Howto:Creating custom Certificates using an OpenSSL Certificate Authority

From innovaphone wiki

Applies To

This information applies to

  • all compatible Linux environments


More Information

Problem Details

To issue a certificate from a custom CA for innovaphone devices that meets the requirements (client and server authentication), you must create an appropriate certificate authority. Here is how.

System Requirements

openssl library

apt-get install openssl

Configuration

CA

Create CA private key

openssl genrsa -des3 -out ca.key 2048

Create CA public key certificate (lifetime ~10 years)

openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.pem

Feel free to create a custom chain with your own intermediate certificate for improved security.

Device CRT

Sign CSR (lifetime ~3 months)

openssl x509 -req -in client_csr.pem -CA ca.pem -CAkey ca.key -CAcreateserial -out client_crt.crt -days 90 -sha256

Using the newly created certificate, you can issue proper device certificates for innovaphone devices.
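
By default, openssl x509 -req does not carry over extensions requested in the CSR, so usage extensions have to be supplied by the CA at signing time. The following added example (not part of the original wiki page) repeats the signing step with an extension file, assuming the client and server authentication requirement is expressed as extendedKeyUsage, and then verifies the result for both TLS roles. The throwaway CA, the subject names, device_ext.cnf and the unencrypted demo keys are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: throwaway CA and constructed names, not taken from the wiki.
issue_device_cert() (
    work=$(mktemp -d) || exit 1
    cd "$work" || exit 1
    {
        # Demo CA key without passphrase so the script runs unattended;
        # a real CA key stays encrypted as in the command on the page.
        openssl genrsa -out ca.key 2048 2>/dev/null &&
        openssl req -x509 -new -key ca.key -sha256 -days 3650 \
            -subj "/CN=Example Test CA" -out ca.pem &&

        # Stand-in for the CSR normally generated on the device.
        openssl req -new -newkey rsa:2048 -nodes -keyout device.key \
            -subj "/CN=device.example.test" -out client_csr.pem 2>/dev/null &&

        # Extensions applied by the CA at signing time.
        cat > device_ext.cnf <<'EOF' &&
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:device.example.test
EOF
        # Same signing command as on the page, plus -extfile.
        openssl x509 -req -in client_csr.pem -CA ca.pem -CAkey ca.key \
            -CAcreateserial -out client_crt.crt -days 90 -sha256 \
            -extfile device_ext.cnf 2>/dev/null &&

        # The chain must verify for both TLS roles.
        openssl verify -purpose sslserver -CAfile ca.pem client_crt.crt >/dev/null &&
        openssl verify -purpose sslclient -CAfile ca.pem client_crt.crt >/dev/null &&

        # Print the Extended Key Usage value of the issued certificate.
        openssl x509 -in client_crt.crt -noout -text |
            sed -n '/Extended Key Usage/{n;s/^ *//;p;}'
    }
    status=$?
    cd / && rm -rf "$work"
    exit "$status"
)

issue_device_cert
```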

Known Problems

Note on using strong certificate keys:

The innovaphone devices come with an RSA key with a length of 1024 bits and a 256-bit SHA signature. This should be sufficient for standard encryption of a UC system. Be sure to read Certificate Key Length and CPU Usage before you create stronger certificates (that is, with a larger key length).
