http://www.verisign.com/). Refer to Verisign’s Web site for more information on SSL and obtaining an SSL certificate.
NOTE
As of the release of this document, Verisign provides free trial SSL certificates for testing purposes. See
Verisign’s Web site for details.
The following steps provide an overview of how to create cakey.pem and server.pem:
1. Download and install Cygwin from the Internet. It is available as a free download at several Web sites including
http://www.cygwin.com/.
• Cygwin is a UNIX environment for Windows. It operates on computers running Windows 95 and later (except
Windows CE).
• Download and execute the Cygwin Setup.exe file. Follow the on-screen instructions to install the software.
• When prompted to select packages to install, select cygwin and openssl only. You do not need to install any
other packages (in other words, you can skip them).
• You will use the openssl program to generate keys.
2. Locate or generate five large random files and rename them a.dat, b.dat, c.dat, d.dat, and e.dat.
• These files are used to seed the random number generator.
• These files can be any file type (such as Word, Excel, etc.) but you should change the file names to “*.dat” as
described above (a.dat through e.dat). Verisign recommends using large compressed log files.
• The files can have any name but must follow standard DOS naming conventions (that is, a file name with a
maximum of eight characters, a period, and a three-character extension).
3. Copy or move these five dat files to the directory where openssl.exe is installed (typically c:\cygwin\bin\).
4. Open an MS-DOS command prompt.
5. Use the cd command to open the directory that contains openssl.exe and the five random files.
• If the files are installed at c:\cygwin\bin\, the command prompt should read:
C:\CYGWIN\BIN>
6. Type the following command and press Enter to generate a private key with the name cakey.pem:
openssl genrsa -rand file1:file2:file3:file4:file5 1024 > cakey.pem
— genrsa is the OpenSSL command to generate a private key.
— -rand is followed by the names of the five random files (include file name extensions and separate the
names with colons); this argument specifies the files containing random data for seeding the random
number generator.
— 1024 is the size of the private key to generate, in bits.
— > cakey.pem redirects the output to a file of that name.
— Due to buffer size limitations, the line length should not exceed 80 characters.
— Do not encrypt the key with any encryption options (such as -des, -des3, or -idea).
— See http://www.openssl.org/ for more information on this command.
7. Type the following command and press Enter to generate a Certificate Signing Request (CSR):
openssl req -new -key cakey.pem > server.csr
— req is the OpenSSL command to generate a certificate request.
— -new specifies that this command will generate a new certificate request.
— -key cakey.pem specifies the file that contains the private key you generated in the previous step.
— > server.csr redirects the output to a file of that name.
— See http://www.openssl.org/ for more information on this command.
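The following program is an added example, not part of the Proxim manual, that does in Go's standard library what steps 6 and 7 do with openssl: it generates an unencrypted RSA private key and writes it as cakey.pem, builds a Certificate Signing Request from that key and writes it as server.csr, and then runs the checks a practitioner would want before sending the CSR to a CA: the key is not encrypted (the manual's -des/-des3/-idea caveat), it has the expected size, and the CSR's signature verifies against the key that supposedly produced it. The subject values (ap.example.com, Example Org, US) are placeholders for this example. Go's crypto/rand reads the operating system's entropy source, so the a.dat through e.dat seed files from step 2 have no equivalent here; they were needed by the OpenSSL build of that era, not by current OpenSSL, which also seeds from the OS.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// GenerateKeyPEM corresponds to "openssl genrsa <bits> > cakey.pem": an RSA
// private key in traditional PKCS#1 PEM form, with no passphrase encryption,
// seeded from the OS CSPRNG via crypto/rand (no *.dat seed files required).
func GenerateKeyPEM(bits int) (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	block := &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)}
	return key, pem.EncodeToMemory(block), nil
}

// GenerateCSRPEM corresponds to "openssl req -new -key cakey.pem > server.csr":
// a PKCS#10 request carrying the subject and the public half of the key,
// signed with the private key. Subject fields are example placeholders.
func GenerateCSRPEM(key *rsa.PrivateKey, commonName string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{
			CommonName:   commonName,              // the AP's host name as clients will reach it
			Organization: []string{"Example Org"}, // placeholder value
			Country:      []string{"US"},          // placeholder value
		},
		SignatureAlgorithm: x509.SHA256WithRSA,
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// CheckKeyPEM enforces the manual's constraint that cakey.pem must not be
// encrypted: an encrypted PEM key carries a "Proc-Type: 4,ENCRYPTED" header
// and its body is not a parseable PKCS#1 key. It also confirms the key size.
func CheckKeyPEM(keyPEM []byte, wantBits int) error {
	block, _ := pem.Decode(keyPEM)
	if block == nil || block.Type != "RSA PRIVATE KEY" {
		return errors.New("not a PEM RSA PRIVATE KEY block")
	}
	if _, encrypted := block.Headers["Proc-Type"]; encrypted {
		return errors.New("key is passphrase-encrypted; generate it without -des/-des3/-idea")
	}
	key, err := x509.ParsePKCS1PrivateKey(block.Bytes)
	if err != nil {
		return err
	}
	if key.N.BitLen() != wantBits {
		return fmt.Errorf("key is %d bits, want %d", key.N.BitLen(), wantBits)
	}
	return nil
}

// CheckCSRPEM parses server.csr, verifies its self-signature, and confirms the
// embedded public key belongs to the private key in cakey.pem, which is what a
// CA checks before issuing. Returns the CommonName the CA would certify.
func CheckCSRPEM(csrPEM []byte, key *rsa.PrivateKey) (string, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return "", errors.New("not a PEM CERTIFICATE REQUEST block")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return "", err
	}
	if err := csr.CheckSignature(); err != nil {
		return "", err
	}
	pub, ok := csr.PublicKey.(*rsa.PublicKey)
	if !ok || !pub.Equal(&key.PublicKey) {
		return "", errors.New("CSR public key does not match cakey.pem")
	}
	return csr.Subject.CommonName, nil
}

// WriteKeyAndCSR produces cakey.pem and server.csr in dir, runs both checks,
// and returns the CommonName recorded in the CSR. The key file is mode 0600.
func WriteKeyAndCSR(dir string, bits int, commonName string) (string, error) {
	key, keyPEM, err := GenerateKeyPEM(bits)
	if err != nil {
		return "", err
	}
	if err := CheckKeyPEM(keyPEM, bits); err != nil {
		return "", err
	}
	csrPEM, err := GenerateCSRPEM(key, commonName)
	if err != nil {
		return "", err
	}
	cn, err := CheckCSRPEM(csrPEM, key)
	if err != nil {
		return "", err
	}
	if err := os.WriteFile(filepath.Join(dir, "cakey.pem"), keyPEM, 0o600); err != nil {
		return "", err
	}
	return cn, os.WriteFile(filepath.Join(dir, "server.csr"), csrPEM, 0o644)
}

func main() {
	dir, err := os.MkdirTemp("", "ap2500-ssl")
	if err != nil {
		panic(err)
	}
	// 1024 matches the manual's command; pass a larger size for current use.
	cn, err := WriteKeyAndCSR(dir, 1024, "ap.example.com")
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrote cakey.pem and server.csr to %s (CN=%s)\n", dir, cn)
}
```

Running it writes the two files into a fresh temporary directory; server.csr is what you submit to the CA, and cakey.pem stays on the machine that will hold the AP's private key. The key size is a parameter because 1024 only reproduces the manual's command: 1024-bit RSA has been considered too weak for years and public CAs now require at least 2048 bits, so use 2048 or larger for any certificate you intend to have signed today.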