Howto:Creating custom Certificates using a OpenSSL Certificate Authority

From innovaphone wiki

Applies To

This information applies to

  • all compatible Linux environments


More Information

Problem Details

To issue certificates from a custom CA for innovaphone devices that meet the requirements (client and server authentication), you must create an appropriate certificate authority. Here is how.

System Requirements

OpenSSL library

apt-get install openssl

Configuration

CA

Create CA private key

openssl genrsa -des3 -out ca.key 2048

Create CA certificate containing the public key (self-signed, lifetime ~10 years)

openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.pem

Feel free to create a custom chain with your own intermediate certificate for improved security.

Device CRT

Sign CSR (lifetime ~3 months)

openssl x509 -req -in client_csr.pem -CA ca.pem -CAkey ca.key -CAcreateserial -out client_crt.crt -days 90 -sha256

Using the newly created certificate, you can issue proper device certificates for innovaphone devices.
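The extensions in the device certificate are whatever the CA supplies at signing time: openssl x509 -req takes them from -extfile and does not copy extensions requested in the CSR by default. The following added example (not from the innovaphone wiki; the throwaway CA, the subject names and device_ext.cnf are constructed for the demo) runs the signing command with and without an extension file that sets the client and server authentication usages, verifies the result against the CA, and prints the Extended Key Usage actually present.

```shell
# Added example: CA, CSR, names and device_ext.cnf are constructed for the demo.
# The demo CA key is unencrypted only so this runs unattended.
# Usage: issue_device_cert plain|eku   (prints the issued certificate's EKU)
issue_device_cert() {
    mode=$1
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        # Throwaway CA and device CSR (constructed sample input)
        openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -sha256 \
            -days 3650 -subj "/CN=Example Test CA" -out ca.pem 2>/dev/null || exit 1
        openssl req -new -newkey rsa:2048 -nodes -keyout client.key \
            -subj "/CN=device.example.test" -out client_csr.pem 2>/dev/null || exit 1

        # Extensions the CA places in the device certificate
        cat > device_ext.cnf <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:device.example.test
EOF
        ext=""
        if [ "$mode" = "eku" ]; then ext="-extfile device_ext.cnf"; fi

        # The page's signing command, with -extfile added in "eku" mode
        openssl x509 -req -in client_csr.pem -CA ca.pem -CAkey ca.key \
            -CAcreateserial -out client_crt.crt -days 90 -sha256 $ext \
            2>/dev/null || exit 1

        # The result must verify against the CA for both TLS roles
        openssl verify -CAfile ca.pem -purpose sslserver client_crt.crt >/dev/null || exit 1
        openssl verify -CAfile ca.pem -purpose sslclient client_crt.crt >/dev/null || exit 1

        # Print the EKU actually present, or "none"
        eku=$(openssl x509 -in client_crt.crt -noout -text |
              grep -A1 'Extended Key Usage' | tail -n 1 | sed 's/^ *//')
        echo "${eku:-none}"
    )
    rc=$?
    rm -rf "$work"
    return "$rc"
}
```

Calling issue_device_cert plain prints none, while issue_device_cert eku prints both TLS Web Server Authentication and TLS Web Client Authentication.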

Known Problems

Note on using strong certificate keys:

The innovaphone devices come with an RSA key with a length of 1024 bit and a SHA signature of 256 bit. This should be sufficient for a standard encryption of a UC system. Be sure to read Certificate Key Length and CPU Usage before you create stronger certificates (that is, with larger key length).
