OTA Connect Developer Guide

Generate a self-signed root certificate

When you move to production, you’ll need to register your Fleet Root certificate with the OTA Connect server.

If you don’t yet have your own CA for signing device certificates, you can generate a self-signed certificate for testing.

To generate a self-signed root certificate, follow these steps:
  1. Create a directory structure for the keys, and get some sample configurations for the certificates from the OTA Community Edition project:

    export SERVER_NAME=myservername
    export SERVER_DIR="./${SERVER_NAME}" DEVICES_DIR="./${SERVER_NAME}/devices" CWD="${PWD}"
    mkdir -p "$DEVICES_DIR" certs
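    # Fetch the sample openssl configs; -f makes curl fail on an HTTP error
    # instead of saving the error page as a .cnf file.
    for file in client.cnf device_ca.cnf server.ext client.ext server.cnf server_ca.cnf; do
      curl -f -o "certs/${file}" "https://raw.githubusercontent.com/advancedtelematic/ota-community-edition/master/scripts/certs/${file}"
    done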

    Then generate the keys and certificates with openssl on the command line:

      # Server CA: key and self-signed certificate
      openssl ecparam -genkey -name prime256v1 | openssl ec -out "${SERVER_DIR}/ca.key"
      openssl req -new -x509 -days 3650 -config "${CWD}/certs/server_ca.cnf" -key "${SERVER_DIR}/ca.key" \
        -out "${SERVER_DIR}/server_ca.pem"

      # Server certificate: key, CSR, certificate signed by the server CA, and chain file
      openssl ecparam -genkey -name prime256v1 | openssl ec -out "${SERVER_DIR}/server.key"
      openssl req -new -config "${CWD}/certs/server.cnf" -key "${SERVER_DIR}/server.key" -out "${SERVER_DIR}/server.csr"
      openssl x509 -req -days 3650 -extfile "${CWD}/certs/server.ext" -in "${SERVER_DIR}/server.csr" -CAcreateserial \
        -CAkey "${SERVER_DIR}/ca.key" -CA "${SERVER_DIR}/server_ca.pem" -out "${SERVER_DIR}/server.crt"
      cat "${SERVER_DIR}/server.crt" "${SERVER_DIR}/server_ca.pem" > "${SERVER_DIR}/server.chain.pem"

      # Device CA: key and self-signed root certificate for signing device certificates
      openssl ecparam -genkey -name prime256v1 | openssl ec -out "${DEVICES_DIR}/ca.key"
      openssl req -new -x509 -days 3650 -key "${DEVICES_DIR}/ca.key" -config "${CWD}/certs/device_ca.cnf" \
        -out "${DEVICES_DIR}/ca.crt"

    This creates the ca.crt certificate and the ca.key private key in the ${SERVER_DIR}/devices/ directory (${DEVICES_DIR}). Keep the private key safe and secure.

  2. Next, register the test root certificate with your OTA Connect account.
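
Before registering the certificate, you can confirm that the files from step 1 are what you expect: the key is not readable by other users, the key and certificate belong together, and the certificate is a valid self-signed CA. The script below is an added example, not part of the OTA Connect documentation; the function names are hypothetical and it assumes the `${DEVICES_DIR}` layout created above.

```shell
# Added example (not from the OTA Connect docs): checks for the test root from step 1.
# Assumes the layout created above: <devices dir>/ca.key and <devices dir>/ca.crt.

# True if the private key and the certificate carry the same public key.
key_matches_cert() {  # usage: key_matches_cert KEY CERT
  local from_key from_cert
  from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# True if the certificate is an unexpired, self-signed CA certificate.
is_self_signed_ca() {  # usage: is_self_signed_ca CERT
  local subject issuer
  subject=$(openssl x509 -in "$1" -noout -subject 2>/dev/null) || return 1
  issuer=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null) || return 1
  [ "${subject#subject}" = "${issuer#issuer}" ] || return 1
  # The signature must verify under the certificate's own key.
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1 || return 1
  # basicConstraints must mark it as a CA, or it cannot sign device certificates.
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' || return 1
  # -checkend 0 fails if the certificate has already expired.
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# True if group and others have no permission bits set on the key file.
key_is_private() {  # usage: key_is_private KEY
  [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Runs all checks on a devices directory; the exit status is the number of failures.
check_fleet_root() {  # usage: check_fleet_root "${DEVICES_DIR}"
  local dir="$1" failures=0
  key_is_private "$dir/ca.key" || { echo "FAIL: ca.key is accessible to group/others"; failures=$((failures+1)); }
  key_matches_cert "$dir/ca.key" "$dir/ca.crt" || { echo "FAIL: ca.key does not match ca.crt"; failures=$((failures+1)); }
  is_self_signed_ca "$dir/ca.crt" || { echo "FAIL: ca.crt is not a valid self-signed CA"; failures=$((failures+1)); }
  return "$failures"
}
```

Source the file and run `check_fleet_root "${DEVICES_DIR}"`; an exit status of 0 means every check passed.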