User's Manual

On-Ramp Wireless Confidential and Proprietary 17 010-0059-00 Rev. A
Appendix B Creating SSL Certificates
This appendix describes the steps necessary to create signed SSL Authentication Certificates for
the LKS server. It is necessary to create a signed certificate for the LKS server as well as for each
client running the eNode Key Provisioning Utility. Note that certificate generation and signing
does not need to be performed on the machine that will be using the signed certificate.
NOTE: It is recommended that all certificate signing be performed on a secure server. Creation
of signed SSL Authentication Certificates is typically done by the IT department on a
separate and secure server. Under no circumstances should the CA private key be left
on an unsecured machine (such as the NPT).
The Certificate Authority (CA) is the entity that signs certificate requests to generate certificates.
The CA can be an actual CA (such as VeriSign, etc.) or the LKS owner can act as its own CA.
Unlike the LKS servers or NPT clients, which must have certificates with Common Name fields
that match their respective IP addresses or hostnames, the CA does not have this restriction.
Any secure computer can be used as the CA to sign certificates. However, the CA certificate
should not use the same Common Name as any of the LKS server or NPT client certificates it is
signing.
B.1 Generating a CA Certificate
On a secure server configured to act as a certificate authority, perform the following steps:
1. An RSA private/public key pair is needed to create a CA certificate. If an existing RSA key pair
is not already available for the CA, follow the instructions in Appendix A: Creating RSA Keys
to generate the keys.
2. Save the keys to an unencrypted PEM file format (for example, ca_key.priv.pem and
ca_key.pub.pem). A 2048-bit key length should be sufficient.
NOTE: The CA private key must be kept secure at all times. It should never be copied to an
unsecure computer. Ideally, certificate signing should be performed on a dedicated
security server.
3. Generate the CA certificate using the following command. Note that some filenames are
user-defined.
openssl req -new -x509 -days <365> -key <ca_key.priv.pem> -out <ca_cert.crt>
4. You are prompted for information regarding the Certificate Authority. Enter the requested
information as appropriate. Examples are provided in the following list.
NOTE: Be sure to use a different Common Name for the CA certificate than that used by
any of the other certificates it signs.
Common Name = <IP Address or Qualified Domain Name>
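The following script is an added example and is not part of the On-Ramp Wireless manual. It performs steps 1 to 4 above non-interactively (the -subj option replaces the prompts of step 4) and then runs the checks an administrator would want before trusting the new CA: the private key is readable only by its owner, the certificate is self-signed and carries the CA basic constraint, and its Common Name is not one of the server or client names it will sign. It assumes OpenSSL is installed and that the keys are generated with openssl genrsa rather than the Appendix A procedure; the directory name, the organization and the CA Common Name are constructed values.

```sh
#!/bin/sh
# Added example for Appendix B.1: create a self-signed CA certificate and
# verify it. Assumes OpenSSL is on the PATH; all names below are constructed.
set -eu

# Assumed CA name; it must differ from every LKS server / NPT client CN.
CA_CN="Example LKS Root CA"

# make_ca DIR: write ca_key.priv.pem, ca_key.pub.pem and ca_cert.crt into DIR.
make_ca() {
    dir=$1
    mkdir -p "$dir"
    # Step 1-2: 2048-bit RSA key pair in unencrypted PEM. The private key is
    # created owner-readable only; it must stay on the secure signing server.
    ( umask 077 && openssl genrsa -out "$dir/ca_key.priv.pem" 2048 )
    openssl rsa -in "$dir/ca_key.priv.pem" -pubout -out "$dir/ca_key.pub.pem"
    # Step 3-4: self-signed CA certificate valid for 365 days; -subj supplies
    # the values the manual has you type at the prompts.
    openssl req -new -x509 -days 365 \
        -key "$dir/ca_key.priv.pem" -out "$dir/ca_cert.crt" \
        -subj "/C=US/O=Example LKS Operator/CN=$CA_CN"
}

# ca_cert_cn CERT: print the Common Name from the certificate subject.
ca_cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject= *CN=\([^,]*\).*/\1/p'
}

# check_ca DIR: return 0 only if the CA material passes every sanity check.
check_ca() {
    dir=$1
    # Private key must be readable by its owner only (mode 0600).
    [ "$(ls -ld "$dir/ca_key.priv.pem" | cut -c1-10)" = "-rw-------" ] || return 1
    # Certificate must verify against itself (self-signed, consistent key).
    openssl verify -CAfile "$dir/ca_cert.crt" "$dir/ca_cert.crt" >/dev/null 2>&1 || return 1
    # Certificate must be marked as a CA (basicConstraints CA:TRUE).
    openssl x509 -in "$dir/ca_cert.crt" -noout -text | grep -q 'CA:TRUE' || return 1
    # Certificate must currently be within its validity period.
    openssl x509 -in "$dir/ca_cert.crt" -noout -checkend 0 >/dev/null || return 1
    # Subject CN must be the CA name, not a server IP address or hostname.
    [ "$(ca_cert_cn "$dir/ca_cert.crt")" = "$CA_CN" ] || return 1
    return 0
}

# cn_clash CA_CERT NAME: return 0 if the CA certificate reuses NAME as its CN,
# which the manual forbids for any server or client the CA will sign.
cn_clash() {
    [ "$(ca_cert_cn "$1")" = "$2" ]
}
```

Run it as `. ./make_ca.sh; make_ca ./ca; check_ca ./ca && echo "CA ready"`; a non-zero exit from check_ca means one of the preconditions in the appendix (key secrecy, distinct Common Name, CA constraint) is not met and the certificate should not be used for signing.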