CC3100 & CC3200 Generate Certificate
Overview
This page explains how to generate private keys, certificates and CA certificates with OpenSSL.
Software Requirements
- Latest package of OpenSSL
In the \bin directory of the installation path you will find openssl.exe, which is used for all the certificate operations on this page. Please refer to the documentation of the OpenSSL tool for detailed usage.
Private Key
To create a new private key for a certificate:
<syntaxhighlight lang="bash">
openssl genrsa -out privkey.pem 2048
</syntaxhighlight>
Key attributes:
- The key size here is 2048 bits; you can use any key size you want (1024, 2048, 4096…).
- The name of the file is replaceable.
- The default format is PEM, which is an ASCII form. In many systems the binary format, DER, is more popular because it is smaller in size. To convert between the formats:
<syntaxhighlight lang="bash">
openssl rsa -in privkey.pem -inform PEM -out privkey.der -outform DER
</syntaxhighlight>
Certificate and CA
The CA (Certificate Authority) is a certificate which is self-signed and is used for signing other certificates. To generate one:
<syntaxhighlight lang="bash">
openssl req -new -x509 -days 3650 -key privkey.pem -out root-ca.pem
</syntaxhighlight>
Key attributes:
- -days: determines how long the certificate will be valid.
- -key: the private key generated in the Private Key section of this document, in PEM format.
- The output is in PEM format. To convert from PEM to DER use:
<syntaxhighlight lang="bash">
openssl x509 -in input.crt -inform PEM -out output.crt -outform DER
</syntaxhighlight>
To generate a certificate you first have to prepare the certificate request. As when making a CA, this means filling in the wanted data, such as the country code, name, etc. This is done with the command:
<syntaxhighlight lang="bash">
openssl req -new -key privkey.pem -out cert.pem
</syntaxhighlight>
Key attributes:
- The private key is different from the one used for the CA. Make a fresh one. Each certificate should have its own private key.
After generating a certificate form (also called a certificate request) you need to sign it with another certificate. Usually it is signed with the CA, but if you are making a chain you need to sign it with another certificate. To do the signing:
<syntaxhighlight lang="bash">
openssl x509 -req -days 730 -in cert.pem -CA ca.pem -CAkey CAPrivate.pem -set_serial 01 -out cert.pem
</syntaxhighlight>
Key attributes:
- Here we use the CA. As said, you can use whatever certificate you like to sign the generated certificate.
- Note that the key here is the CA private key.
- The "days" argument determines how long the certificate will be valid.
- -set_serial 01 is needed. Take it as default.
In conclusion, if you want to generate a CA and then a certificate signed by the CA, do the following:
- Generate Private Key for the CA.
- Generate Private Key for the certificate.
- Make a CA with its private key.
- Make a certificate request with its private key.
- Sign the certificate with the CA and the CA private key.
- If you want to make a chain, create another private key and certificate request and sign it with the other certificate.
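The steps above can be run end to end without interactive prompts and then checked. The following script is an added example, not part of the original TI page: the file names and the -subj values are assumptions chosen for illustration, and the last step confirms that the issued certificate verifies against the CA and carries the public key of its own private key.

```shell
#!/bin/sh
# Added example: the CA -> request -> signed certificate flow, non-interactive.
# File names and -subj values are assumptions chosen for illustration.
# Usage: make_chain ./out

# Succeeds only if certificate $2 carries the public key of private key $1.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    [ "$k" = "$c" ]
}

# Succeeds only if certificate $2 verifies against CA certificate $1.
signed_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_chain() {
    d="$1"
    mkdir -p "$d" || return 1

    # Steps 1-2: one private key for the CA, a separate one for the certificate.
    openssl genrsa -out "$d/ca-key.pem" 2048 2>/dev/null || return 1
    openssl genrsa -out "$d/cert-key.pem" 2048 2>/dev/null || return 1

    # Step 3: self-signed CA certificate, valid for 3650 days.
    openssl req -new -x509 -days 3650 -key "$d/ca-key.pem" \
        -subj "/C=US/O=Example/CN=Example Root CA" -out "$d/root-ca.pem" || return 1

    # Step 4: certificate request, kept in its own file.
    openssl req -new -key "$d/cert-key.pem" \
        -subj "/C=US/O=Example/CN=device.example.test" -out "$d/cert-req.pem" || return 1

    # Step 5: sign the request with the CA certificate and the CA private key.
    openssl x509 -req -days 730 -in "$d/cert-req.pem" -CA "$d/root-ca.pem" \
        -CAkey "$d/ca-key.pem" -set_serial 01 -out "$d/cert.pem" 2>/dev/null || return 1

    # DER copy of the signed certificate.
    openssl x509 -in "$d/cert.pem" -inform PEM -out "$d/cert.der" -outform DER || return 1

    # Checks: the chain verifies, and the certificate belongs to its own key.
    signed_by "$d/root-ca.pem" "$d/cert.pem" &&
        key_matches_cert "$d/cert-key.pem" "$d/cert.pem"
}
```

Writing the signed certificate to a different file than the request keeps the request available for re-signing later.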
How to generate a SHA-1 hash and sign it with a private key
To compute the SHA-1 hash of the file data.txt:
<syntaxhighlight lang="bash">
openssl dgst -sha1 data.txt > hash
</syntaxhighlight>
To RSA sign with a private key (the command computes the SHA-1 digest of BufferToSign.bin and signs it):
<syntaxhighlight lang="bash">
openssl dgst -binary -out signature.bin -sha1 -sign privatekey.pem BufferToSign.bin
</syntaxhighlight>