Creating Self-Signed Certificates

Many of the components in the Zibawa stack require certificates to enable them to communicate securely. A certificate serves two purposes: encryption and trust. When you are creating devices, it is often more convenient to use self-signed certificates, because you then control the entire authorization process yourself.

Install gnutls and ssl-cert (the ssl-cert package provides the ssl-cert group used later on this page)

sudo apt-get install gnutls-bin ssl-cert

Create directory:

mkdir myCA
cd myCA

Create a key

(use at least a 2048 bit key)

openssl genrsa -out rootCA.key 2048


Create a self-signed root CA certificate

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

You will be prompted for details to put on the certificate. Exactly what you put here is not important for our purposes, but it makes sense to use reasonable values, for example:

Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:Barcelona
Locality Name (eg, city) []:Barcelona
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Zibawa
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:smart-factory
Email Address []:me@email.com

Create a client or device certificate

First we create a key, as before

openssl genrsa -out device.key 2048

Now we create a signing request

openssl req -new -key device.key -out device.csr

You will again be prompted for the certificate details. The important one is the CN (Common Name), which must match the name or address by which your device is reached over the network. If you are using IP addresses, use the IP address, as below. If the device is reached over the internet, use its fully qualified domain name (FQDN).

Common Name (eg, YOUR name) []: 192.168.1.12

Now we use the signing request, the root certificate and the root key to create the final certificate.

openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days 500 -sha256
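The same procedure as a non-interactive script, so it can be repeated for each device without typing the prompts, and finished with the check a practitioner wants: that the device certificate actually chains to the root CA and carries the address it was issued for. This is an added example, not code from the Zibawa wiki. It assumes openssl is on the PATH; the subject values, directory names and the 192.168.1.12 address are constructed for illustration. It goes slightly beyond the text in one respect: it also writes the address into a subjectAltName extension (IP: for an IP address, DNS: for a host name), because most current clients match the address against the SAN rather than the CN alone.

```shell
#!/bin/sh
# Added example (not the wiki's own code). Assumes: openssl on PATH.
# All subject values, paths and addresses below are constructed samples.
set -eu

CA_SUBJ="/C=ES/ST=Barcelona/L=Barcelona/O=Zibawa/OU=IT/CN=smart-factory"

# make_ca DIR: private CA key plus self-signed root certificate (same
# commands as the page, with -subj instead of interactive prompts).
make_ca() {
    dir="$1"
    openssl genrsa -out "$dir/rootCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/rootCA.key" -sha256 -days 1024 \
        -subj "$CA_SUBJ" -out "$dir/rootCA.pem"
    chmod 600 "$dir/rootCA.key"   # the CA key is the one thing to protect
}

# make_device_cert DIR ADDR: device key, CSR and CA-signed certificate.
# ADDR goes into the CN and also into subjectAltName (IP: or DNS:).
make_device_cert() {
    dir="$1"; addr="$2"
    case "$addr" in
        *[!0-9.]*) san="DNS:$addr" ;;   # contains non-digits: a host name
        *)         san="IP:$addr"  ;;   # dotted digits only: an IPv4 address
    esac
    openssl genrsa -out "$dir/device.key" 2048 2>/dev/null
    openssl req -new -key "$dir/device.key" -subj "/O=Zibawa/CN=$addr" \
        -out "$dir/device.csr"
    printf 'subjectAltName=%s\n' "$san" > "$dir/device.ext"
    openssl x509 -req -in "$dir/device.csr" -CA "$dir/rootCA.pem" \
        -CAkey "$dir/rootCA.key" -CAcreateserial -out "$dir/device.crt" \
        -days 500 -sha256 -extfile "$dir/device.ext" 2>/dev/null
    chmod 640 "$dir/device.key"
}

# verify_cert CAFILE CERT: prints OK when CERT chains to CAFILE, else FAIL.
# This is the check a client (browser, RabbitMQ, ...) performs once it has
# been told to trust rootCA.pem.
verify_cert() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# cert_has_san CERT TEXT: prints yes if the certificate's SAN text contains
# TEXT (e.g. "IP Address:192.168.1.12" or "DNS:device.example").
cert_has_san() {
    if openssl x509 -in "$1" -noout -text | grep -q "$2"; then
        echo yes
    else
        echo no
    fi
}

# Stand-alone demonstration: build a CA, issue one device cert, check it.
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_ca "$work"
    make_device_cert "$work" 192.168.1.12
    echo "chain:  $(verify_cert "$work/rootCA.pem" "$work/device.crt")"
    echo "san:    $(cert_has_san "$work/device.crt" 'IP Address:192.168.1.12')"
fi
```

Run it with `sh make-certs.sh demo`. The second half is the useful part for troubleshooting: if `verify_cert` prints FAIL, the application you are configuring will reject the certificate no matter how the trust store is set up, and the problem is in the signing step, not in the application.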

The files we have now are:

rootCA.pem - the certificate authority certificate (public)
rootCA.key - the certificate authority key (private)
device.crt - the device (client) certificate signed by the root CA (public)
device.key - the device (client) key (private)

Add the certificate to a trust store

If we need an application (such as a web browser, RabbitMQ, etc.) to trust our client, then the application must be told to trust any certificate signed by the root CA. In practice this is done by giving the application the path to the rootCA.pem certificate, or by adding it to the computer's trusted certificate store. In Firefox, you can import the certificate via Preferences > Advanced > View Certificates > Import. On Windows, for example, you can import rootCA.pem into the trusted certificate store using the Certificate Manager application. Note that only rootCA.pem (the public certificate) is distributed; rootCA.key stays private, since anyone holding it can issue certificates that every trusting application will accept.

Change permissions to give your applications access to the certificates and keys

Change the ownership of the files to root:ssl-cert

sudo chown -R root:ssl-cert /etc/ssl

Add the following users to group ssl-cert

sudo usermod -a -G ssl-cert grafana
sudo usermod -a -G ssl-cert rabbitmq
sudo usermod -a -G ssl-cert openldap
sudo usermod -a -G ssl-cert zibawa
sudo usermod -a -G ssl-cert influxdb
sudo usermod -a -G ssl-cert postgres

You may also need to change the permissions of individual certificates or keys so that the owner can write, the ssl-cert group can read, and nobody else has access:

sudo chmod 640 /path/to/file

Do not be tempted to set all permissions under /etc/ssl to 750, since some applications (such as postgres) will then not start.

Now you are ready to configure SSL

More information about SSL

adm/creating_self_signed_certificates.txt · Last modified: 2017/06/15 10:13 by matt