Technical information
Secure Socket Protocol Theory of Operation
2-98  AT+i Commands Reference Manual May 31, 2008
Creating a Self-Signed Root Certificate
A certificate authority is essentially a self-signed root certificate. This root certificate is used to
sign new certificate requests, producing signed certificates. In this case, W24 is both the CA
and the originator of the certificate request, so no identity verification issues exist. In a more 
typical situation, however, a CA can only be trusted if it performs sufficient background checks 
into the originator of the certificate request to verify its identity.
1. Set the OPENSSL_CONF system environment variable to point to the newly created 
configuration file.
• On Linux/Unix, type the following:
OPENSSL_CONF=/testCA/CAcnf.ca
export OPENSSL_CONF
• On Windows, type the following:
set OPENSSL_CONF=C:\testCA\CAcnf.ca
2. Enter the command for generating the self-signed root certificate (all text is a single 
command typed on one line):
openssl req -x509 -newkey rsa:1024 -out cacert.pem -outform PEM
3. You are prompted to enter a PEM pass phrase. This is your password to the CA private key. 
It is essential for the security of the system that both this password and the CA private key 
are kept secret.
An encrypted caprivkey.pem file, which is the private key for the CA, is now stored under the
private sub-directory. The self-signed cacert.pem file is stored under the top-level testCA
directory.
The cacert.pem certificate can be used to sign new certificate requests as detailed in the following 
steps. Alternatively, the cacert.pem certificate can be used as-is in a server system if the single 
level hierarchy is considered sufficient.
The cacert.pem certificate has to be loaded into W24's CA parameter to enable W24 to trust and 
communicate securely with servers whose certificate is cacert.pem or that use certificates signed 
with cacert.pem.
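Before loading cacert.pem into W24, the result of steps 1 to 3 can be checked with the script below. It is an added example, not part of the manual: the function name check_root_ca and its min_bits argument are hypothetical, and the 2048-bit default is an assumption taken from current RSA key-size guidance, so a key generated with rsa:1024 as in step 2 is reported unless a different minimum is passed as the third argument.

```shell
#!/bin/sh
# Added example (not from the manual): checks on a root CA made in steps 1-3.
# check_root_ca and min_bits are hypothetical names; the 2048-bit default is
# an assumption taken from current RSA key-size guidance.
# usage: check_root_ca <cacert.pem> <caprivkey.pem> [min_bits]
check_root_ca() {
    cert=$1 key=$2 min_bits=${3:-2048} rc=0

    # A root certificate is its own issuer, and its signature must verify
    # against its own public key (-check_ss_sig forces that check).
    subj=$(openssl x509 -in "$cert" -noout -subject) || return 2
    issu=$(openssl x509 -in "$cert" -noout -issuer) || return 2
    if [ "${subj#subject=}" != "${issu#issuer=}" ]; then
        echo "FAIL: subject and issuer differ, not self-signed"; rc=1
    elif ! openssl verify -check_ss_sig -CAfile "$cert" "$cert" >/dev/null 2>&1
    then
        echo "FAIL: self-signature does not verify"; rc=1
    fi

    # Key size as printed in the certificate text dump.
    bits=$(openssl x509 -in "$cert" -noout -text |
           sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p')
    if [ "${bits:-0}" -lt "$min_bits" ]; then
        echo "FAIL: ${bits:-unknown}-bit key is below $min_bits bits"; rc=1
    fi

    # The pass phrase from step 3 shows up as ENCRYPTED in the PEM header
    # (either "BEGIN ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED").
    if ! head -n 2 "$key" | grep -q ENCRYPTED; then
        echo "FAIL: private key is not pass-phrase protected"; rc=1
    fi

    # The key file should be readable by its owner only.
    case $(ls -ld "$key" | cut -c5-10) in
        ------) ;;
        *) echo "FAIL: key file is accessible to group or others"; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: $cert ($bits-bit key)"
    return "$rc"
}

# Layout from the text: cacert.pem in testCA, caprivkey.pem in testCA/private.
if [ $# -ge 2 ]; then check_root_ca "$@"; fi
```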
Signing a Certificate with a CA Certificate
Creating a Certificate Request
Now that the CA has been created, you can use it to sign new certificates. In this example, W24 
plays the role of the CA, the certificate subject, and the end-user of the certificate, so no trust 
issues exist. A typical process, however, involves communication between the certificate subject 
(you) and a trusted CA. Usually someone wishing to issue certificates to end-users would 
generate a certificate request file and submit it to the administrators of a CA. Once the 
administrators of the CA have determined the request to be valid, a self-signed root certificate 
would be used to sign the certificate request and create a new certificate to be returned to the 
originator of the request, and eventually to the end-user.
1. Reset the OPENSSL_CONF environment variable to the default openssl.cnf file. Generating 
a request has nothing to do with a CA before it is actually submitted. It is safe to point 
OPENSSL_CONF to the default configuration file because it will force the request 










