Generate a self-signed root certificate
When you move to production, you’ll need to register your fleet root certificate with the OTA Connect server. This certificate needs to be signed by a trusted Certificate Authority (CA).
If you don’t yet have your own CA certificate for signing device certificates, you can generate a self-signed certificate for testing.
To generate a self-signed root certificate, follow these steps:
Create a directory structure for the keys, and get some sample configurations for the certificates from the OTA Community Edition project:
```bash
# Names and locations used by the rest of the procedure
export SERVER_NAME=myservername
export SERVER_DIR="./${SERVER_NAME}" DEVICES_DIR="./${SERVER_NAME}/devices" CWD="${PWD}"
mkdir -p "$DEVICES_DIR" certs

# Fetch the sample OpenSSL configurations from the OTA Community Edition project
for file in client.cnf device_ca.cnf server.ext client.ext server.cnf server_ca.cnf; do
  curl -o "certs/$file" "https://raw.githubusercontent.com/advancedtelematic/ota-community-edition/master/scripts/certs/$file"
done
```
Then, generate the key and cert using openssl on the command line:
```bash
# Server CA: EC key plus a self-signed certificate valid for 10 years
openssl ecparam -genkey -name prime256v1 | openssl ec -out "${SERVER_DIR}/ca.key"
openssl req -new -x509 -days 3650 -config "${CWD}/certs/server_ca.cnf" -key "${SERVER_DIR}/ca.key" \
  -out "${SERVER_DIR}/server_ca.pem"

# Server certificate: key, CSR, certificate signed by the server CA, then the chain file
openssl ecparam -genkey -name prime256v1 | openssl ec -out "${SERVER_DIR}/server.key"
openssl req -new -config "${CWD}/certs/server.cnf" -key "${SERVER_DIR}/server.key" -out "${SERVER_DIR}/server.csr"
openssl x509 -req -days 3650 -extfile "${CWD}/certs/server.ext" -in "${SERVER_DIR}/server.csr" -CAcreateserial \
  -CAkey "${SERVER_DIR}/ca.key" -CA "${SERVER_DIR}/server_ca.pem" -out "${SERVER_DIR}/server.crt"
cat "${SERVER_DIR}/server.crt" "${SERVER_DIR}/server_ca.pem" > "${SERVER_DIR}/server.chain.pem"

# Device CA (the fleet root): EC key plus a self-signed certificate
openssl ecparam -genkey -name prime256v1 | openssl ec -out "${DEVICES_DIR}/ca.key"
openssl req -new -x509 -days 3650 -key "${DEVICES_DIR}/ca.key" -config "${CWD}/certs/device_ca.cnf" \
  -out "${DEVICES_DIR}/ca.crt"
```
This will create a `./${SERVER_DIR}/devices/` directory with the `ca.crt` certificate and a `ca.key` private key. Keep the private key safe and secure.
Next, register the test root certificate with your OTA Connect account.
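Before registering, it helps to confirm that `ca.crt` and `ca.key` in the devices directory belong together and that the key is not readable by other users. The following check is an added example, not part of the OTA Connect documentation; the function names `check_fleet_root` and `make_constructed_ca` are hypothetical, and `make_constructed_ca` only builds a throwaway CA (constructed sample data) so the check can be tried offline.

```shell
#!/usr/bin/env bash
# Added example (not from the OTA Connect docs): sanity-check the device CA
# directory before registering ca.crt. Function names are hypothetical.

check_fleet_root() {
  local dir="$1" crt="$1/ca.crt" key="$1/ca.key" rc=0 crt_pub key_pub
  if [ ! -r "$crt" ] || [ ! -r "$key" ]; then
    echo "FAIL: ca.crt or ca.key missing in $dir"; return 2
  fi
  # 1. ca.crt must carry the public half of ca.key (catches mixed-up files).
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
    echo "FAIL: ca.crt does not match ca.key"; rc=1
  fi
  # 2. A root must verify against itself, i.e. it is self-signed.
  openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 ||
    { echo "FAIL: ca.crt is not a valid self-signed root"; rc=1; }
  # 3. It must not already be expired.
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 ||
    { echo "FAIL: ca.crt has expired"; rc=1; }
  # 4. Only the owner may access the private key (no group/other bits).
  [ "$(ls -lLd "$key" | cut -c5-10)" = "------" ] ||
    { echo "FAIL: ca.key is accessible to group/other; chmod 600 it"; rc=1; }
  # Print what will be registered so it can be compared after upload.
  [ "$rc" -eq 0 ] && openssl x509 -in "$crt" -noout -subject -enddate -fingerprint -sha256
  return "$rc"
}

# Constructed sample data: a throwaway CA for trying the check offline.
make_constructed_ca() (
  umask 077   # subshell body, so the umask change stays local
  mkdir -p "$1"
  printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3' 'prompt = no' \
    '[dn]' 'CN = constructed-test-device-ca' '[v3]' 'basicConstraints = critical,CA:TRUE' > "$1/ca.cnf"
  openssl ecparam -genkey -name prime256v1 2>/dev/null |
    openssl ec -out "$1/ca.key" 2>/dev/null
  openssl req -new -x509 -days 30 -config "$1/ca.cnf" -key "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
)

# Run against a directory when one is given as the first argument.
if [ -n "${1:-}" ]; then check_fleet_root "$1"; fi
```

After the generation step, run it as `check_fleet_root "${DEVICES_DIR}"`; a non-zero exit status means at least one check failed.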