...

openssl req -x509 -nodes -newkey rsa:2048 -keyout rsa_private.pem \
    -out rsa_cert.pem -subj "/CN=unused"

...

openssl pkcs8 -topk8 -inform PEM -outform DER -in rsa_private.pem \
    -nocrypt > rsa_private_pkcs8

...

openssl pkcs8 -topk8 -inform PEM -outform DER -in ec_private.pem \
    -nocrypt > ec_private_pkcs8

...

You can also use registry-level certificates to verify key credentials.

Generate a signed RS256_X509 device certificate and private key

1. Generate the private key and certificate request. Adjust the number of days the certificate should be valid to suit your requirements:
openssl req -newkey rsa:2048 -nodes -days 365000 -keyout client-key.pem -out client-rsa-req.pem

You will be shown this prompt to enter a common name:
Common Name (e.g., server FQDN or YOUR name) []:
Ensure the common name is different from the common name of the CA certificate.

2. Generate the X509 device certificate:
openssl x509 -req -days 365000 -set_serial 01 -in client-rsa-req.pem -out client-rsa-cert.pem -CA ca-cert.pem -CAkey ca-key.pem

3. Verify the signed X509 device certificate:
openssl verify -CAfile ca-cert.pem ca-cert.pem client-rsa-cert.pem 

Generate a signed ES256_X509 device certificate and private key

1. Generate a private key:
openssl ecparam -genkey -name prime256v1 -out client-ec-key.pem

2. Generate the certificate request:
openssl req -new -key client-ec-key.pem -out client-ec-cert-req.pem

You will be shown this prompt to enter a common name:
Common Name (e.g., server FQDN or YOUR name) []:
Ensure the common name is different from the common name of the CA certificate.

3. Sign the certificate request with the CA and generate the X509 device certificate:
openssl x509 -req -days 365 -in client-ec-cert-req.pem -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out client-ec-cert.pem

4. Verify the signed X509 device certificate:
openssl verify -CAfile ca-cert.pem ca-cert.pem client-ec-cert.pem
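
The script below is an added example, not part of the original page: it runs the ES256_X509 steps non-interactively and then checks what the procedure relies on, namely that the chain verifies, that the device subject differs from the CA's, and that the private key belongs to the certificate. The throwaway CA, the CN values, the function names and the `-subj` and `-noout` options are assumptions made for the demo; the same checks apply to the RS256_X509 files.

```bash
#!/usr/bin/env bash
# Added example. The CA created here is a throwaway stand-in for your real
# ca-cert.pem / ca-key.pem; CNs and the work directory are constructed.

make_demo_ca() {                 # $1 = work dir
  openssl ecparam -genkey -name prime256v1 -noout -out "$1/ca-key.pem" &&
  openssl req -x509 -new -key "$1/ca-key.pem" -days 30 \
      -subj "/CN=demo-registry-ca" -out "$1/ca-cert.pem"
}

issue_es256_cert() {             # $1 = work dir, $2 = device CN (-subj replaces the prompt)
  openssl ecparam -genkey -name prime256v1 -noout -out "$1/client-ec-key.pem" &&
  openssl req -new -key "$1/client-ec-key.pem" -subj "/CN=$2" \
      -out "$1/client-ec-cert-req.pem" &&
  openssl x509 -req -days 365 -in "$1/client-ec-cert-req.pem" -CA "$1/ca-cert.pem" \
      -CAkey "$1/ca-key.pem" -set_serial 01 -out "$1/client-ec-cert.pem" 2>/dev/null
}

subject_differs_from_issuer() {  # $1 = cert; fails when the device name equals the CA name
  s=$(openssl x509 -in "$1" -noout -subject_hash) || return 1
  i=$(openssl x509 -in "$1" -noout -issuer_hash) || return 1
  [ -n "$s" ] && [ "$s" != "$i" ]
}

key_matches_cert() {             # $1 = private key, $2 = cert; compares the public keys
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

check_device_cert() {            # $1 = work dir; one line per check, non-zero on any failure
  rc=0
  openssl verify -CAfile "$1/ca-cert.pem" "$1/client-ec-cert.pem" >/dev/null 2>&1 \
      && echo "chain: ok" || { echo "chain: FAIL"; rc=1; }
  subject_differs_from_issuer "$1/client-ec-cert.pem" \
      && echo "subject != issuer: ok" || { echo "subject != issuer: FAIL"; rc=1; }
  key_matches_cert "$1/client-ec-key.pem" "$1/client-ec-cert.pem" \
      && echo "key matches cert: ok" || { echo "key matches cert: FAIL"; rc=1; }
  return $rc
}

work=$(mktemp -d)
make_demo_ca "$work" && issue_es256_cert "$work" "device-001" && check_device_cert "$work"
rm -rf "$work"
```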