Page 1
Introduction
Installing OpenSSL on
Windows
1
2
Generating SSH Keys and SSL
Certificates for ROS and ROX
Using Windows
AN22
Application Note
Installing the Scripts
Using Scripts to Create SSL
Certificates
Using the Scripts to Create
SSH Keys for ROS
Adding a Root CA Certificate
to the List of Trusted Root
CAs
PEM Formatted Certificates
and Keys
Generating a Certificate
from a Certificate Request in
Windows 2008 CA
Frequently Asked Questions
(FAQs)
3
4
5
6
7
8
9
6/2013
Page 2
RUGGEDCOM
Application Note
Copyright © 2013 RuggedCom Inc.
All rights reserved. Dissemination or reproduction of this document, or evaluation and communication of its contents, is not authorized
except where expressly permitted. Violations are liable for damages. All rights reserved, particularly for the purposes of patent application or
trademark registration.
This document contains proprietary information, which is protected by copyright. All rights are reserved. No part of this document may be
photocopied, reproduced or translated to another language without the prior written consent of RuggedCom Inc.
Disclaimer Of Liability
Siemens has verified the contents of this manual against the hardware and/or software described. However, deviations between the product
and the documentation may exist.
Siemens shall not be liable for any errors or omissions contained herein or for consequential damages in connection with the furnishing,
performance, or use of this material.
The information given in this document is reviewed regularly and any necessary corrections will be included in subsequent editions. We
appreciate any suggested improvements. We reserve the right to make technical improvements without notice.
Registered Trademarks
ROX™, Rugged Operating System On Linux™, CrossBow™ and eLAN™ are trademarks of Siemens AG. ROS® is a registered trademark of
Siemens AG.
OpenNMS® is a registered trademark of The OpenNMS Group, Inc.
Microsoft Windows XP and Microsoft Windows 7 are registered trademarks of Microsoft Corporation in the United States and other countries.
Other designations in this manual might be trademarks whose use by third parties for their own purposes would infringe the rights of the
owner.
Security Information
Siemens provides automation and drive products with industrial security functions that support the secure operation of plants or machines.
They are an important component in a holistic industrial security concept. With this in mind, our products undergo continuous development.
We therefore recommend that you keep yourself informed with respect to our product updates. Please find further information and newsletters
on this subject at: http://support.automation.siemens.com.
To ensure the secure operation of a plant or machine it is also necessary to take suitable preventive action (e.g. cell protection concept) and
to integrate the automation and drive components into a state-of-the-art holistic industrial security concept for the entire plant or machine.
Any third-party products that may be in use must also be taken into account. Please find further information at: http://www.siemens.com/
industrialsecurity.
Contacting Siemens
Address
Siemens AG
Industry Sector
300 Applewood Crescent
Concord, Ontario
Canada, L4K 5C7
Telephone
Toll-free: 1 888 264 0006
Tel: +1 905 856 5288
Fax: +1 905 856 1995
E-mail
RuggedSales@RuggedCom.com
Web
www.RuggedCom.com
ii
Page 3
RUGGEDCOM
Application Note
Table of Contents
Table of Contents
Chapter 1
Introduction .......................................................................................................... 1
Chapter 2
Installing OpenSSL on Windows ......................................................................... 3
Chapter 3
Installing the Scripts ............................................................................................ 5
Chapter 4
Using Scripts to Create SSL Certificates ............................................................ 7
4.1 Scenario 1: The Machine Hosting the Scripts Becomes the Root CA ............................................... 7
4.2 Scenario 2: The CA Resides Elsewhere ........................................................................................ 9
4.3 Scenario 3: Self-Signed Device Certificates ................................................................................. 11
Chapter 5
Using the Scripts to Create SSH Keys for ROS ................................................ 15
Chapter 6
Adding a Root CA Certificate to the List of Trusted Root CAs ........................... 17
Chapter 7
PEM Formatted Certificates and Keys .............................................................. 19
Chapter 8
Generating a Certificate from a Certificate Request in Windows 2008 CA ........ 21
Chapter 9
Frequently Asked Questions (FAQs) ................................................................. 27
iii
Page 4
Table of Contents
RUGGEDCOM
Application Note
iv
Page 5
RUGGEDCOM
Application Note
Introduction
ROS (beginning with ROS v3.12.1 and onwards) and ROX can accept SSL certificates and SSH keys created
externally. This document, along with some useful scripts developed by Siemens, is intended to help users
working with Microsoft Windows® to generate their own keys and certificates for their ROS and/or ROX devices.
The Microsoft Windows Operating System has a Certificates Management console. However, the nature of key
creation and export is not particularly suitable for ROS/ROX purposes. A separate key and certificate generation
application is required.
There are many free, open source applications, such as OpenSSH and PuTTygen, that can create keys and
certificates. The instructions in this document utilize OpenSSL, a free cryptography toolkit, to generate both SSH
and SSL keys, as well as SSL certificates.
ROS and ROX will accept self-signed certificates or certificates signed by a Certificate Authority (CA). This
document will make the Windows machine a Certificate Authority (CA) and sign certificates.
IMPORTANT!
Normally, the steps involved in creating the private key and creating the Certificate Signing Request
(CSR) are the ones that will be performed if a Certificate Chain of Trust is implemented in the
organization. The CSR files are then submitted to the appropriate department for it to be signed by
a CA. Once the certificate is issued, it is then uploaded to the device in the required format. When
certificates are self-signed, the trust (identity establishment) part of SSL cannot work because each
server is essentially its own CA. For the purpose of security, it is recommended that a proper Chain of
Trust is implemented for SSL.
Chapter 1
Introduction
This document describes:
• How to generate SSL certificates and SSH keys for ROS using Siemens scripts
• How to generate SSL keys and certificates for ROX using Siemens scripts
• How to import certificates on Windows machines so the SSL certificates provided by these devices can be
verified properly
1
Page 6
RUGGEDCOM
Application Note
Chapter 1
Introduction
2
Page 7
RUGGEDCOM
Application Note
Installing OpenSSL on Windows
Installing OpenSSL on Windows
To install OpenSSL on Windows, do the following:
1. Download the OpenSSL Setup program (without sources) for Windows from http://gnuwin32.sourceforge.net/
packages/openssl.htm.
2. Double-click the downloaded file and install OpenSSL. During the installation process, change the installation
directory to C:\OpenSSL\. This is essential for the scripts to generate the certificates and keys properly.
Chapter 2
3
Page 8
RUGGEDCOM
Application Note
Installing OpenSSL on Windows
Chapter 2
4
Page 9
RUGGEDCOM
Application Note
Installing the Scripts
Installing the Scripts
To install the scripts, extract the contents of the Zip file (AN22.zip) obtained from Siemens into an appropriate
location on the script machine (the computer/server that hosts the scripts). A folder titled RCKeyGen will be
placed in the chosen location.
Chapter 3
5
Page 10
RUGGEDCOM
Application Note
Installing the Scripts
Chapter 3
6
Page 11
RUGGEDCOM
Application Note
Using Scripts to Create SSL Certificates
Using Scripts to Create SSL
Certificates
The scripts provided by Ruggedcom can be used in three different infrastructure scenarios.
• Section 4.1, “Scenario 1: The Machine Hosting the Scripts Becomes the Root CA”
• Section 4.2, “Scenario 2: The CA Resides Elsewhere”
• Section 4.3, “Scenario 3: Self-Signed Device Certificates”
Section 4.1
Scenario 1: The Machine Hosting the Scripts
Becomes the Root CA
Chapter 4
In the first scenario, the machine that hosts the scripts is the Root CA and it directly issues keys and certificates
for the ROS and ROX devices. In this case the certificate requests generated for each device will be signed by
the Root CA, which is also generated on the same machine hosting the scripts.
NOTE
The Root CA’s certificate and private key will also be created and need to be protected after issuing the
certificates.
Scenario 1: The Machine Hosting the Scripts Becomes
the Root CA 7
Page 12
Chapter 4
Using Scripts to Create SSL Certificates
RUGGEDCOM
Application Note
1
3
Figure 1: Scenario 1
1. Root Certificate Authority (CA) 2. Certificate 3. ROS/ROX Devices
2
1. Navigate to the RCKeyGen folder on the script machine and open the file config.txt in a text editor.
NOTE
Do not use the default parameters provided in the config.txt file. They are provided as an
example only.
2. Make sure CREATE_ROOTCA equals 1.
3. Update the other parameters with relevant values.
4. Save and close the file.
5. Open the file device_data.txt in a text editor and replace the current content with a list of addresses
(one per line) for devices for which certificates are to be generated. The script will take the list of addresses
and use them as the Common Name parameter in the Distinguished name field (i.e. the Subject Identifier in
an X.509 certificate). The script can take both IP addresses and DNS names for the switches. The list must
have some addresses for the script to generate certificates.
NOTE
Setting the Common Name (IP address/DNS address) correctly will make sure browsers do not
complain about the certificate Common Name not matching the URL. The switch will also have
to be accessed using the DNS name or the IP address that was provided in device_data.txt.
Configuring an IP address for the Common Name and then accessing the unit with a DNS name
(or vice versa) will cause the browser to complain.
6. Save and close the file.
NOTE
For Windows XP, scripts should be launched through the command prompt in the same order as
described in this procedure.
8
Scenario 1: The Machine Hosting the Scripts Becomes
the Root CA
Page 13
RUGGEDCOM
Application Note
Using Scripts to Create SSL Certificates
7. Double-click the script 1_ssl_root_CA_certgen.vbs to generate the root certificate.
8. Double-click the script 02_ssl_device_certgen.vbs to generate a certificate for each device listed in
device_data.txt and have them signed by the Root CA. When the script asks if the certificates need to
be self-signed, click No.
9. Double-click the script 03_ssl_formatting.vbs to convert the certificates into PEM format and clean up
any files that were created by the scripts. The finished certificates are available in the SSL_certs folder and
named according to their associated device, as defined in device_data.txt.
10. Upload the created certificates to their respective devices. For more information about uploading the
certificates, refer to the User Guide for the device.
Section 4.2
Scenario 2: The CA Resides Elsewhere
In this scenario, it is assumed that a CA has already been established in the organization, which can be used to
accept certificate requests from the computer that hosts the scripts and signs the certificates for ROS and ROX
devices. In this case, the script will simply generate a key and a corresponding certificate request, which will
then have to be submitted to the CA for a certificate to be issued. Once the certificates have been issued, the
certificate files will have to be copied to the SSL_certs folder (where the keys and the original signing requests
are still present). Once the certificates are placed in the SSL_certs folder, a script needs to be executed to
convert the certificates into PEM format, which is compatible with ROS devices.
Chapter 4
NOTE
For examples of PEM formatted certificates and keys, refer to Chapter 7, PEM Formatted Certificates
and Keys.
Scenario 2: The CA Resides Elsewhere 9
Page 14
Chapter 4
Using Scripts to Create SSL Certificates
2
RUGGEDCOM
Application Note
1
3
5
6
7
4
Figure 2: Scenario 2
1. Root Certificate Authority (CA) 2. Certificate Authorities (CAs) 3. Certificate 4. Certificate Request 5. Script Machine 6. ROS/
ROX Compatible Certificate 7. ROS/ROX Devices
1. Navigate to the RCKeyGen folder on the script machine and open the file config.txt in a text editor.
NOTE
Do not use the default the parameters provided in the config.txt file. They are provided as an
example only.
2. Make sure CREATE_ROOTCA equals 0.
10 Scenario 2: The CA Resides Elsewhere
Page 15
RUGGEDCOM
Application Note
3. Update the other parameters with relevant values.
4. Save and close the file.
5. Open the file device_data.txt in a text editor and replace the current content with a list of addresses
(one per line) for devices for which certificates are to be generated. The script will take the list of addresses
and use them as the Common Name parameter in the Distinguished name field (i.e. the Subject Identifier in
an X.509 certificate). The script can take both IP addresses and DNS names for the switches. The list must
have some addresses for the script to generate certificates.
Using Scripts to Create SSL Certificates
NOTE
Setting the Common Name (IP address/DNS address) correctly will make sure browsers do
not complain about the certificate Common Name not matching the URL. The switch or router
will also have to be accessed using the DNS name or the IP address that was provided in
device_data.txt. Configuring an IP address for the Common Name and then accessing the
unit with a DNS name (or vice versa) will cause the browser to complain.
6. Save and close the file.
NOTE
For Windows XP, scripts should be launched through the command prompt in the same order as
described in this procedure.
Chapter 4
7. Double-click the script 02_ssl_device_certgen.vbs to generate a certificate signing request for each
device listed in device_data.txt. When the script asks if the certificates need to be self-signed, click No.
The SSL_certs folder now has both keys and Certificate Signing Requests for the ROS/ROX devices. The
CSRs need to be exported to and signed by the organizational CA.
8. Generate certificates from the Certificate Signing Requests. For more information, refer to Chapter 8,
Generating a Certificate from a Certificate Request in Windows 2008 CA.
9. Copy the certificates issued by the CA to the SSL_certs folder.
10. Double-click the script 03_ssl_formatting.vbs to convert the certificates into PEM format and clean up
any files that were created by the scripts. The finished certificates are available in the SSL_certs folder and
named according to their associated device, as defined in device_data.txt.
11. Upload the certificates to their respective devices. For more information about uploading the certificates,
refer to the User Guide for the device.
Section 4.3
Scenario 3: Self-Signed Device Certificates
In this scenario, each device certificate is signed by itself. If a CA has not been established in the organization
or a Root CA in the host computer is not desirable, perform the following steps to generate self-signed device
certificates that are signed by themselves.
NOTE
It is recommended to get the certificates for each device signed by a trusted Certificate Authority.
Scenario 3: Self-Signed Device Certificates 11
Page 16
Chapter 4
Using Scripts to Create SSL Certificates
RUGGEDCOM
Application Note
1
3
Figure 3: Scenario 3
1. Script Machine 2. Certificate 3. ROS/ROX Devices
2
1. Navigate to the RCKeyGen folder on the script machine and open the file device_data.txt in a text
editor.
2. Replace the current content with a list of addresses (one per line) for devices for which certificates are to
be generated. The script will take the list of addresses and use them as the Common Name parameter in
the Distinguished name field (i.e. the Subject Identifier in an X.509 certificate). The script can take both IP
addresses and DNS names for the switches. The list must have some addresses for the script to generate
certificates.
NOTE
Setting the Common Name (IP address/DNS address) correctly will make sure browsers do not
complain about the certificate Common Name not matching the URL. The switch will also have
to be accessed using the DNS name or the IP address that was provided in device_data.txt.
Configuring an IP address for the Common Name and then accessing the unit with a DNS name
(or vice versa) will cause the browser to complain.
3. Save and close the file.
NOTE
For Windows XP, scripts should be launched through the command prompt in the same order as
described in this procedure.
4. Double-click the script 02_ssl_device_certgen.vbs to generate a certificate for each device listed in
device_data.txt and have them signed by the Root CA. When the script asks if the certificates need to
be self-signed, click Yes.
12 Scenario 3: Self-Signed Device Certificates
Page 17
RUGGEDCOM
Application Note
Using Scripts to Create SSL Certificates
5. Double-click the script 03_ssl_formatting.vbs to convert the certificates into PEM format and clean up
any files that were created by the scripts. The finished certificates are available in the SSL_certs folder and
named according to their associated device, as defined in device_data.txt.
6. Upload the certificates to their respective devices. For more information about uploading the certificates,
refer to the User Guide for the device.
Chapter 4
Scenario 3: Self-Signed Device Certificates 13
Page 18
RUGGEDCOM
Application Note
Using Scripts to Create SSL Certificates
Chapter 4
Scenario 3: Self-Signed Device Certificates 14
Page 19
RUGGEDCOM
Application Note
Using the Scripts to Create SSH Keys for ROS
Using the Scripts to Create SSH
Keys for ROS
The generation of SSH keys is a single step process.
NOTE
For information on how to regenerate SSH keys for ROX, refer to the ROX User Guide for the device.
1. Navigate to the RCKeyGen folder on the script machine and open the file device_data.txt in a text
editor.
2. Replace the current content with a list of addresses (one per line) for devices for which SSH keys are to be
generated. The script can take both IP addresses and DNS names. The list must have some addresses for
the script to generate keys.
3. Save and close the file.
Chapter 5
NOTE
For Windows XP, scripts should be launched through the command prompt in the same order as
described in this procedure.
4. Double-click the script 4_ssh_keygen.vbs. The keys are generated and saved in the SSH_keys folder.
5. The keys are now available for upload in the SSH_keys folder.
6. Upload the keys to their respective ROS devices. For more information about uploading the keys, refer to the
latest ROS User Guide for your device.
15
Page 20
RUGGEDCOM
Application Note
Using the Scripts to Create SSH Keys for ROS
Chapter 5
16
Page 21
RUGGEDCOM
Application Note
Adding a Root CA Certificate to the List of Trusted Root
Adding a Root CA Certificate to
the List of Trusted Root CAs
In order for a certificate to be trusted, and often for a secure connection to be established, the certificate must
have been issued by a CA that is included in the trusted store of the device that is connecting. If it is not in the
list when a Web session to the device is opened, a warning message may appear stating the security certificate
presented by the website was not issued by a trusted Certificate Authority.
To prevent this warning message in Internet Explorer®, perform the following procedure to add a Root CA
certificate to the trusted Root CA list:
NOTE
This procedure is only applicable when device certificates are signed by a CA. For more information
about signing device certificates, refer to Section 4.1, “Scenario 1: The Machine Hosting the Scripts
Becomes the Root CA” and Section 4.2, “Scenario 2: The CA Resides Elsewhere”.
1. Open Internet Explorer.
Chapter 6
CAs
2. Under Tools, click Internet Options.
3. Select the Content tab and click Certificates. The Certificates dialog box appears.
Figure 4: Certificates Dialog Box
4. Select the Trusted Root Certification Authorities tab and click Import. The Certificate Import Wizard
dialog box appears.
17
Page 22
Chapter 6
Adding a Root CA Certificate to the List of Trusted Root
Application Note
CAs
Figure 5: Certificate Import Wizard Dialog Box
5. Follow the on-screen instructions to locate the root certificate file and make sure it is placed in the Trusted
Root Certification Authorities store. When finished, a security warning will be displayed. Click Yes to
acknowledge
6. Acknowledge all other messages and close all dialog boxes.
7. In Internet Explorer, open a Web session to the device. The warning message should not appear.
RUGGEDCOM
18
Page 23
RUGGEDCOM
Application Note
PEM Formatted Certificates and
Keys
The following is an example of a PEM formatted SSH key:
-----BEGIN RSA PRIVATE KEY----MIICXAIBAAKBgQC3xOHodmmPghN1uWuFs9WdURkT9Ngjh7ded8BRa1PP3xUFzYSp
UIq5QB2zU0UsHE0fGRWqYr8GA4r59KIDhhV5J2D/dIL9qCGklWNPBamZCVu+4N5M
5L//Ga8N5lv3AbGSfEsiiyA38uNNR5B6QzpXuTbEBUq84hlD4wDiL78eKwIDAQAB
AoGBAI2CXHuHg23wuk9zAusoOhw0MN1/M1jYz0k9aajIvvdZT3Tyd29yCADy8GwA
eUmoWXLS/C4CcBqPa9til8ei3rDn/w8dveVHsi9FXjtVSYqN+ilKw+moMAjZy4kN
/kpdpHMohwv/909VWR1AZbr+YTxaG/++tKl5bqXnZl4wHF8xAkEA5vwut8USRg2/
TndOt1e8ILEQNHvHQdQr2et/xNH4ZEo7mqot6skkCD1xmxA6XG64hR3BfxFSZcew
Wr4SOFGCtQJBAMurr5FYPJRFGzPM3HwcpAaaMIUtPwNyTtTjywlYcUI7iZVVfbdx
4B7qOadPybTg7wqUrGVkPSzzQelz9YCSSV8CQFqpIsEYhbqfTLZEl83YjsuaE801
xBivaWLIT0b2TvM2O7zSDOG5fv4I990v+mgrQRtmeXshVmEChtKnBcm7HH0CQE6B
2WUfLArDMJ8hAoRczeU1nipXrIh5kWWCgQsTKmUrafdEQvdpT8ja5GpX2Rp98eaU
NHfI0cP36JpCdome2eUCQDZN9OrTgPfeDIXzyOiUUwFlzS1idkUGL9nH86iuPnd7
WVF3rV9Dse30sVEk63Yky8uKUy7yPUNWldG4U5vRKmY=
-----END RSA PRIVATE KEY-----
PEM Formatted Certificates and Keys
Chapter 7
The following is an example of a PEM formatted SSL certificate:
-----BEGIN CERTIFICATE----MIIC9jCCAl+gAwIBAgIJAJh6rrehMt3iMA0GCSqGSIb3DQEBBQUAMIGuMQswCQYD
VQQGEwJDQTEQMA4GA1UECBMHT250YXJpbzEQMA4GA1UEBxMHQ29uY29yZDESMBAG
A1UEChMJUnVnZ2VkY29tMRkwFwYDVQQLExBDdXN0b21lciBTdXBwb3J0MSYwJAYD
VQQDEx1XUy1NSUxBTkdPVkFOLlJVR0dFRENPTS5MT0NBTDEkMCIGCSqGSIb3DQEJ
ARYVc3VwcG9ydEBydWdnZWRjb20uY29tMB4XDTEyMTAyMzIxMTA1M1oXDTE3MTAy
MjIxMTA1M1owgZwxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdPbnRhcmlvMRAwDgYD
VQQHEwdDb25jb3JkMRIwEAYDVQQKEwlSdWdnZWRDb20xGTAXBgNVBAsTEEN1c3Rv
bWVyIFN1cHBvcnQxFDASBgNVBAMTCzE5Mi4xNjguMS4yMSQwIgYJKoZIhvcNAQkB
FhVTdXBwb3J0QHJ1Z2dlZGNvbS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
AoGBALfE4eh2aY+CE3W5a4Wz1Z1RGRP02COHt153wFFrU8/fFQXNhKlQirlAHbNT
RSwcTR8ZFapivwYDivn0ogOGFXknYP90gv2oIaSVY08FqZkJW77g3kzkv/8Zrw3m
W/cBsZJ8SyKLIDfy401HkHpDOle5NsQFSrziGUPjAOIvvx4rAgMBAAGjLDAqMAkG
A1UdEwQCMAAwHQYDVR0OBBYEFER0utgQOifnrflnDtsqNcnvRB0XMA0GCSqGSIb3
DQEBBQUAA4GBAHtBsNZuh8tB3kdqR7Pn+XidCsD70YnI7w0tiy9yiRRhARmVXH8h
5Q1rOeHceri3JFFIOxIxQt4KgCUYJLu+c9Esk/nXQQar3zR7IQCt0qOABPkviiY8
c3ibVbhJjLpR2vNW4xRAJ+HkNNtBOg1xUlp4vOmJ2syYZR+7XAy/OP/S
-----END CERTIFICATE-----
The following is an example of the combined certificate and key format used by both ROS and ROX:
-----BEGIN CERTIFICATE----MIIC9jCCAl+gAwIBAgIJAJh6rrehMt3iMA0GCSqGSIb3DQEBBQUAMIGuMQswCQYD
VQQGEwJDQTEQMA4GA1UECBMHT250YXJpbzEQMA4GA1UEBxMHQ29uY29yZDESMBAG
A1UEChMJUnVnZ2VkY29tMRkwFwYDVQQLExBDdXN0b21lciBTdXBwb3J0MSYwJAYD
VQQDEx1XUy1NSUxBTkdPVkFOLlJVR0dFRENPTS5MT0NBTDEkMCIGCSqGSIb3DQEJ
ARYVc3VwcG9ydEBydWdnZWRjb20uY29tMB4XDTEyMTAyMzIxMTA1M1oXDTE3MTAy
MjIxMTA1M1owgZwxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdPbnRhcmlvMRAwDgYD
VQQHEwdDb25jb3JkMRIwEAYDVQQKEwlSdWdnZWRDb20xGTAXBgNVBAsTEEN1c3Rv
bWVyIFN1cHBvcnQxFDASBgNVBAMTCzE5Mi4xNjguMS4yMSQwIgYJKoZIhvcNAQkB
FhVTdXBwb3J0QHJ1Z2dlZGNvbS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ
19
Page 24
Chapter 7
PEM Formatted Certificates and Keys
AoGBALfE4eh2aY+CE3W5a4Wz1Z1RGRP02COHt153wFFrU8/fFQXNhKlQirlAHbNT
RSwcTR8ZFapivwYDivn0ogOGFXknYP90gv2oIaSVY08FqZkJW77g3kzkv/8Zrw3m
W/cBsZJ8SyKLIDfy401HkHpDOle5NsQFSrziGUPjAOIvvx4rAgMBAAGjLDAqMAkG
A1UdEwQCMAAwHQYDVR0OBBYEFER0utgQOifnrflnDtsqNcnvRB0XMA0GCSqGSIb3
DQEBBQUAA4GBAHtBsNZuh8tB3kdqR7Pn+XidCsD70YnI7w0tiy9yiRRhARmVXH8h
5Q1rOeHceri3JFFIOxIxQt4KgCUYJLu+c9Esk/nXQQar3zR7IQCt0qOABPkviiY8
c3ibVbhJjLpR2vNW4xRAJ+HkNNtBOg1xUlp4vOmJ2syYZR+7XAy/OP/S
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY----MIICXAIBAAKBgQC3xOHodmmPghN1uWuFs9WdURkT9Ngjh7ded8BRa1PP3xUFzYSp
UIq5QB2zU0UsHE0fGRWqYr8GA4r59KIDhhV5J2D/dIL9qCGklWNPBamZCVu+4N5M
5L//Ga8N5lv3AbGSfEsiiyA38uNNR5B6QzpXuTbEBUq84hlD4wDiL78eKwIDAQAB
AoGBAI2CXHuHg23wuk9zAusoOhw0MN1/M1jYz0k9aajIvvdZT3Tyd29yCADy8GwA
eUmoWXLS/C4CcBqPa9til8ei3rDn/w8dveVHsi9FXjtVSYqN+ilKw+moMAjZy4kN
/kpdpHMohwv/909VWR1AZbr+YTxaG/++tKl5bqXnZl4wHF8xAkEA5vwut8USRg2/
TndOt1e8ILEQNHvHQdQr2et/xNH4ZEo7mqot6skkCD1xmxA6XG64hR3BfxFSZcew
Wr4SOFGCtQJBAMurr5FYPJRFGzPM3HwcpAaaMIUtPwNyTtTjywlYcUI7iZVVfbdx
4B7qOadPybTg7wqUrGVkPSzzQelz9YCSSV8CQFqpIsEYhbqfTLZEl83YjsuaE801
xBivaWLIT0b2TvM2O7zSDOG5fv4I990v+mgrQRtmeXshVmEChtKnBcm7HH0CQE6B
2WUfLArDMJ8hAoRczeU1nipXrIh5kWWCgQsTKmUrafdEQvdpT8ja5GpX2Rp98eaU
NHfI0cP36JpCdome2eUCQDZN9OrTgPfeDIXzyOiUUwFlzS1idkUGL9nH86iuPnd7
WVF3rV9Dse30sVEk63Yky8uKUy7yPUNWldG4U5vRKmY=
-----END RSA PRIVATE KEY-----
RUGGEDCOM
Application Note
20
Page 25
RUGGEDCOM
Application Note
Generating a Certificate from a Certificate Request in
Windows 2008 CA
Generating a Certificate from a
Certificate Request in Windows
2008 CA
If there is an existing windows certificate server in the organization, perform the following procedure to generate
the certificate in a windows 2008 server:
1. Copy and paste the CSR file generated in the script machine to any folder in your CA. In this example the
CSR files are copied to C:\.
2. Click Start, select Administrative Tools and click Certificate Authority. The certsrv window appears.
Chapter 8
Figure 6: Certsrv Window
This window lists all of the domains that are part of the root CA.
3. Right-click the domain for which a certificate will be generated, select All Tools and click Submit New
Request. The Open Request File dialog box appears.
21
Page 26
Chapter 8
Generating a Certificate from a Certificate Request in
Windows 2008 CA
Figure 7: Open Request File Dialog Box
4. Select the CSR file and click Open.
5. Navigate to the Pending Requests folder. If the certificate request is uploaded properly, the request will
appear in this folder.
RUGGEDCOM
Application Note
Figure 8: Pending Requests Folder
6. When the request has been received, right-click the request, select All Tasks and click Issue. The request is
signed by the CA and the certificate is issued.
22
Page 27
RUGGEDCOM
Application Note
Figure 9: Issuing the Certificate
7. Navigate to the Issued Certificates folder.
Generating a Certificate from a Certificate Request in
Chapter 8
Windows 2008 CA
Figure 10: Issued Certificates Folder
8. Double-click on the certificate. The Certificate dialog box appears.
23
Page 28
Chapter 8
Generating a Certificate from a Certificate Request in
Windows 2008 CA
Figure 11: Certificate Dialog Box
Application Note
9. Click the Details tab. This displays the distinguished name parameters for the certificate.
10. Verify the distinguished name parameters are correct and then click Copy to File. The Certificate Export
Wizard dialog box appears.
RUGGEDCOM
Figure 12: Certificate Export Wizard
11. Follow the on-screen instructions and note the following:
• When the wizard asks which format to use, select Base-64 encoded X.509 (.CER).
• Make sure the name of the final certificate is consistent with the name of the device as defined in
device_data.txt. For example, if the device hostname is 172.30.129.9, the file should be named
172.30.129.9.crt.
24
Page 29
RUGGEDCOM
Application Note
Generating a Certificate from a Certificate Request in
Windows 2008 CA
Figure 13: Export File Format Screen
12. Copy the certificate to the SSL_certs folder.
13. Make sure a matching *.key file is present in the SSL_certs folder.
14. Double-click the script 03_ssl_formatting.vbs to convert the certificates into PEM format and clean up
any files that were created by the scripts. The finished certificates are available in the SSL_certs folder and
named according to their associated device, as defined in device_data.txt.
Chapter 8
25
Page 30
RUGGEDCOM
Application Note
Generating a Certificate from a Certificate Request in
Chapter 8
Windows 2008 CA
26
Page 31
RUGGEDCOM
Application Note
Frequently Asked Questions (FAQs)
Frequently Asked Questions
(FAQs)
Q: What should I do if my root CA’s certificate has expired or I have a new root CA in my organization?
A: If the existing root CA’s certificate has expired or if you want to sign all of your existing device certificates
using a new root CA, then all the device certificates has to be replaced with a new certificate signed by the
new root CA. Follow the steps described in scenario 1 or scenario 2 (depending on your setup) to generate
the root CA certificate and device certificate. Upload the new device certificates to ROS devices.
Q: How should I replace a device certificate after expiry or how should I generate a certificate for a new
device?
A: If there is a new device in your organization which has to be signed or if a certificate for a device has to be
regenerated after expiry, refer to one of the three scenarios (depending on your setup) described in the SSL
certificates section of this document. Open the ` SSL_certs` folder and delete the expired device certificates
if necessary and then open the `device_data.txt` file to add new device name. When creating certificates for
new devices if you do not want to recreate device certificates for the existing devices for which certificates
were previously created and uploaded, you can delete the old device names from the device_data.txt.
Note that if you need to follow scenario 1 and you already have a valid Root CA in the SSL_certs folder,
there is no need to run 1_ssl_root_CA_certgen.vbs script to generate a Root CA and in this case set the
value for the `CREATE_ROOTCA=1` in the config.txt. Follow all of the remaining steps described in the test
scenarios.
Chapter 9
Q: Do I need to use these scripts or OpenSSL? Is there another approach?
A: Customers are free to use any key/certificate generation software they choose.
27
Page 32
RUGGEDCOM
Application Note
Frequently Asked Questions (FAQs)
Chapter 9
28
Loading...