OTA Connect Developer Guide

Generate a self-signed root certificate

When you move to production, you’ll need to register your fleet root certificate with OTA Connect server. This certificate needs to be signed by a trusted Certificate Authority (CA).

If you don’t yet have your own CA certificate for signing device certificates, you can generate a self-signed certificate for testing.

To generate a self-signed root certificate, follow these steps:
  1. Create a directory structure for the keys, and get some sample configurations for the certificates from the OTA Community Edition project:

    export SERVER_NAME=myservername
    export SERVER_DIR="./${SERVER_NAME}" DEVICES_DIR="./${SERVER_NAME}/devices" CWD="${PWD}"
    mkdir -p "$DEVICES_DIR" certs
    for file in client.cnf device_ca.cnf server.ext client.ext server.cnf server_ca.cnf; do
      curl -o certs/$file https://raw.githubusercontent.com/advancedtelematic/ota-community-edition/master/scripts/certs/$file

    Then, generate the key and cert using openssl on the command line:

      openssl ecparam -genkey -name prime256v1 | openssl ec -out "${SERVER_DIR}/ca.key"
      openssl req -new -x509 -days 3650 -config "${CWD}/certs/server_ca.cnf" -key "${SERVER_DIR}/ca.key" \
        -out "${SERVER_DIR}/server_ca.pem"
      openssl ecparam -genkey -name prime256v1 | openssl ec -out "${SERVER_DIR}/server.key"
      openssl req -new -config "${CWD}/certs/server.cnf" -key "${SERVER_DIR}/server.key" -out "${SERVER_DIR}/server.csr"
      openssl x509 -req -days 3650 -extfile "${CWD}/certs/server.ext" -in "${SERVER_DIR}/server.csr" -CAcreateserial \
        -CAkey "${SERVER_DIR}/ca.key" -CA "${SERVER_DIR}/server_ca.pem" -out "${SERVER_DIR}/server.crt"
      cat "${SERVER_DIR}/server.crt" "${SERVER_DIR}/server_ca.pem" > "${SERVER_DIR}/server.chain.pem"
      openssl ecparam -genkey -name prime256v1 | openssl ec -out "${DEVICES_DIR}/ca.key"
      openssl req -new -x509 -days 3650 -key "${DEVICES_DIR}/ca.key" -config "${CWD}/certs/device_ca.cnf" \
        -out "${DEVICES_DIR}/ca.crt"

    This will create a ./${SERVER_DIR}/devices/ directory with the ca.crt certificate and a ca.key private key. Keep the private key safe and secure.

  2. Next, register the test root certificate with your OTA Connect account.