Many of the components in the Zibawa stack require certificates to communicate securely. A certificate serves two purposes: encryption and trust. When you are creating devices it is often more convenient to use self-signed certificates, because you then control the entire authorization process yourself.
sudo apt-get install gnutls-bin ssl-cert
mkdir myCA
cd myCA
Create the root CA key (at least a 2048-bit key):
openssl genrsa -out rootCA.key 2048
Create the self-signed root CA certificate:
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
You will be prompted for details to put on the certificate. Exactly what you enter here is not important for our purposes, but it makes sense to use reasonable values.
Country Name (2 letter code) [AU]:ES
State or Province Name (full name) [Some-State]:Barcelona
Locality Name (eg, city) []:Barcelona
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Zibawa
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:smart-factory
Email Address []:firstname.lastname@example.org
First we create a key for the device, as before:
openssl genrsa -out device.key 2048
Now we create a certificate signing request (CSR):
openssl req -new -key device.key -out device.csr
You will again be prompted for the certificate details. The important one is the CN (Common Name), which must match the way your device is reached over the network. If you are using IP addresses, use the IP address, as follows. If you are accessing the device over the internet, use its fully qualified domain name (FQDN).
Common Name (eg, YOUR name) : 192.168.1.12
Now we use the signing request, the root certificate and the root key to create the final certificate:
openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days 500 -sha256
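The same procedure as an added, non-interactive script (not part of the original guide), followed by a check that the device certificate actually chains to the root CA and carries the address it was issued for. It assumes openssl is on the PATH and uses the page's example values (192.168.1.12, the Zibawa subject fields); the subjectAltName extension goes beyond the page, because modern TLS clients ignore the CN and check the SAN instead.

```shell
#!/bin/sh
# Added example, not code from the Zibawa project. Assumes openssl is installed.
set -eu

# make_device_cert DIR IP: creates rootCA.key/rootCA.pem and device.key/device.crt in DIR.
make_device_cert() {
    dir="$1"; ip="$2"
    mkdir -p "$dir"
    # 1. CA private key (2048 bits) and self-signed CA certificate (subject values from the page)
    openssl genrsa -out "$dir/rootCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/rootCA.key" -sha256 -days 1024 \
        -subj "/C=ES/ST=Barcelona/L=Barcelona/O=Zibawa/OU=IT/CN=smart-factory" \
        -out "$dir/rootCA.pem"
    # 2. device key and CSR; the CN must match how the device is addressed
    openssl genrsa -out "$dir/device.key" 2048 2>/dev/null
    openssl req -new -key "$dir/device.key" -subj "/CN=$ip" -out "$dir/device.csr"
    # 3. sign the CSR with the CA. The extension file is constructed here so the IP
    #    also appears as a subjectAltName, which browsers and most TLS libraries require.
    printf 'subjectAltName=IP:%s\n' "$ip" > "$dir/san.ext"
    openssl x509 -req -in "$dir/device.csr" -CA "$dir/rootCA.pem" -CAkey "$dir/rootCA.key" \
        -CAcreateserial -days 500 -sha256 -extfile "$dir/san.ext" -out "$dir/device.crt"
    # private keys readable by owner and group only, as the permissions section prescribes
    chmod 640 "$dir/rootCA.key" "$dir/device.key"
}

# verify_device_cert DIR IP: returns 0 only if device.crt is signed by rootCA.pem
# and was issued for IP, otherwise 1.
verify_device_cert() {
    dir="$1"; ip="$2"
    openssl verify -CAfile "$dir/rootCA.pem" "$dir/device.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/device.crt" -noout -text | grep -q "IP Address:$ip" || return 1
    return 0
}
```

Running `make_device_cert myCA 192.168.1.12 && verify_device_cert myCA 192.168.1.12` reproduces the files the guide creates and confirms the chain before you hand rootCA.pem to RabbitMQ or a browser.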
The files we have now are:
rootCA.pem    the certificate authority certificate (public)
rootCA.key    the certificate authority key (private)
client.key    the client key (private)
If we need an application (such as a web browser, RabbitMQ, etc.) to trust our client, then the application must be told to trust any certificate signed by the rootCA. In practice this is achieved by giving the application the path to the rootCA.pem certificate, or by adding it to the computer's trusted certificate store. In Firefox, you can import the certificate via Preferences > Advanced > View Certificates > Import. In Windows, for example, you can import the rootCA into the trusted certificate store using the certificate manager application.
Change ownership of files to root:ssl-cert
sudo chown -R root:ssl-cert /etc/ssl
Add the following users to the group ssl-cert:
sudo usermod -a -G ssl-cert grafana
sudo usermod -a -G ssl-cert rabbitmq
sudo usermod -a -G ssl-cert openldap
sudo usermod -a -G ssl-cert zibawa
sudo usermod -a -G ssl-cert influxdb
sudo usermod -a -G ssl-cert postgres
If necessary, change the permissions of individual certificate files so that they are as we need them:
sudo chmod 640 /path/to/file
Do not be tempted to set all permissions under /etc/ssl to 750, since some applications (such as postgres) will then fail to start.
Now you are ready to configure SSL.