Create and validate the CA certificate

Use OpenSSL tools to generate a CA certificate and then use it to sign device certificates.

  1. Download the OpenSSL command line app from openssl.org.
  2. Create a CA certificate (cacert.crt) and its private 2048-bit RSA key (cakey.pem), and store cakey.pem in a safe place.

     openssl req -nodes -new -newkey rsa:2048 -x509 -extensions v3_ca -keyout cakey.pem -out cacert.crt -days 3650 -subj "[your email information]"

     Use the following email information string as an example:

     /C=US/ST=MN/L=Townname/O=Companyname/OU=Department/emailAddress=email@company.com/

     You will install cacert.crt on your host computer in a following step.

  3. Generate a private 2048-bit RSA key for the server (server.key) and store it in a safe place.

     openssl genrsa -out server.key 2048

  4. Generate a Certificate Signing Request file (server.csr). For example:

     openssl req -new -key server.key -out server.csr -subj "[your email information]"

     Example email information string:

     /C=US/ST=MN/L=Townname/O=Companyname/OU=Department2/emailAddress=email@company.com/

     Note: The Organizational Unit (OU) in this step must be different from the OU used in step 2.

  5. With server.csr, generate the actual certificate (server.crt).

     openssl x509 -req -days 3650 -CA cacert.crt -CAkey cakey.pem -set_serial 001 -in server.csr -out server.crt

  6. Validate the certificates against each other. If this command succeeds, the message server.crt: OK appears. If it fails, an error message appears. The private CA key is not used in this step.

     openssl verify -CAfile cacert.crt server.crt

  7. After the validation in the previous step succeeds, concatenate server.crt and server.key to create server.pem.

     copy server.crt server.pem
     type server.key >> server.pem
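The seven steps above as one non-interactive POSIX shell function, added here as an example and not part of the original procedure. It assumes the openssl binary is in PATH, uses constructed subject values, enforces the OU rule from step 4, and adds a key-to-certificate match check before building server.pem.

```shell
#!/bin/sh
# Added example: automates steps 2-7 and fails closed when any check does not pass.
# Assumes openssl is in PATH; subject fields below are constructed samples.
set -eu

# Usage: make_server_pem <workdir> <ca_ou> <server_ou>
# Returns 0 only if server.crt chains to cacert.crt AND server.key matches server.crt.
make_server_pem() {
    dir=$1; ca_ou=$2; srv_ou=$3
    # Step 4 note: CA and server OUs must differ. With identical subject and issuer
    # names, OpenSSL's verifier can mistake the server cert for a self-signed one.
    [ "$ca_ou" != "$srv_ou" ] || { echo "CA OU and server OU must differ" >&2; return 1; }
    mkdir -p "$dir"
    base="/C=US/ST=MN/L=Townname/O=Companyname"
    # Step 2: self-signed CA certificate plus 2048-bit RSA key (keep cakey.pem offline).
    openssl req -nodes -new -newkey rsa:2048 -x509 -extensions v3_ca \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.crt" -days 3650 \
        -subj "$base/OU=$ca_ou/emailAddress=email@company.com" 2>/dev/null
    # Step 3: server key. Step 4: CSR carrying a different OU.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "$base/OU=$srv_ou/emailAddress=email@company.com"
    # Step 5: the CA signs the CSR.
    openssl x509 -req -days 3650 -CA "$dir/cacert.crt" -CAkey "$dir/cakey.pem" \
        -set_serial 001 -in "$dir/server.csr" -out "$dir/server.crt" 2>/dev/null
    # Step 6: chain validation; the exit status mirrors the "server.crt: OK" message.
    openssl verify -CAfile "$dir/cacert.crt" "$dir/server.crt" >/dev/null || return 1
    # Extra check (not on the page): compare public keys so that a key that does not
    # belong to the certificate is caught before the pair is deployed.
    crt_pub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/server.key" -pubout)
    [ "$crt_pub" = "$key_pub" ] || { echo "server.key does not match server.crt" >&2; return 1; }
    # Step 7: POSIX equivalent of "copy" followed by "type >>"; keep the result private.
    cat "$dir/server.crt" "$dir/server.key" > "$dir/server.pem"
    chmod 600 "$dir/server.pem" "$dir/server.key" "$dir/cakey.pem"
}
```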