The NetBurner SSL library provides some open source tools for the generation and maintenance of SSL self-signed keys and certificates. These tools are based on OpenSSL and are subject to the OpenSSL License. The NetBurner SSL library code itself is subject to the standard NetBurner License (located by default in ).

openssl.exe: Creates certificates and keys
compfile: Creates .cpp files from certificates and keys

There is a readme.txt file in \nburn\CreateCerts that provides information on the .bat and .sh files used to make the creation process easier. Refer to the script files if you want more information on the OpenSSL options used to create the certificates and keys. Certificates should use the PEM format.
This step creates a CA you can use to sign certificates. Important: you should only have to do this step once. The key file created in this step must be protected, because the security of all your certificates depends on it. You have two choices to protect this key file. Note: if you do not want the key to be protected by a pass phrase, leave the -des option off the genrsa command.

1. Change to \nburn\CreateCerts
2. Run makeca to create CA.crt and CA.key, which will be used by the other script files to sign server and client certificates and keys.

You will need to create a certificate and key for each device you deploy, and the Common Name (CN) in the certificate must match each device's name. For example, if I have 2 devices and am using DNS, I could name them Device1 and Device2, and each certificate's CN would need to match. If I did not have DNS, I could use their IP addresses as the CN. However, if an IP address changes, that certificate would no longer be valid because the CN would not match.
1. Change to \nburn\CreateCerts
2. Run the script that creates device.crt and device.key. The script will also invoke compfile to create cert.cpp and key.cpp in case you want to use a compiled-in cert and key.

compfile
The compfile utility converts .crt and .key files to C++ source files that can be built into your application (note that this implies each device needs its own application image). It is already invoked by the batch and shell files mentioned previously; this section is included in case you wish to run it separately against your .crt and .key files.

1. Change to \nburn\CreateCerts
2. Run:
   compfile device.key comp_key comp_key_len key.cpp
   compfile device.crt comp_cert comp_cert_len cert.cpp

Note that comp_key, comp_key_len, comp_cert, and comp_cert_len are the names of global variables made available to the application that hold the key data, the length of the key data, the cert data, and the length of the cert data, respectively.
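What compfile does, written out as an added example in POSIX shell rather than NetBurner's own tool: the function takes the same four arguments (input file, data variable name, length variable name, output .cpp) and emits a C++ file defining the byte array and its length, then checks that the length compiled in equals the size of the PEM file. The page does not state the exact layout of compfile's output (type names, line formatting, whether a terminating 0 is appended), so the `const unsigned char` / `const unsigned int` declarations, the function names and the sample file are assumptions made here.

```shell
#!/bin/sh
# Added example, not NetBurner's compfile. Mirrors compfile's argument order
# (input file, data variable, length variable, output .cpp) using only POSIX
# od, awk and sed. File and variable names are constructed; the declaration
# types are an assumption, since the page does not show compfile's output.
set -eu

# pem_to_cpp <in-file> <data-name> <len-name> <out.cpp>
# Writes e.g.
#   const unsigned char comp_cert[] = { 0x2d, 0x2d, ... };
#   const unsigned int comp_cert_len = 1234;
# and prints the number of bytes embedded.
pem_to_cpp() {
    od -A n -t u1 -v "$1" | awk -v data="$2" -v len="$3" -v src="$1" -v out="$4" '
        BEGIN {
            printf("// Generated from %s by pem_to_cpp. Do not edit by hand.\n", src) > out
            printf("const unsigned char %s[] = {", data) > out
            n = 0
        }
        {
            for (i = 1; i <= NF; i++) {
                if (n % 12 == 0) printf("\n   ") > out
                printf(" 0x%02x,", $i) > out
                n++
            }
        }
        END {
            printf("\n};\nconst unsigned int %s = %d;\n", len, n) > out
            close(out)
            print n
        }'
}

# embedded_len <cpp-file> <len-name>: print the value assigned to <len-name>.
embedded_len() {
    sed -n "s/^const unsigned int $2 = \([0-9]*\);\$/\1/p" "$1"
}

# check_embedded <pem-file> <cpp-file> <len-name>: succeed only if the length
# compiled into the .cpp equals the size of the PEM file, the quick test that
# the right file was converted and nothing was truncated.
check_embedded() {
    [ "$(wc -c < "$1" | tr -d ' ')" -eq "$(embedded_len "$2" "$3")" ]
}

# Usage: sh pem_to_cpp.sh device.crt comp_cert comp_cert_len cert.cpp
if [ $# -eq 4 ]; then
    n=$(pem_to_cpp "$1" "$2" "$3" "$4")
    check_embedded "$1" "$4" "$3" && echo "$n bytes of $1 embedded in $4"
fi
```

Run it once per device with the device's own device.key and device.crt; because the array is compiled in, a key.cpp/cert.cpp pair belongs to exactly one device image, which is the point the note above makes about each device needing its own application image.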
Take the key.cpp and cert.cpp files created above and import them into your project directory. If you are using command line tools, copy them to your project directory and add them to your makefile.
If you are going to have your certificates signed by an external entity, they will need a Certificate Request file. Note: the common name you enter in this step must match the deployed DNS name or IP address of the server it will be used on.

   openssl genrsa -out Server.key 1024
   openssl req -new -key Server.key -out Server.csr

Send Server.csr to the CA that will create your certificate. Warning: if you lose the Server.key file associated with this particular device, you will not be able to use the certificate file they send back.
The batch and shell files checkcert and checkkey can be found in \nburn\CreateCerts. For example:

   checkcert device.crt
   checkkey device.key
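The CA step, the per-device certificate step and the checkcert/checkkey step above, carried through as one added POSIX shell example. This is not NetBurner's makeca, checkcert or checkkey script; it assumes only that the openssl command-line tool is on PATH, and the directory layout, subject names, validity periods and the 2048-bit key size are choices made here (the genrsa example on this page uses 1024, which is below what current guidance recommends). The device step goes through a CSR and then signs it, which is the same request you would send to an external CA if you are not signing certificates yourself.

```shell
#!/bin/sh
# Added example, not NetBurner's makeca/checkcert/checkkey scripts.
# Assumes: the openssl CLI is on PATH. Directory layout, subject names and
# the 2048-bit key size are constructed choices for this example.
set -eu

# make_ca <dir>: create CA.key and a self-signed CA.crt in <dir>.
# Done once; everything signed later depends on CA.key staying private.
# The key is written without a pass phrase so the script can run unattended.
make_ca() {
    openssl genrsa -out "$1/CA.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$1/CA.key" -out "$1/CA.crt" \
        -subj "/O=Example Devices/CN=Example Device CA" 2>/dev/null
}

# make_device <dir> <cn>: create device.key and device.crt in <dir>, with the
# certificate's CN set to <cn> (the device's DNS name or IP address).
# The CSR produced here is the same request you would send to an external CA.
make_device() {
    openssl genrsa -out "$1/device.key" 2048 2>/dev/null
    openssl req -new -key "$1/device.key" -out "$1/device.csr" \
        -subj "/O=Example Devices/CN=$2" 2>/dev/null
    openssl x509 -req -days 365 -in "$1/device.csr" \
        -CA "$1/CA.crt" -CAkey "$1/CA.key" -CAcreateserial \
        -out "$1/device.crt" 2>/dev/null
}

# check_cert <dir>: succeed only if device.crt chains to CA.crt.
check_cert() {
    openssl verify -CAfile "$1/CA.crt" "$1/device.crt" >/dev/null 2>&1
}

# check_key <dir>: succeed only if device.key is a consistent RSA key and
# belongs to device.crt (identical modulus). This catches a key/cert mix-up
# between two devices before the pair is compiled into an image.
check_key() {
    openssl rsa -in "$1/device.key" -check -noout >/dev/null 2>&1 || return 1
    key_mod=$(openssl rsa -in "$1/device.key" -noout -modulus)
    crt_mod=$(openssl x509 -in "$1/device.crt" -noout -modulus)
    [ "$key_mod" = "$crt_mod" ]
}

# cert_cn <dir>: print the CN in device.crt so it can be compared with the
# name or address the device is actually deployed under.
cert_cn() {
    openssl x509 -in "$1/device.crt" -noout -subject | sed 's/.*CN *= *//'
}

# Usage: sh devicecerts.sh <outdir> <device-name-or-ip>
if [ $# -eq 2 ]; then
    make_ca "$1"
    make_device "$1" "$2"
    check_cert "$1" && check_key "$1" && echo "device.crt issued for CN=$(cert_cn "$1")"
fi
```

check_key compares the RSA modulus in the key and in the certificate, which is the test that tells a device.key from one device apart from the device.crt of another; check_cert is the chain check that fails as soon as a certificate was signed by a different CA. The script follows the page and puts the device name only in the CN; modern TLS clients additionally look for the name in a subjectAltName extension, so check what your clients require before relying on CN matching alone.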