...
Code Block |
---|
openssl req -x509 -nodes -newkey rsa:2048 -keyout rsa_private.pem \
-out rsa_cert.pem -subj "/CN=unused" |
...
Code Block |
---|
openssl pkcs8 -topk8 -inform PEM -outform DER -in rsa_private.pem \
-nocrypt > rsa_private_pkcs8 |
...
Code Block |
---|
openssl pkcs8 -topk8 -inform PEM -outform DER -in ec_private.pem \
-nocrypt > ec_private_pkcs8 |
...
You can also use registry-level certificates to verify key credentials.
Generate a signed RS256_X509 device certificate and private key
1. Generate the private key and certificate request. Change the number of days the certificate should be valid as per your requirements:
   openssl req -newkey rsa:2048 -nodes -days 365000 -keyout client-key.pem -out client-rsa-req.pem
You will be shown this prompt to enter a common name:
Common Name (e.g., server FQDN or YOUR name) []:
Ensure the common name is different from the one in the CA certificate.
2. Generate the X509 device certificate:
   openssl x509 -req -days 365000 -set_serial 01 -in client-rsa-req.pem -out client-rsa-cert.pem -CA ca-cert.pem -CAkey ca-key.pem
3. Verify the signed X509 device certificate:
   openssl verify -CAfile ca-cert.pem ca-cert.pem client-rsa-cert.pem
Generate a signed ES256_X509 device certificate and private key
1. Generate a private key:
   openssl ecparam -genkey -name prime256v1 -out client-ec-key.pem
2. Generate the certificate request:
   openssl req -new -key client-ec-key.pem -out client-ec-cert-req.pem
You will be shown this prompt to enter a common name:
Common Name (e.g., server FQDN or YOUR name) []:
Ensure the common name is different from the one in the CA certificate.
3. Sign the certificate request with the CA and generate the X509 device certificate:
   openssl x509 -req -days 365 -in client-ec-cert-req.pem -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out client-ec-cert.pem
4. Verify the signed X509 device certificate:
   openssl verify -CAfile ca-cert.pem ca-cert.pem client-ec-cert.pem
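The ES256_X509 steps above, run non-interactively with a checker for the result. This is an added example, not part of the original page. The throwaway CA, the directory layout, the `device-001` name, and the helper function names are all assumptions made for the demo.

```shell
#!/bin/sh
# Added example: ES256_X509 device certificate steps without prompts, plus checks.
# The CA, file layout, CNs and serials below are constructed for this demo.
umask 077   # keep generated private keys readable by the owner only

# Throwaway self-signed CA standing in for ca-cert.pem / ca-key.pem. $1 = dir
make_demo_ca() {
  openssl req -x509 -nodes -newkey rsa:2048 -days 30 -subj "/CN=demo-registry-ca" \
    -keyout "$1/ca-key.pem" -out "$1/ca-cert.pem" 2>/dev/null
}

# Print the subject common name of a PEM certificate. $1 = certificate
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= //p'
}

# Steps 1-3: key, request, CA-signed certificate. $1 = dir, $2 = CN, $3 = serial
issue_device_cert() {
  # Enforce the common-name rule up front instead of relying on the prompt.
  if [ "$2" = "$(cert_cn "$1/ca-cert.pem")" ]; then
    echo "refused: device CN equals CA CN" >&2; return 1
  fi
  openssl ecparam -genkey -name prime256v1 -out "$1/$2-key.pem" &&
  openssl req -new -key "$1/$2-key.pem" -subj "/CN=$2" -out "$1/$2-req.pem" &&
  openssl x509 -req -days 365 -in "$1/$2-req.pem" -CA "$1/ca-cert.pem" \
    -CAkey "$1/ca-key.pem" -set_serial "$3" -out "$1/$2-cert.pem" 2>/dev/null
}

# Step 4 plus sanity checks. $1 = CA certificate, $2 = device certificate
check_device_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 ||
    { echo "FAIL: not signed by this CA"; return 1; }
  [ "$(cert_cn "$1")" != "$(cert_cn "$2")" ] ||
    { echo "FAIL: CN matches CA"; return 1; }
  openssl x509 -in "$2" -noout -checkend 0 >/dev/null ||
    { echo "FAIL: expired"; return 1; }
  echo "ok cn=$(cert_cn "$2") serial=$(openssl x509 -in "$2" -noout -serial | cut -d= -f2)"
}

# Demo run in a temporary directory.
work=$(mktemp -d)
make_demo_ca "$work"
issue_device_cert "$work" device-001 01 &&
  check_device_cert "$work/ca-cert.pem" "$work/device-001-cert.pem"
```

Passing a distinct serial per device keeps certificates from the same CA distinguishable, since issuer plus serial number is what identifies a certificate for revocation.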