
Generate A Self Signed Certificate For Your Industrial Edge Device [Windows]

We discussed self signed certificates in a previous blog post. In this post we look at how to create one for your industrial edge device. The key steps are:

Install OpenSSL

To generate self signed certificates we will use OpenSSL. OpenSSL is an open-source software library that provides cryptographic functions and tools. Many web servers and applications rely on OpenSSL for secure communication and encryption, making it a widely used and trusted tool in the realm of network security.

OpenSSL offers various capabilities, including generating and managing certificates, private keys and public keys, and it provides encryption and decryption functions for data security. Its command-line tools let users perform cryptographic operations such as creating certificate signing requests (CSRs), generating self-signed certificates and converting certificate formats.

You can download the software from the official OpenSSL website: https://www.openssl.org/

Once installation is complete you will need to add the path of the OpenSSL executable to your environment variables so that the operating system can find it. In our example shown below OpenSSL is installed in the location C:\Program Files\OpenSSL-Win64\bin:

Add openSSL to environment variables

Once the application has been added to the environment variables we can use PowerShell to generate the certificates. You can check that OpenSSL is installed and working by running the following command in PowerShell:

openssl version 

With OpenSSL installed we can now start the process of creating our certificates.

Create a CA certificate

To keep things organised, make a new folder for your certificates. For this example I created a new (empty) folder called "SSLCerts" in my C:\ drive. In PowerShell navigate to the newly created folder and create an RSA private key for your CA certificate by running the following command:

openssl genrsa -des3 -out myorg-ca.key 2048

There are various encryption options available (we are using des3 in our example). These options encrypt the private key with the specified cipher before writing it out. You will be prompted for a pass phrase to use for encrypting the key. This pass phrase is needed again in every subsequent request that uses the CA key to sign a CSR. The command will output the myorg-ca.key file in the local directory:

generate RSA key for CA

Now we can create the CA certificate using the generated key file by running the following command:

openssl req -new -x509 -days 1826 -key myorg-ca.key -out myorg-ca.crt

The command specifies how long this CA certificate will be valid for. Choose an appropriate length of time for your application. The default is 30 days, but since this is not for public facing services you can choose a longer time frame. You will be prompted for information regarding the Certification Authority that you are creating. The command will create a certificate containing the provided information, signed using the RSA private key:


create a CA cert from RSA key

We now have the CA certificate that we can use to sign CSRs for our industrial Edge Devices. We need a place to store a record of the certificates signed by our CA. For this purpose, create a new empty text file called index.txt in the working directory.

Create a CSR for the Industrial Edge Device

In your working directory create a new folder for the Industrial Edge Device. This is where the RSA key and certificate for the device will be stored. Navigate to the folder and generate the key file:

openssl genrsa -out ied01.key 2048

generate RSA key for server

We now have a key that we can use to create a CSR. When creating a CSR a few options need to be specified, most importantly SANs (Subject Alternative Names). These are especially important if you're using the IP address of the device to create the CSR. The SAN extension is used to specify the hostname in addition to the IP address of the device. You can read about SANs here.


In the folder for your device create a new configuration file and give it a descriptive name. I created the file named "ied01-ssl.conf". Open the file in a text editor and paste in the following contents (modify to suit your situation):

[ca]
default_ca = CA_default

[CA_default]
dir = ../                       # directory path where the CA cert is stored
database = $dir/index.txt       # file to store the record of signed certs
new_certs_dir = .               # directory where the signed certificates will be stored
serial = $dir/serial            # serial no generated for the certificates
private_key = $dir/myorg-ca.key
certificate = $dir/myorg-ca.crt
default_days = 3650
default_md = sha256
policy = policy_anything
copy_extensions = copyall

[policy_anything]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[req]
prompt = yes
distinguished_name = req_distinguished_name
req_extensions = v3_ca

[req_distinguished_name]
# with prompt = yes the value after CN is the prompt text; CN_default pre-fills the answer so you only have to confirm it
CN = Common Name (IP address or hostname of the device)
CN_default = 192.168.0.115    #IP address hostname for the server - modify to suit

[v3_ca]
subjectAltName = @alt_names

[alt_names]
IP.1 = 192.168.0.115          #IP address for the server (required) - modify to suit
DNS.1 = ievd-c212cb8e         #hostname for the server (required) - modify to suit

To be able to connect to the device using its hostname, the DNS name must match the record on your DNS server or default router.


Create a CSR using the key file and the configuration file by running the following command:

openssl req -new -config ied01-ssl.conf -key ied01.key -out ied01.csr

The command will prompt you to confirm the provided distinguished name and output the CSR:

create a CSR using config file

Generate a self signed Certificate from the CSR

With the CSR created we can generate a certificate and sign it using our CA. Run the following command to generate the certificate:

openssl ca -config ied01-ssl.conf -create_serial -batch -in ied01.csr -out ied01.crt

Upon running the command you will be prompted for the pass phrase used to encrypt the CA key. Upon successful completion a new certificate is generated, ready for deployment:

generate a self signed certificate from CSR

The record for the certificate is added to the database file specified in the configuration (index.txt in our case):

CA signed certificate store
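Before deploying, it is worth checking that the signed certificate actually carries the SANs from the CSR, chains to the CA and matches the device key. The following PowerShell function is an added example, not part of the original post; it assumes the file names used above, that it is run from the device folder with the CA files one level up (as in the configuration), and that openssl is on the PATH.

```powershell
# Added example: sanity-check a freshly signed device certificate before deploying it.
function Test-EdgeCert {
    param(
        [string]$CaCert      = "..\myorg-ca.crt",
        [string]$Key         = "ied01.key",
        [string]$Cert        = "ied01.crt",
        [string]$ExpectedIP  = "192.168.0.115",
        [string]$ExpectedDNS = "ievd-c212cb8e"
    )
    $ok = $true

    # 1. The certificate must chain to our CA
    $verify = & openssl verify -CAfile $CaCert $Cert 2>&1
    if ($LASTEXITCODE -ne 0) { Write-Warning "Chain check failed: $verify"; $ok = $false }

    # 2. The SANs must have been copied from the CSR (copy_extensions = copyall)
    $text = (& openssl x509 -in $Cert -noout -text) -join "`n"
    if ($text -notmatch "IP Address:$([regex]::Escape($ExpectedIP))") {
        Write-Warning "SAN is missing IP $ExpectedIP"; $ok = $false
    }
    if ($text -notmatch "DNS:$([regex]::Escape($ExpectedDNS))") {
        Write-Warning "SAN is missing DNS name $ExpectedDNS"; $ok = $false
    }

    # 3. The private key must belong to this certificate (compare the public keys)
    $certPub = (& openssl x509 -in $Cert -noout -pubkey) -join ""
    $keyPub  = (& openssl pkey -in $Key -pubout) -join ""
    if ($certPub -ne $keyPub) { Write-Warning "Key does not match certificate"; $ok = $false }

    # 4. Not expired, and not expiring within the next 30 days (2592000 seconds)
    & openssl x509 -in $Cert -noout -checkend 2592000 | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Certificate has expired or expires within 30 days"; $ok = $false }

    return $ok
}

if (Test-EdgeCert) { "ied01.crt is ready to deploy" } else { "Fix the warnings above before deploying" }
```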

Deploy to your Industrial Edge Device

To deploy the certificate, sign in to the Industrial Edge Device webserver and navigate to Settings>System. Click on “Import Edge Device Certificate” and add the SSL key and certificate file created for the industrial edge device (not the CA):

upload certificate to the industrial edge device

Click import to upload the certificates to the device.

Install certificates on clients

Installing certificates on the client is just as easy. However, before installing the certificate for the industrial edge device we must install the certificate for our CA as a trusted root.

Install CA Certificate

On the client device double click the CA certificate created and click install:

install the CA certificate

In the Certificate Import Wizard select Local Machine so that the CA certificate is available for all users/applications. That way all future certificates signed using your CA will be valid for every user/application on the machine.

Under Certificate Store select “Place all certificates in the following store” and select “Trusted Root Certification Authorities” and click Ok.

install CA certificate

Click Next and then Finish to complete the certificate installation. You should be prompted with a success message stating that “The import was successful”. You can view your installed certificate by navigating to “Manage Computer Certificates” under Administrative Tools in control panel:

view installed certificates

Install Industrial Edge Device Certificate

To install the certificate, you can copy the industrial edge device certificate to the client or, alternatively, on your client machine go to the industrial edge device's webserver and from the Sign in page click the download link for “Certificate”:


download the certificates from the industrial edge device


Double click the downloaded certificate and click install. Store the certificate in the Trusted Devices store:


install certificate for the industrial edge device


Click Next and Finish to complete the installation. You can now restart the browser and navigate to the webserver for the industrial edge device. If the certificates have been correctly configured and installed you should have a valid and secure session established with the server (indicated by a grey lock in the address bar):


connect to the industrial edge device with valid certificates


Congratulations you have successfully created and deployed a self signed certificate for your industrial edge device. You can generate a certificate for your other industrial edge devices and industrial edge management server by following the same steps to generate the CSR and using the CA certificate to sign them.
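To repeat the CSR and signing steps for further devices without hand-editing a configuration file each time, the following PowerShell function is an added example (not part of the original post) that generalises the procedure above: it writes the same configuration with prompt = no so it runs unattended, generates the key and CSR, signs with the CA and verifies the result. It assumes it is run from the CA folder (C:\SSLCerts) where myorg-ca.key, myorg-ca.crt and index.txt already exist, that openssl is on the PATH, and that the device name, IP and hostname in the usage line are constructed values.

```powershell
# Added example: automate the CSR + signing steps above for one more device.
# Run from the CA folder (C:\SSLCerts); creates a sub-folder per device.
function New-EdgeDeviceCert {
    param(
        [Parameter(Mandatory)][string]$Name,   # device folder and file prefix, e.g. ied02
        [Parameter(Mandatory)][string]$IP,     # device IP address
        [Parameter(Mandatory)][string]$DNS,    # device hostname
        [int]$Days = 3650
    )
    New-Item -ItemType Directory -Path $Name -Force | Out-Null
    Push-Location $Name
    try {
        # Same configuration as the worked example, with prompt = no so it runs unattended
        @"
[ca]
default_ca = CA_default
[CA_default]
dir = ../
database = `$dir/index.txt
new_certs_dir = .
serial = `$dir/serial
private_key = `$dir/myorg-ca.key
certificate = `$dir/myorg-ca.crt
default_days = $Days
default_md = sha256
policy = policy_anything
copy_extensions = copyall
[policy_anything]
commonName = supplied
[req]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
CN = $IP
[v3_req]
subjectAltName = IP:$IP,DNS:$DNS
"@ | Set-Content -Path "${Name}-ssl.conf" -Encoding ascii

        & openssl genrsa -out "${Name}.key" 2048
        & openssl req -new -config "${Name}-ssl.conf" -key "${Name}.key" -out "${Name}.csr"
        # openssl ca still prompts for the CA key pass phrase; -batch only skips the y/n confirmation
        & openssl ca -config "${Name}-ssl.conf" -create_serial -batch -in "${Name}.csr" -out "${Name}.crt"
        if ($LASTEXITCODE -ne 0) { throw "Signing ${Name} failed" }
        & openssl verify -CAfile ../myorg-ca.crt "${Name}.crt"
    } finally { Pop-Location }
}

# Usage (constructed values): New-EdgeDeviceCert -Name ied02 -IP 192.168.0.116 -DNS ievd-example02
```

The signed record lands in the shared index.txt one level up, so the same CA database tracks every device certificate you issue this way.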
