Generating SSH Keys and SSL Certificates for ROS and ROX Using Windows AN22 6/2013 Introduction 1 Installing OpenSSL on Windows 2 Installing the Scripts 3 Using Scripts to Create SSL Certificates 4 Using the Scripts to Create SSH Keys for ROS 5 Adding a Root CA Certificate to the List of Trusted Root CAs 6 PEM Formatted Certificates and Keys 7 Generating a Certificate from a Certificate Request in Windows 2008 CA 8 Frequently Asked Questions (FAQs) 9
Copyright 2013 RuggedCom Inc. All rights reserved. Dissemination or reproduction of this document, or evaluation and communication of its contents, is not authorized except where expressly permitted. Violations are liable for damages. All rights reserved, particularly for the purposes of patent application or trademark registration. This document contains proprietary information, which is protected by copyright. All rights are reserved. No part of this document may be photocopied, reproduced or translated to another language without the prior written consent of RuggedCom Inc. Disclaimer Of Liability Siemens has verified the contents of this manual against the hardware and/or software described. However, deviations between the product and the documentation may exist. Siemens shall not be liable for any errors or omissions contained herein or for consequential damages in connection with the furnishing, performance, or use of this material. The information given in this document is reviewed regularly and any necessary corrections will be included in subsequent editions. We appreciate any suggested improvements. We reserve the right to make technical improvements without notice. Registered Trademarks ROX, Rugged Operating System On Linux, CrossBow and elan are trademarks of Siemens AG. ROS is a registered trademark of Siemens AG. OpenNMS is a registered trademark of The OpenNMS Group, Inc. Microsoft Windows XP and Microsoft Windows 7 are registered trademarks of Microsoft Corporation in the United States and other countries. Other designations in this manual might be trademarks whose use by third parties for their own purposes would infringe the rights of the owner. Security Information Siemens provides automation and drive products with industrial security functions that support the secure operation of plants or machines. They are an important component in a holistic industrial security concept. With this in mind, our products undergo continuous development. We therefore recommend that you keep yourself informed with respect to our product updates. Please find further information and newsletters on this subject at: http://support.automation.siemens.com. To ensure the secure operation of a plant or machine it is also necessary to take suitable preventive action (e.g. cell protection concept) and to integrate the automation and drive components into a state-of-the-art holistic industrial security concept for the entire plant or machine. Any third-party products that may be in use must also be taken into account. Please find further information at: http://www.siemens.com/ industrialsecurity. Contacting Siemens Address Siemens AG Industry Sector 300 Applewood Crescent Concord, Ontario Canada, L4K 5C7 ii Telephone Toll-free: 1 888 264 0006 Tel: +1 905 856 5288 Fax: +1 905 856 1995 E-mail RuggedSales@RuggedCom.com Web www.ruggedcom.com
Table of Contents Table of Contents Chapter 1 Introduction... 1 Chapter 2 Installing OpenSSL on Windows... 3 Chapter 3 Installing the Scripts... 5 Chapter 4 Using Scripts to Create SSL Certificates... 7 4.1 Scenario 1: The Machine Hosting the Scripts Becomes the Root CA... 7 4.2 Scenario 2: The CA Resides Elsewhere... 9 4.3 Scenario 3: Self-Signed Device Certificates... 11 Chapter 5 Using the Scripts to Create SSH Keys for ROS... 15 Chapter 6 Adding a Root CA Certificate to the List of Trusted Root CAs... 17 Chapter 7 PEM Formatted Certificates and Keys... 19 Chapter 8 Generating a Certificate from a Certificate Request in Windows 2008 CA... 21 Chapter 9 Frequently Asked Questions (FAQs)... 27 iii
Table of Contents iv
Chapter 1 Introduction Introduction ROS (beginning with ROS v3.12.1 and onwards) and ROX can accept SSL certificates and SSH keys created externally. This document, along with some useful scripts developed by Siemens, is intended to help users working with Microsoft Windows to generate their own keys and certificates for their ROS and/or ROX devices. The Microsoft Windows Operating System has a Certificates Management console. However, the nature of key creation and export is not particularly suitable for ROS/ROX purposes. A separate key and certificate generation application is required. There are many free, open source applications, such as OpenSSH and PuTTygen, that can create keys and certificates. The instructions in this document utilize OpenSSL, a free cryptography toolkit, to generate both SSH and SSL keys, as well as SSL certificates. ROS and ROX will accept self-signed certificates or certificates signed by a Certificate Authority (CA). This document will make the Windows machine a Certificate Authority (CA) and sign certificates. IMPORTANT! Normally, the steps involved in creating the private key and creating the Certificate Signing Request (CSR) are the ones that will be performed if a Certificate Chain of Trust is implemented in the organization. The CSR files are then submitted to the appropriate department for it to be signed by a CA. Once the certificate is issued, it is then uploaded to the device in the required format. When certificates are self-signed, the trust (identity establishment) part of SSL cannot work because each server is essentially its own CA. For the purpose of security, it is recommended that a proper Chain of Trust is implemented for SSL. This document describes: How to generate SSL certificates and SSH keys for ROS using Siemens scripts How to generate SSL keys and certificates for ROX using Siemens scripts How to import certificates on Windows machines so the SSL certificates provided by these devices can be verified properly 1
Chapter 1 Introduction 2
Chapter 2 Installing OpenSSL on Windows Installing OpenSSL on Windows To install OpenSSL on Windows, do the following: 1. Download the OpenSSL Setup program (without sources) for Windows from http://gnuwin32.sourceforge.net/ packages/openssl.htm. 2. Double-click the downloaded file and install OpenSSL. During the installation process, change the installation directory to C:\OpenSSL\. This is essential for the scripts to generate the certificates and keys properly. 3
Chapter 2 Installing OpenSSL on Windows 4
Chapter 3 Installing the Scripts Installing the Scripts To install the scripts, extract the contents of the Zip file (AN22.zip) obtained from Siemens into an appropriate location on the script machine (the computer/server that hosts the scripts). A folder titled RCKeyGen will be placed in the chosen location. 5
Chapter 3 Installing the Scripts 6
Chapter 4 Using Scripts to Create SSL Certificates Using Scripts to Create SSL Certificates The scripts provided by Ruggedcom can be used in three different infrastructure scenarios. Section 4.1, Scenario 1: The Machine Hosting the Scripts Becomes the Root CA Section 4.2, Scenario 2: The CA Resides Elsewhere Section 4.3, Scenario 3: Self-Signed Device Certificates Section 4.1 Scenario 1: The Machine Hosting the Scripts Becomes the Root CA In the first scenario, the machine that hosts the scripts is the Root CA and it directly issues keys and certificates for the ROS and ROX devices. In this case the certificate requests generated for each device will be signed by the Root CA, which is also generated on the same machine hosting the scripts. NOTE The Root CA s certificate and private key will also be created and need to be protected after issuing the certificates. Scenario 1: The Machine Hosting the Scripts Becomes the Root CA 7
Chapter 4 Using Scripts to Create SSL Certificates 1 2 3 Figure 1: Scenario 1 1. Root Certificate Authority (CA) 1. 2. Certificate 3. ROS/ROX Devices Navigate to the RCKeyGen folder on the script machine and open the file config.txt in a text editor. NOTE Do not use the default parameters provided in the config.txt file. They are provided as an example only. 2. 3. Make sure CREATE_ROOTCA equals 1. Update the other parameters with relevant values. 4. Save and close the file. 5. Open the file device_data.txt in a text editor and replace the current content with a list of addresses (one per line) for devices for which certificates are to be generated. The script will take the list of addresses and use them as the Common Name parameter in the Distinguished name field (i.e. the Subject Identifier in an X.509 certificate). The script can take both IP addresses and DNS names for the switches. The list must have some addresses for the script to generate certificates. NOTE Setting the Common Name (IP address/dns address) correctly will make sure browsers do not complain about the certificate Common Name not matching the URL. The switch will also have to be accessed using the DNS name or the IP address that was provided in device_data.txt. Configuring an IP address for the Common Name and then accessing the unit with a DNS name (or vice versa) will cause the browser to complain. 6. Save and close the file. NOTE For Windows XP, scripts should be launched through the command prompt in the same order as described in this procedure. 8 Scenario 1: The Machine Hosting the Scripts Becomes the Root CA
Chapter 4 Using Scripts to Create SSL Certificates 7. Double-click the script 1_ssl_root_CA_certgen.vbs to generate the root certificate. 8. Double-click the script 02_ssl_device_certgen.vbs to generate a certificate for each device listed in device_data.txt and have them signed by the Root CA. When the script asks if the certificates need to be self-signed, click No. 9. Double-click the script 03_ssl_formatting.vbs to convert the certificates into PEM format and clean up any files that were created by the scripts. The finished certificates are available in the SSL_certs folder and named according to their associated device, as defined in device_data.txt. 10. Upload the created certificates to their respective devices. For more information about uploading the certificates, refer to the User Guide for the device. Section 4.2 Scenario 2: The CA Resides Elsewhere In this scenario, it is assumed that a CA has already been established in the organization, which can be used to accept certificate requests from the computer that hosts the scripts and signs the certificates for ROS and ROX devices. In this case, the script will simply generate a key and a corresponding certificate request, which will then have to be submitted to the CA for a certificate to be issued. Once the certificates have been issued, the certificate files will have to be copied to the SSL_certs folder (where the keys and the original signing requests are still present). Once the certificates are placed in the SSL_certs folder, a script needs to be executed to convert the certificates into PEM format, which is compatible with ROS devices. NOTE For examples of PEM formatted certificates and keys, refer to Chapter 7, PEM Formatted Certificates and Keys. Scenario 2: The CA Resides Elsewhere 9
Chapter 4 Using Scripts to Create SSL Certificates 1 2 3 4 5 6 7 Figure 2: Scenario 2 1. Root Certificate Authority (CA) 2. Certificate Authorities (CAs) ROX Compatible Certificate 7. ROS/ROX Devices 1. 3. Certificate 4. Certificate Request 5. Script Machine 6. ROS/ Navigate to the RCKeyGen folder on the script machine and open the file config.txt in a text editor. NOTE Do not use the default the parameters provided in the config.txt file. They are provided as an example only. 2. 10 Make sure CREATE_ROOTCA equals 0. Scenario 2: The CA Resides Elsewhere
Chapter 4 Using Scripts to Create SSL Certificates 3. Update the other parameters with relevant values. 4. Save and close the file. 5. Open the file device_data.txt in a text editor and replace the current content with a list of addresses (one per line) for devices for which certificates are to be generated. The script will take the list of addresses and use them as the Common Name parameter in the Distinguished name field (i.e. the Subject Identifier in an X.509 certificate). The script can take both IP addresses and DNS names for the switches. The list must have some addresses for the script to generate certificates. NOTE Setting the Common Name (IP address/dns address) correctly will make sure browsers do not complain about the certificate Common Name not matching the URL. The switch or router will also have to be accessed using the DNS name or the IP address that was provided in device_data.txt. Configuring an IP address for the Common Name and then accessing the unit with a DNS name (or vice versa) will cause the browser to complain. 6. Save and close the file. NOTE For Windows XP, scripts should be launched through the command prompt in the same order as described in this procedure. 7. Double-click the script 02_ssl_device_certgen.vbs to generate a certificate signing request for each device listed in device_data.txt. When the script asks if the certificates need to be self-signed, click No. The SSL_certs folder now has both keys and Certificate Signing Requests for the ROS/ROX devices. The CSRs need to be exported to and signed by the organizational CA. 8. Generate certificates from the Certificate Signing Requests. For more information, refer to Chapter 8, Generating a Certificate from a Certificate Request in Windows 2008 CA. 9. Copy the certificates issued by the CA to the SSL_certs folder. 10. Double-click the script 03_ssl_formatting.vbs to convert the certificates into PEM format and clean up any files that were created by the scripts. The finished certificates are available in the SSL_certs folder and named according to their associated device, as defined in device_data.txt. 11. Upload the certificates to their respective devices. For more information about uploading the certificates, refer to the User Guide for the device. Section 4.3 Scenario 3: Self-Signed Device Certificates In this scenario, each device certificate is signed by itself. If a CA has not been established in the organization or a Root CA in the host computer is not desirable, perform the following steps to generate self-signed device certificates that are signed by themselves. NOTE It is recommended to get the certificates for each device signed by a trusted Certificate Authority. Scenario 3: Self-Signed Device Certificates 11
Chapter 4 Using Scripts to Create SSL Certificates 1 3 2 Figure 3: Scenario 3 1. Script Machine 2. Certificate 3. ROS/ROX Devices 1. Navigate to the RCKeyGen folder on the script machine and open the file device_data.txt in a text editor. 2. Replace the current content with a list of addresses (one per line) for devices for which certificates are to be generated. The script will take the list of addresses and use them as the Common Name parameter in the Distinguished name field (i.e. the Subject Identifier in an X.509 certificate). The script can take both IP addresses and DNS names for the switches. The list must have some addresses for the script to generate certificates. NOTE Setting the Common Name (IP address/dns address) correctly will make sure browsers do not complain about the certificate Common Name not matching the URL. The switch will also have to be accessed using the DNS name or the IP address that was provided in device_data.txt. Configuring an IP address for the Common Name and then accessing the unit with a DNS name (or vice versa) will cause the browser to complain. 3. Save and close the file. NOTE For Windows XP, scripts should be launched through the command prompt in the same order as described in this procedure. 4. 12 Double-click the script 02_ssl_device_certgen.vbs to generate a certificate for each device listed in device_data.txt and have them signed by the Root CA. When the script asks if the certificates need to be self-signed, click Yes. Scenario 3: Self-Signed Device Certificates
Chapter 4 Using Scripts to Create SSL Certificates 5. Double-click the script 03_ssl_formatting.vbs to convert the certificates into PEM format and clean up any files that were created by the scripts. The finished certificates are available in the SSL_certs folder and named according to their associated device, as defined in device_data.txt. 6. Upload the certificates to their respective devices. For more information about uploading the certificates, refer to the User Guide for the device. Scenario 3: Self-Signed Device Certificates 13
Scenario 3: Self-Signed Device Certificates Chapter 4 Using Scripts to Create SSL Certificates 14
Chapter 5 Using the Scripts to Create SSH Keys for ROS Using the Scripts to Create SSH Keys for ROS The generation of SSH keys is a single step process. NOTE For information on how to regenerate SSH keys for ROX, refer to the ROX User Guide for the device. 1. Navigate to the RCKeyGen folder on the script machine and open the file device_data.txt in a text editor. 2. Replace the current content with a list of addresses (one per line) for devices for which SSH keys are to be generated. The script can take both IP addresses and DNS names. The list must have some addresses for the script to generate keys. 3. Save and close the file. NOTE For Windows XP, scripts should be launched through the command prompt in the same order as described in this procedure. 4. Double-click the script 4_ssh_keygen.vbs. The keys are generated and saved in the SSH_keys folder. 5. The keys are now available for upload in the SSH_keys folder. 6. Upload the keys to their respective ROS devices. For more information about uploading the keys, refer to the latest ROS User Guide for your device. 15
Chapter 5 Using the Scripts to Create SSH Keys for ROS 16
Chapter 6 Adding a Root CA Certificate to the List of Trusted Root CAs Adding a Root CA Certificate to the List of Trusted Root CAs In order for a certificate to be trusted, and often for a secure connection to be established, the certificate must have been issued by a CA that is included in the trusted store of the device that is connecting. If it is not in the list when a Web session to the device is opened, a warning message may appear stating the security certificate presented by the website was not issued by a trusted Certificate Authority. To prevent this warning message in Internet Explorer, perform the following procedure to add a Root CA certificate to the trusted Root CA list: NOTE This procedure is only applicable when device certificates are signed by a CA. For more information about signing device certificates, refer to Section 4.1, Scenario 1: The Machine Hosting the Scripts Becomes the Root CA and Section 4.2, Scenario 2: The CA Resides Elsewhere. 1. Open Internet Explorer. 2. Under Tools, click Internet Options. 3. Select the Content tab and click Certificates. The Certificates dialog box appears. Figure 4: Certificates Dialog Box 4. Select the Trusted Root Certification Authorities tab and click Import. The Certificate Import Wizard dialog box appears. 17
Chapter 6 Adding a Root CA Certificate to the List of Trusted Root CAs Figure 5: Certificate Import Wizard Dialog Box 18 5. Follow the on-screen instructions to locate the root certificate file and make sure it is placed in the Trusted Root Certification Authorities store. When finished, a security warning will be displayed. Click Yes to acknowledge 6. Acknowledge all other messages and close all dialog boxes. 7. In Internet Explorer, open a Web session to the device. The warning message should not appear.
Chapter 7 PEM Formatted Certificates and Keys PEM Formatted Certificates and Keys The following is an example of a PEM formatted SSH key: -----BEGIN RSA PRIVATE KEY----MIICXAIBAAKBgQC3xOHodmmPghN1uWuFs9WdURkT9Ngjh7ded8BRa1PP3xUFzYSp UIq5QB2zU0UsHE0fGRWqYr8GA4r59KIDhhV5J2D/dIL9qCGklWNPBamZCVu+4N5M 5L//Ga8N5lv3AbGSfEsiiyA38uNNR5B6QzpXuTbEBUq84hlD4wDiL78eKwIDAQAB AoGBAI2CXHuHg23wuk9zAusoOhw0MN1/M1jYz0k9aajIvvdZT3Tyd29yCADy8GwA eumowxls/c4ccbqpa9til8ei3rdn/w8dvevhsi9fxjtvsyqn+ilkw+momajzy4kn /kpdphmohwv/909vwr1azbr+ytxag/++tkl5bqxnzl4whf8xakea5vwut8usrg2/ TndOt1e8ILEQNHvHQdQr2et/xNH4ZEo7mqot6skkCD1xmxA6XG64hR3BfxFSZcew Wr4SOFGCtQJBAMurr5FYPJRFGzPM3HwcpAaaMIUtPwNyTtTjywlYcUI7iZVVfbdx 4B7qOadPybTg7wqUrGVkPSzzQelz9YCSSV8CQFqpIsEYhbqfTLZEl83YjsuaE801 xbivawlit0b2tvm2o7zsdog5fv4i990v+mgrqrtmexshvmechtknbcm7hh0cqe6b 2WUfLArDMJ8hAoRczeU1nipXrIh5kWWCgQsTKmUrafdEQvdpT8ja5GpX2Rp98eaU NHfI0cP36JpCdome2eUCQDZN9OrTgPfeDIXzyOiUUwFlzS1idkUGL9nH86iuPnd7 WVF3rV9Dse30sVEk63Yky8uKUy7yPUNWldG4U5vRKmY= -----END RSA PRIVATE KEY----- The following is an example of a PEM formatted SSL certificate: -----BEGIN CERTIFICATE----MIIC9jCCAl+gAwIBAgIJAJh6rrehMt3iMA0GCSqGSIb3DQEBBQUAMIGuMQswCQYD VQQGEwJDQTEQMA4GA1UECBMHT250YXJpbzEQMA4GA1UEBxMHQ29uY29yZDESMBAG A1UEChMJUnVnZ2VkY29tMRkwFwYDVQQLExBDdXN0b21lciBTdXBwb3J0MSYwJAYD VQQDEx1XUy1NSUxBTkdPVkFOLlJVR0dFRENPTS5MT0NBTDEkMCIGCSqGSIb3DQEJ ARYVc3VwcG9ydEBydWdnZWRjb20uY29tMB4XDTEyMTAyMzIxMTA1M1oXDTE3MTAy MjIxMTA1M1owgZwxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdPbnRhcmlvMRAwDgYD VQQHEwdDb25jb3JkMRIwEAYDVQQKEwlSdWdnZWRDb20xGTAXBgNVBAsTEEN1c3Rv bwvyifn1chbvcnqxfdasbgnvbamtcze5mi4xnjgums4ymsqwigyjkozihvcnaqkb FhVTdXBwb3J0QHJ1Z2dlZGNvbS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ AoGBALfE4eh2aY+CE3W5a4Wz1Z1RGRP02COHt153wFFrU8/fFQXNhKlQirlAHbNT RSwcTR8ZFapivwYDivn0ogOGFXknYP90gv2oIaSVY08FqZkJW77g3kzkv/8Zrw3m W/cBsZJ8SyKLIDfy401HkHpDOle5NsQFSrziGUPjAOIvvx4rAgMBAAGjLDAqMAkG A1UdEwQCMAAwHQYDVR0OBBYEFER0utgQOifnrflnDtsqNcnvRB0XMA0GCSqGSIb3 DQEBBQUAA4GBAHtBsNZuh8tB3kdqR7Pn+XidCsD70YnI7w0tiy9yiRRhARmVXH8h 5Q1rOeHceri3JFFIOxIxQt4KgCUYJLu+c9Esk/nXQQar3zR7IQCt0qOABPkviiY8 c3ibvbhjjlpr2vnw4xraj+hknntbog1xulp4vomj2syyzr+7xay/op/s -----END CERTIFICATE----- The following is an example of the combined certificate and key format used by both ROS and ROX: -----BEGIN CERTIFICATE----MIIC9jCCAl+gAwIBAgIJAJh6rrehMt3iMA0GCSqGSIb3DQEBBQUAMIGuMQswCQYD VQQGEwJDQTEQMA4GA1UECBMHT250YXJpbzEQMA4GA1UEBxMHQ29uY29yZDESMBAG A1UEChMJUnVnZ2VkY29tMRkwFwYDVQQLExBDdXN0b21lciBTdXBwb3J0MSYwJAYD VQQDEx1XUy1NSUxBTkdPVkFOLlJVR0dFRENPTS5MT0NBTDEkMCIGCSqGSIb3DQEJ ARYVc3VwcG9ydEBydWdnZWRjb20uY29tMB4XDTEyMTAyMzIxMTA1M1oXDTE3MTAy MjIxMTA1M1owgZwxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdPbnRhcmlvMRAwDgYD VQQHEwdDb25jb3JkMRIwEAYDVQQKEwlSdWdnZWRDb20xGTAXBgNVBAsTEEN1c3Rv bwvyifn1chbvcnqxfdasbgnvbamtcze5mi4xnjgums4ymsqwigyjkozihvcnaqkb FhVTdXBwb3J0QHJ1Z2dlZGNvbS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ 19
Chapter 7 PEM Formatted Certificates and Keys AoGBALfE4eh2aY+CE3W5a4Wz1Z1RGRP02COHt153wFFrU8/fFQXNhKlQirlAHbNT RSwcTR8ZFapivwYDivn0ogOGFXknYP90gv2oIaSVY08FqZkJW77g3kzkv/8Zrw3m W/cBsZJ8SyKLIDfy401HkHpDOle5NsQFSrziGUPjAOIvvx4rAgMBAAGjLDAqMAkG A1UdEwQCMAAwHQYDVR0OBBYEFER0utgQOifnrflnDtsqNcnvRB0XMA0GCSqGSIb3 DQEBBQUAA4GBAHtBsNZuh8tB3kdqR7Pn+XidCsD70YnI7w0tiy9yiRRhARmVXH8h 5Q1rOeHceri3JFFIOxIxQt4KgCUYJLu+c9Esk/nXQQar3zR7IQCt0qOABPkviiY8 c3ibvbhjjlpr2vnw4xraj+hknntbog1xulp4vomj2syyzr+7xay/op/s -----END CERTIFICATE---------BEGIN RSA PRIVATE KEY----MIICXAIBAAKBgQC3xOHodmmPghN1uWuFs9WdURkT9Ngjh7ded8BRa1PP3xUFzYSp UIq5QB2zU0UsHE0fGRWqYr8GA4r59KIDhhV5J2D/dIL9qCGklWNPBamZCVu+4N5M 5L//Ga8N5lv3AbGSfEsiiyA38uNNR5B6QzpXuTbEBUq84hlD4wDiL78eKwIDAQAB AoGBAI2CXHuHg23wuk9zAusoOhw0MN1/M1jYz0k9aajIvvdZT3Tyd29yCADy8GwA eumowxls/c4ccbqpa9til8ei3rdn/w8dvevhsi9fxjtvsyqn+ilkw+momajzy4kn /kpdphmohwv/909vwr1azbr+ytxag/++tkl5bqxnzl4whf8xakea5vwut8usrg2/ TndOt1e8ILEQNHvHQdQr2et/xNH4ZEo7mqot6skkCD1xmxA6XG64hR3BfxFSZcew Wr4SOFGCtQJBAMurr5FYPJRFGzPM3HwcpAaaMIUtPwNyTtTjywlYcUI7iZVVfbdx 4B7qOadPybTg7wqUrGVkPSzzQelz9YCSSV8CQFqpIsEYhbqfTLZEl83YjsuaE801 xbivawlit0b2tvm2o7zsdog5fv4i990v+mgrqrtmexshvmechtknbcm7hh0cqe6b 2WUfLArDMJ8hAoRczeU1nipXrIh5kWWCgQsTKmUrafdEQvdpT8ja5GpX2Rp98eaU NHfI0cP36JpCdome2eUCQDZN9OrTgPfeDIXzyOiUUwFlzS1idkUGL9nH86iuPnd7 WVF3rV9Dse30sVEk63Yky8uKUy7yPUNWldG4U5vRKmY= -----END RSA PRIVATE KEY----- 20
Chapter 8 Generating a Certificate from a Certificate Request in Windows 2008 CA Generating a Certificate from a Certificate Request in Windows 2008 CA If there is an existing windows certificate server in the organization, perform the following procedure to generate the certificate in a windows 2008 server: 1. Copy and paste the CSR file generated in the script machine to any folder in your CA. In this example the CSR files are copied to C:\. 2. Click Start, select Administrative Tools and click Certificate Authority. The certsrv window appears. Figure 6: Certsrv Window This window lists all of the domains that are part of the root CA. 3. Right-click the domain for which a certificate will be generated, select All Tools and click Submit New Request. The Open Request File dialog box appears. 21
Chapter 8 Generating a Certificate from a Certificate Request in Windows 2008 CA Figure 7: Open Request File Dialog Box 4. Select the CSR file and click Open. 5. Navigate to the Pending Requests folder. If the certificate request is uploaded properly, the request will appear in this folder. Figure 8: Pending Requests Folder 6. 22 When the request has been received, right-click the request, select All Tasks and click Issue. The request is signed by the CA and the certificate is issued.
Chapter 8 Generating a Certificate from a Certificate Request in Windows 2008 CA Figure 9: Issuing the Certificate 7. Navigate to the Issued Certificates folder. Figure 10: Issued Certificates Folder 8. Double-click on the certificate. The Certificate dialog box appears. 23
Chapter 8 Generating a Certificate from a Certificate Request in Windows 2008 CA Figure 11: Certificate Dialog Box 9. Click the Details tab. This displays the distinguished name parameters for the certificate. 10. Verify the distinguished name parameters are correct and then click Copy to File. The Certificate Export Wizard dialog box appears. Figure 12: Certificate Export Wizard 11. Follow the on-screen instructions and note the following: When the wizard asks which format to use, select Base-64 encoded X.509 (.CER). Make sure the name of the final certificate is consistent with the name of the device as defined in device_data.txt. For example, if the device hostname is 172.30.129.9, the file should be named 172.30.129.9.crt. 24
Chapter 8 Generating a Certificate from a Certificate Request in Windows 2008 CA Figure 13: Export File Format Screen 12. Copy the certificate to the SSL_certs folder. 13. Make sure a matching *.key file is present in the SSL_certs folder. 14. Double-click the script 03_ssl_formatting.vbs to convert the certificates into PEM format and clean up any files that were created by the scripts. The finished certificates are available in the SSL_certs folder and named according to their associated device, as defined in device_data.txt. 25
Chapter 8 Generating a Certificate from a Certificate Request in Windows 2008 CA 26
Chapter 9 Frequently Asked Questions (FAQs) Frequently Asked Questions (FAQs) Q: What should I do if my root CA s certificate has expired or I have a new root CA in my organization? A: If the existing root CA s certificate has expired or if you want to sign all of your existing device certificates using a new root CA, then all the device certificates has to be replaced with a new certificate signed by the new root CA. Follow the steps described in scenario 1 or scenario 2 (depending on your setup) to generate the root CA certificate and device certificate. Upload the new device certificates to ROS devices. Q: How should I replace a device certificate after expiry or how should I generate a certificate for a new device? A: If there is a new device in your organization which has to be signed or if a certificate for a device has to be regenerated after expiry, refer to one of the three scenarios (depending on your setup) described in the SSL certificates section of this document. Open the ` SSL_certs` folder and delete the expired device certificates if necessary and then open the `device_data.txt` file to add new device name. When creating certificates for new devices if you do not want to recreate device certificates for the existing devices for which certificates were previously created and uploaded, you can delete the old device names from the device_data.txt. Note that if you need to follow scenario 1 and you already have a valid Root CA in the SSL_certs folder, there is no need to run 1_ssl_root_CA_certgen.vbs script to generate a Root CA and in this case set the value for the `CREATE_ROOTCA=1` in the config.txt. Follow all of the remaining steps described in the test scenarios. Q: Do I need to use these scripts or OpenSSL? Is there another approach? A: Customers are free to use any key/certificate generation software they choose. 27
Chapter 9 Frequently Asked Questions (FAQs) 28