
Certificate Support

Cryptographic certificates are required to use the security features of the WAN transport. This section describes a mechanism to use the OpenSSL command line tool to generate a simple private certificate authority. For more information, see the manual page for the openssl tool (http://www.openssl.org/docs/apps/openssl.html) or the book, "Network Security with OpenSSL" by Viega, Messier, & Chandra (O'Reilly 2002), or other references on Public Key Infrastructure.

  1. Initialize the Certificate Authority:
     1. Create a copy of the openssl.cnf file and edit its fields to specify the proper default names and paths.
     2. Create the required CA directory structure:
        mkdir myCA
        mkdir myCA/certs
        mkdir myCA/private
        mkdir myCA/newcerts
        mkdir myCA/crl
        touch myCA/index.txt
     3. Create a self-signed certificate and CA private key:
        openssl req -nodes -x509 -days 1095 -newkey rsa:2048 \
            -keyout myCA/private/cakey.pem -out myCA/cacert.pem \
            -config openssl.cnf
  2. For each identifying certificate:
     1. You may want to create a copy of your customized openssl.cnf file with default identifying information to be used as a template for certificate request creation; the commands below refer to this file as template.cnf.
     2. Generate a certificate request and private key:
        openssl req -nodes -new -newkey rsa:2048 -config template.cnf \
            -keyout peer1key.pem -out peer1req.pem
     3. Use the CA to sign the certificate request and generate the certificate:
        openssl ca -create_serial -config openssl.cnf -days 365 \
            -in peer1req.pem -out myCA/newcerts/peer1cert.pem
     4. Optionally, append the private key to the peer certificate:
        cat myCA/newcerts/peer1cert.pem peer1key.pem \
            > ${private location}/peer1.pem
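The following script is an added example, not RTI's own tooling, that runs the whole procedure above end to end in a scratch directory. Because the manual assumes you have already customized openssl.cnf, the script writes a minimal configuration of its own (the config contents, the subject names, the helper function names and the use of -subj and -batch are assumptions for illustration). After signing it performs the two checks a practitioner wants before handing the bundle to the transport: the peer certificate verifies against the CA certificate, and the private key in the bundle matches the certificate's public key.

```shell
#!/bin/sh
# Added example (not from the RTI manual): private CA setup and peer
# certificate issuance with OpenSSL, using a self-contained openssl.cnf.
set -eu

# Minimal openssl.cnf (assumed content). Paths are relative to the working
# directory and mirror the myCA/ layout used in the manual. The v3_ca section
# marks the self-signed certificate as a CA, which 'openssl verify' requires.
write_config() {
    cat > openssl.cnf <<'EOF'
[ ca ]
default_ca = CA_default

[ CA_default ]
dir            = ./myCA
new_certs_dir  = $dir/newcerts
database       = $dir/index.txt
serial         = $dir/serial
certificate    = $dir/cacert.pem
private_key    = $dir/private/cakey.pem
default_md     = sha256
default_days   = 365
policy         = policy_peer

[ policy_peer ]
commonName             = supplied
organizationName       = optional
organizationalUnitName = optional
countryName            = optional
stateOrProvinceName    = optional
emailAddress           = optional

[ req ]
distinguished_name = req_dn
prompt             = no
x509_extensions    = v3_ca

[ req_dn ]
CN = Example Secure WAN CA

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Step 1: directory layout, then the self-signed CA certificate and key.
init_ca() {
    mkdir -p myCA/certs myCA/private myCA/newcerts myCA/crl
    chmod 700 myCA/private   # the CA key is the trust root; keep it private
    touch myCA/index.txt
    openssl req -nodes -x509 -days 1095 -newkey rsa:2048 \
        -keyout myCA/private/cakey.pem -out myCA/cacert.pem \
        -config openssl.cnf
}

# Step 2: request, sign and bundle one identifying certificate.
# $1 is the peer name; its subject is derived from it (assumption).
issue_peer() {
    peer="$1"
    openssl req -nodes -new -newkey rsa:2048 -config openssl.cnf \
        -subj "/CN=$peer" -keyout "${peer}key.pem" -out "${peer}req.pem"
    # -batch answers the interactive sign/commit prompts; -create_serial
    # creates the first serial number so no pre-seeded serial file is needed.
    openssl ca -batch -create_serial -config openssl.cnf -days 365 \
        -in "${peer}req.pem" -out "myCA/newcerts/${peer}cert.pem"
    # The manual's optional last step: certificate followed by private key.
    cat "myCA/newcerts/${peer}cert.pem" "${peer}key.pem" > "${peer}.pem"
    chmod 600 "${peer}.pem"  # the bundle contains a private key
}

# Checks: the certificate chains to the CA, and the bundled key matches it.
check_peer() {
    peer="$1"
    openssl verify -CAfile myCA/cacert.pem "myCA/newcerts/${peer}cert.pem" >/dev/null
    certpub=$(openssl x509 -in "${peer}.pem" -noout -pubkey)
    keypub=$(openssl pkey -in "${peer}.pem" -pubout)
    [ "$certpub" = "$keypub" ]
}

# Runs the whole procedure inside the directory given as $1.
run_demo() {
    cd "$1"
    write_config
    init_ca
    issue_peer peer1
    check_peer peer1
}

workdir=$(mktemp -d)
run_demo "$workdir" && echo "peer1 certificate issued and verified in $workdir"
```

Keep the generated openssl.cnf and the myCA/ tree together: `openssl ca` records every issued certificate in myCA/index.txt and the next serial in myCA/serial, so running the signing step in a different directory, or after deleting those files, leaves the CA with no record of what it has signed.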

© 2015 RTI