Local certificate authority with OpenSSL

Several features covered in this guide rely on X.509 certificates to identify and authenticate devices when secure connections are established. Two kinds of certificate can be used: self-signed certificates, which the device generates and signs itself and which are suitable only for non-production testing because a peer has no independent way to validate them; and certificates issued by a trusted certificate authority (CA), which clients and servers within an organization or on the public internet validate against the CA's root certificate. The local CA configured below is of the second kind: its root certificate is self-signed, but every device certificate it issues chains to that root, so any client that trusts the root certificate can verify a device certificate the CA has signed.

The following example illustrates how to configure a local certificate authority using Ubuntu Linux and the OpenSSL cryptography library:

root@localca:~# apt-get update
root@localca:~# apt-get install openssl
root@localca:~# mkdir ./localCA
root@localca:~# mkdir ./localCA/private/
root@localca:~# mkdir ./localCA/certs/
root@localca:~# mkdir ./localCA/newcerts/
root@localca:~# chmod 700 ./localCA/private/
root@localca:~# touch ./localCA/index.txt
root@localca:~# echo 1000 > ./localCA/serial
root@localca:~# chmod 600 ./localCA/index.txt ./localCA/serial
root@localca:~# openssl req -newkey rsa:2048 -x509 -extensions v3_ca -keyout ./localCA/private/cakey.pem -out ./localCA/cacert.pem -days 3650
Generating a 2048 bit RSA private key
...............+++
.+++
writing new private key to './localCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Roseville
Organization Name (eg, company) [Internet Widgits Pty Ltd]:HPE
Organizational Unit Name (eg, section) []:Aruba
Common Name (e.g. server FQDN or YOUR name) []:localCA
Email Address []:

Install an SFTP server, such as the sftp subsystem of OpenSSH, and copy only the CA root certificate file cacert.pem into the SFTP root folder. The CA private key (cakey.pem) must never leave the CA host and should stay readable by root only. This guide uses cacert.pem wherever a CA root certificate is required to issue or validate an SSL or TLS certificate.
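The directory layout created above (index.txt, serial, newcerts/) is the layout that the openssl ca command expects, but Ubuntu's stock /etc/ssl/openssl.cnf points openssl ca at ./demoCA, so the ./localCA tree needs its own configuration before it can issue certificates. The script below is an added example, not part of this guide or of any HPE Aruba product: it builds the CA non-interactively with a minimal openssl.cnf, then issues and verifies a device certificate, which is the step that turns the root created above into a working CA. It assumes the CA key passphrase is supplied in the CA_PASS environment variable, that the caller chooses the CA directory and device names, and that the device key and CSR are generated locally for demonstration (a real device would generate its own CSR).

```shell
#!/bin/sh
# Added example, not from the guide: a local CA in the ./localCA layout with
# its own openssl.cnf so that `openssl ca` can issue device certificates and
# record them in index.txt and serial.
# Assumptions: CA_PASS holds the CA key passphrase; the caller picks the CA
# directory and device names; device keys/CSRs are generated here for demo.
set -eu

# Create the directory layout, a minimal CA configuration and the
# self-signed root certificate.  Usage: setup_local_ca <ca_dir>
setup_local_ca() {
    mkdir -p "$1/private" "$1/certs" "$1/newcerts"
    ca_dir=$(cd "$1" && pwd)             # absolute path for the config file
    chmod 700 "$ca_dir/private"          # CA key directory: owner only
    : > "$ca_dir/index.txt"              # database of issued certificates
    echo 1000 > "$ca_dir/serial"         # next serial number, in hex

    cat > "$ca_dir/openssl.cnf" <<EOF
[ ca ]
default_ca = localCA

[ localCA ]
dir           = $ca_dir
new_certs_dir = \$dir/newcerts
database      = \$dir/index.txt
serial        = \$dir/serial
certificate   = \$dir/cacert.pem
private_key   = \$dir/private/cakey.pem
default_md    = sha256
default_days  = 365
policy        = policy_local

[ policy_local ]
commonName             = supplied
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional

[ req ]
distinguished_name = req_dn

[ req_dn ]

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
EOF

    # Self-signed root valid 10 years; the key is encrypted under CA_PASS.
    # The subject mirrors the interactive answers shown in the guide.
    openssl req -config "$ca_dir/openssl.cnf" -new -x509 -extensions v3_ca \
        -newkey rsa:2048 -sha256 -days 3650 -passout env:CA_PASS \
        -subj "/C=US/ST=California/L=Roseville/O=HPE/OU=Aruba/CN=localCA" \
        -keyout "$ca_dir/private/cakey.pem" -out "$ca_dir/cacert.pem"
    chmod 600 "$ca_dir/private/cakey.pem"
}

# Issue a certificate for one device and print the certificate path.
# Usage: issue_device_cert <ca_dir> <device_fqdn>
issue_device_cert() {
    ca_dir=$(cd "$1" && pwd)
    fqdn=$2
    out="$ca_dir/certs/$fqdn"
    # Device key and CSR (generated here only for the demonstration).
    openssl req -config "$ca_dir/openssl.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/CN=$fqdn" -keyout "$out.key" -out "$out.csr"
    # Extensions are set by the CA, never copied from the CSR, so a
    # requester cannot ask for CA:TRUE or for names it does not own.
    cat > "$out.ext" <<EOF
[ device_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = DNS:$fqdn
EOF
    openssl ca -batch -notext -config "$ca_dir/openssl.cnf" -passin env:CA_PASS \
        -extfile "$out.ext" -extensions device_cert \
        -in "$out.csr" -out "$out.crt" >/dev/null
    # Never hand out a certificate that does not chain to our own root.
    openssl verify -CAfile "$ca_dir/cacert.pem" "$out.crt" >/dev/null
    echo "$out.crt"
}
```

Run it as root on the CA host with, for example, `CA_PASS=... ; export CA_PASS; setup_local_ca ./localCA; issue_device_cert ./localCA switch01.example.net`. Each issued certificate is also copied to newcerts/ under its serial number and appended to index.txt with a leading V (valid), which is the record you revoke against later; only cacert.pem is copied to the SFTP folder, never anything under private/.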

To utilize a different certificate service platform, refer to the appropriate platform documentation.