Self-signed Certificate and Private Key

This method is used only in the commissioning environment.

Before executing the following script, ensure that OpenSSL 1.1.1 has been installed. Run the following commands:

cd ${HOME}

openssl rand -writerand .rnd

You can copy and modify the following content to make a shell script. After the shell script is executed, the certificate and private key are generated in the current directory. The tuning function becomes available only after the certificate and private key have been copied to the development environment and the operating environment, respectively.

DEVICE_IP=10.174.229.196 # your device ip
HOST_IP=10.175.85.66 # your host ip
PASS_PHRASE=Ncx12345 # your pass phrase
KEY_LEN=3072 # [3072, 4096]
VALID_DAYS=365 # the cert will expire after the valid days
COUNTRY=CN # your country name abbr. (2 letter code)
STATE=Zhejiang # your province name
LOCATION=Hangzhou # your city name
ORGANIZATION=ABC # your company name
ORGANIZATION_UNIT=DEF # your section name
COMMON_NAME_ROOT=www.test.com # your domain name
ENCRYPT_MODE=aes256 # [aes256, aes128]

########### The preceding content can be modified as required, while the following content should not be modified. ##########

#generate conf
rm -rf host-ext.cnf  device-ext.cnf
echo "[ ext ]" >> host-ext.cnf
echo "subjectAltName=IP:${HOST_IP}" >> host-ext.cnf
echo "[ ext ]" >> device-ext.cnf
echo "subjectAltName=IP:${DEVICE_IP}" >> device-ext.cnf
 
#generate root cert
openssl req -x509 -newkey rsa:${KEY_LEN} -days ${VALID_DAYS} -nodes -keyout ca-key.pem -out ca-cert.pem -subj "/C=${COUNTRY}/ST=${STATE}/L=${LOCATION}/O=${ORGANIZATION}/OU=${ORGANIZATION_UNIT}/CN=${COMMON_NAME_ROOT}" -addext keyUsage=keyCertSign
 
#generate device cert request
openssl req -newkey rsa:${KEY_LEN} -nodes -keyout device-key.pem -out device-cert.csr -subj "/C=${COUNTRY}/ST=${STATE}/L=${LOCATION}/O=${ORGANIZATION}/OU=${ORGANIZATION_UNIT}/CN=NCS"
#generate device cert
openssl x509 -req -in device-cert.csr -days ${VALID_DAYS} -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out device-cert.pem -extensions ext -extfile device-ext.cnf
 
#generate host cert request
openssl req -newkey rsa:${KEY_LEN} -nodes -keyout host-key.pem -out host-cert.csr -subj "/C=${COUNTRY}/ST=${STATE}/L=${LOCATION}/O=${ORGANIZATION}/OU=${ORGANIZATION_UNIT}/CN=NCA"
#generate host cert
openssl x509 -req -in host-cert.csr -days ${VALID_DAYS} -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out host-cert.pem -extensions ext -extfile host-ext.cnf
 
#encrypt private key (note: pass:... is visible to other local users in the process list; -passout env:VAR or file:PATH avoids this)
openssl rsa -in host-key.pem -passout pass:${PASS_PHRASE} -${ENCRYPT_MODE} -out host-key.pem
openssl rsa -in device-key.pem -passout pass:${PASS_PHRASE} -${ENCRYPT_MODE} -out device-key.pem

The generated files are described as follows. You need to copy the CA, certificate, and private key to the correct device strictly according to Table 1.

Table 1 File description

File Name        Description
---------------  ------------------------------------------------------------------------------------------
ca-cert.pem      Root CA, which needs to be copied to the development environment and operating environment.
host-key.pem     Private key, which needs to be copied to the development environment.
host-cert.pem    Certificate, which needs to be copied to the development environment.
device-key.pem   Private key, which needs to be copied to the operating environment.
device-cert.pem  Certificate, which needs to be copied to the operating environment.
ca-key.pem       Intermediate process file, which can be ignored.
ca-cert.srl      Intermediate process file, which can be ignored.
host-cert.csr    Intermediate process file, which can be ignored.
device-cert.csr  Intermediate process file, which can be ignored.
host-ext.cnf     Intermediate process file, which can be ignored.
device-ext.cnf   Intermediate process file, which can be ignored.
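Before copying the files according to Table 1, it is worth checking that each certificate chains to ca-cert.pem, carries the intended IP address in subjectAltName, and is paired with an encrypted private key. The following checker is an added example, not part of the original script; it assumes OpenSSL 1.1.1 or later on PATH, and the file names and the make_fixture helper (which builds throwaway test material the same way the script above does) are its own.

```shell
#!/bin/sh
# Added example: sanity checks for the files produced by the script above, run
# before they are copied so a mismatch shows up here and not as a failed TLS
# handshake. Assumes OpenSSL 1.1.1+ on PATH; all paths are passed as arguments.

# verify_leaf CA CERT KEY PASSPHRASE EXPECTED_IP
# Prints one finding per check; returns 0 only if every check passes.
verify_leaf() {
  ca=$1 cert=$2 key=$3 pass=$4 ip=$5 rc=0
  # 1. Chain: the leaf must verify against the root CA both sides will trust.
  if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "ok   chain: $cert is signed by $ca"
  else echo "FAIL chain: $cert does not verify against $ca"; rc=1; fi
  # 2. SAN: peers match the connecting IP against subjectAltName, not the CN.
  if openssl x509 -in "$cert" -noout -text | tr -d ' ' | tr ',' '\n' \
       | grep -qxF "IPAddress:$ip"; then
    echo "ok   subjectAltName contains IP:$ip"
  else echo "FAIL subjectAltName lacks IP:$ip"; rc=1; fi
  # 3. Key at rest: 'openssl rsa -aes256' writes a Proc-Type header (1.1.1,
  #    traditional PEM) or an encrypted PKCS#8 block (3.x).
  if grep -qE 'Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$key"; then
    echo "ok   $key is encrypted"
  else echo "FAIL $key is stored in clear text"; rc=1; fi
  # 4. Pairing: the public key in the cert must equal the one derived from the
  #    key. The passphrase goes via env: so it never shows in the process list.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
  key_pub=$(KEYPASS=$pass openssl rsa -in "$key" -passin env:KEYPASS -pubout 2>/dev/null || true)
  if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
    echo "ok   $key matches $cert"
  else echo "FAIL $key does not match $cert (or wrong passphrase)"; rc=1; fi
  return $rc
}

# make_fixture DIR IP PASSPHRASE: constructed test material mirroring the script
# above (root CA, one leaf with SAN=IP, encrypted key); 2048-bit keys for speed.
make_fixture() {
  dir=$1 ip=$2 pass=$3
  mkdir -p "$dir"
  printf '[ ext ]\nsubjectAltName=IP:%s\n' "$ip" > "$dir/ext.cnf"
  openssl req -x509 -newkey rsa:2048 -days 1 -nodes -keyout "$dir/ca-key.pem" \
    -out "$dir/ca-cert.pem" -subj "/CN=demo-root" -addext keyUsage=keyCertSign 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/leaf-key-plain.pem" \
    -out "$dir/leaf.csr" -subj "/CN=demo-leaf" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -days 1 -CA "$dir/ca-cert.pem" \
    -CAkey "$dir/ca-key.pem" -CAcreateserial -out "$dir/leaf-cert.pem" \
    -extensions ext -extfile "$dir/ext.cnf" 2>/dev/null
  KEYPASS=$pass openssl rsa -in "$dir/leaf-key-plain.pem" -aes256 \
    -passout env:KEYPASS -out "$dir/leaf-key.pem" 2>/dev/null
}
```

For the real files, call it as `verify_leaf ca-cert.pem host-cert.pem host-key.pem "$PASS_PHRASE" "$HOST_IP"` and again with the device files and `$DEVICE_IP`.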