NetBurner 3.1
Creating Self-Signed Certificates

Introduction

The NetBurner SSL library provides some open source tools for generating and maintaining SSL self-signed keys and certificates. These tools are based on OpenSSL and are subject to the OpenSSL License. The NetBurner SSL library code itself is subject to the standard NetBurner License (located by default in ).

  • openssl.exe: Creates certificates and keys
  • compfile: Creates .cpp files from certificates and keys

There is a readme.txt file in \nburn\CreateCerts that provides information on .bat and .sh files used to make the creation process easier. Please refer to the script files if you want more information on the OpenSSL options used to create the certificates and keys. Certificates should use the PEM format.

Creating a Certificate Authority (CA) Certificate and Key

This step creates a CA that you can use to sign certificates. Important: you should only have to do this step once. The key file created in this step must be protected, because the security of all your certificates depends on it. You have two choices for protecting this key file: with or without a pass phrase. Note: if you do not want the key protected by a pass phrase, leave the -des option off the genrsa command.

  • Open a command prompt in \nburn\CreateCerts.
  • Run makeca to create CA.crt and CA.key, which will be used by other script files to sign server and client certificates and keys.
  • You will be prompted to answer some questions. If you require more detailed information please refer to the OpenSSL web site and documentation.

Creating a Server Certificate and Key for Your Device

You will need to create a certificate and key for each device you deploy, and the Common Name (CN) in each certificate must match that device's name. For example, if you have 2 devices and are using DNS, you could name them Device1 and Device2, and each certificate's CN would need to match. Without DNS, you could use the devices' IP addresses as the CN; however, if a device's IP address changes, its certificate would no longer be valid because the CN would no longer match.

  • Open a command prompt in \nburn\CreateCerts.
  • Run 'makeserver' to create device.crt and device.key. The script also invokes compfile to create cert.cpp and key.cpp, in case you want to use a compiled-in certificate and key.
  • This certificate will be signed with the CA certificate created previously.

Converting a Certificate and Key to Code with compfile

The compfile utility converts .crt and .key files into C++ source files that can be built into your application (note that this implies each device needs its own application image). It is already invoked by the batch and shell files mentioned previously; this section is included in case you wish to run it separately against your own .crt and .key files.

  • Open a command prompt in \nburn\CreateCerts.
  • Execute the commands:
      compfile device.key comp_key comp_key_len key.cpp
      compfile device.crt comp_cert comp_cert_len cert.cpp

Note that comp_key, comp_key_len, comp_cert, and comp_cert_len all refer to global variables available in the application that represent the key data, the length of the key data, the cert data, and the length of the cert data respectively.
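A stand-in for compfile, added here as an example and not NetBurner's utility, showing what the conversion step produces: a C++ file that carries the input file's bytes in a data array and its size in a length variable, under the names you pass on the command line. The array and length types, and the sizeof-based length, are this example's assumptions; compfile's actual output format is not documented on this page, so match your application's declarations before dropping the file into a build.

```shell
#!/bin/sh
# Added example, not NetBurner's compfile. Converts a .crt or .key file into a C++
# translation unit with two globals: a byte array holding the file's contents and an
# unsigned length. The declared types are an assumption, not compfile's documented output.

# $1 = input .crt/.key, $2 = data array name, $3 = length variable name, $4 = output .cpp
pem_to_cpp() {
    in="$1"; data="$2"; len="$3"; out="$4"
    {
        printf '// Generated from %s; do not edit by hand\n' "$in"
        printf 'const unsigned char %s[] = {\n' "$data"
        # od prints every byte as two lowercase hex digits; wrap each as a 0x.. initializer
        od -An -v -tx1 "$in" | sed 's/[0-9a-f][0-9a-f]/0x&,/g'
        printf '};\n'
        printf 'const unsigned int %s = sizeof(%s);\n' "$len" "$data"
    } > "$out"
}

# Number of byte initializers in a generated file; must equal the input file's size in bytes.
cpp_byte_count() {
    grep -o '0x[0-9a-f][0-9a-f],' "$1" | wc -l | tr -d ' '
}
```

It takes the same four arguments as compfile, so `pem_to_cpp device.crt comp_cert comp_cert_len cert.cpp` mirrors the command above; `cpp_byte_count cert.cpp` is a quick way to confirm that nothing was truncated before the file goes into the application image.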

Adding the Module to your Code Set

Take the key.cpp and cert.cpp files created previously and import them into your project directory. If you are using command line tools, copy them to your project directory and add them to your makefile.

Using a Recognized Certificate Authority

If you are going to have your certificates signed by an external entity, it will need a Certificate Request file. Note: the common name you enter in this step must match the deployed DNS name or IP address of the server it will be used on.

  • Open a command prompt/DOS window
  • Navigate to the directory that you want to house your device files
  • To make a Device Certificate Request file, execute the following commands (press the Enter key after each):
      openssl genrsa -out Server.key 1024
      openssl req -new -key Server.key -out Server.csr
  • Send this Server.csr to the CA that will create your certificate.

Warning: If you lose the Server.key file associated with this particular device, then you will not be able to use the certificate file they send back.

Testing Your Certificates

The batch and shell files checkcert and checkkey can be found in \nburn\CreateCerts. For example:
    checkcert device.crt
    checkkey device.key
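The script below is an added example, not NetBurner's makeca, makeserver, checkcert or checkkey scripts. It reproduces the same flow with plain OpenSSL commands: a CA key and certificate made once (with an optional pass phrase), then a per-device key, a certificate request whose CN is the device's DNS name or IP address (the same .csr you would send to an external CA instead of signing it here), a certificate signed by the CA, and finally the two checks plus a CN comparison. It assumes openssl is on PATH; the file names, the 2048-bit key size, the 'Example Device CA' subject, AES-256 in place of the page's -des for the pass phrase, and the CA_PASS environment variable are this example's own choices.

```shell
#!/bin/sh
# Added example, not NetBurner's scripts: the makeca -> makeserver -> checkcert/checkkey
# flow with plain OpenSSL commands. Assumes `openssl` is on PATH. Every file name, the
# 2048-bit key size, the CA subject and the CA_PASS variable are this example's choices.
set -e

# All files are written here; the page's scripts use the current directory instead.
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Pass phrase protection for CA.key is optional: set CA_PASS in the environment to get an
# AES-256 encrypted key (the page's scripts use -des for the same purpose), leave it unset
# for an unencrypted key. The CA key is the root of trust for every device certificate.
ca_passin() {
    if [ -n "${CA_PASS:-}" ]; then echo "-passin env:CA_PASS"; fi
}

# Step 1 (makeca): one self-signed CA certificate and key. Done once per deployment.
make_ca() {
    if [ -n "${CA_PASS:-}" ]; then
        openssl genrsa -aes256 -passout env:CA_PASS -out "$WORKDIR/CA.key" 2048 2>/dev/null
    else
        openssl genrsa -out "$WORKDIR/CA.key" 2048 2>/dev/null
    fi
    openssl req -new -x509 -days 3650 -key "$WORKDIR/CA.key" $(ca_passin) \
        -subj "/CN=Example Device CA" -out "$WORKDIR/CA.crt"
}

# Step 2 (makeserver): per-device key and CSR with CN = the device's DNS name or IP
# address, then a certificate signed by the CA. The .csr is also what you would send to
# an external CA instead of signing it here.  $1 = CN, $2 = output basename.
make_device_cert() {
    openssl genrsa -out "$WORKDIR/$2.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/$2.key" -subj "/CN=$1" -out "$WORKDIR/$2.csr"
    openssl x509 -req -days 365 -in "$WORKDIR/$2.csr" -CA "$WORKDIR/CA.crt" \
        -CAkey "$WORKDIR/CA.key" $(ca_passin) -CAcreateserial \
        -out "$WORKDIR/$2.crt" 2>/dev/null
}

# checkcert: the device certificate must chain to CA.crt. Exit status 0 = OK.
check_cert() {
    openssl verify -CAfile "$WORKDIR/CA.crt" "$WORKDIR/$1.crt" >/dev/null 2>&1
}

# checkkey: the private key must parse and pass OpenSSL's consistency check.
check_key() {
    openssl rsa -in "$WORKDIR/$1.key" -check -noout >/dev/null 2>&1
}

# The CN stored in a device certificate, printed without the "subject=" prefix.
cert_cn() {
    openssl x509 -in "$WORKDIR/$1.crt" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//; s/^CN=//'
}

# Does the certificate's CN match the name clients will connect to? A renamed device or
# a changed IP address makes this fail, which is the mismatch the page warns about.
cn_matches() {
    [ "$(cert_cn "$1")" = "$2" ]
}
```

Source the file, call make_ca once, then make_device_cert Device1 device1 (or an IP address as the CN) for each device. check_cert device1 and check_key device1 exit non-zero on a broken or mismatched file, and cn_matches device1 Device1 is the comparison to repeat whenever a device's name or address changes, since a CN that no longer matches makes the certificate useless even though it still verifies against the CA.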