Setting up your own self signed root CA is useful if you want to set up your own Apache or Nginx Server with a mutual authentication scheme which allows the server to validate the client. Additionally, some IoT cloud server frameworks offer the option to use client certificates issued against a self signed root CA.
In this tutorial, we’ll show you how to generate your own self signed root CA and how to generate client certificates which use the keys from an IoT SBC with an installed Zymkey.
This assumes that the CA is running Linux on another computer (or virtual machine). Best practices dictate that this computer should be isolated from the outside world. In reality what this might mean is that other entities cannot get to this other computer via networking.
The first thing to do is create the directory where the root CA lives, then change to that directory. We’ll place this directory in the user’s home directory,
mkdir -p ~/myCA cd ~/myCA
Next, we’ll generate an ECDSA key pair for the CA. This keypair will be NIST-P256, the same curve type used by Zymkey 4i:
openssl ecparam -name prime256v1 -genkey -noout -out ca.key
Finally, we’ll generate the root CA certificate. Answer all the questions for your particular organizational specifics:
openssl req -x509 -new -SHA256 -nodes -key ca.key -days 3650 -out ca.crt
-days parameter can be changed to suit your needs. The example above specifies an expiration date of 10 years from the time of generation.
That’s it! You now have a root CA that can be used to generate client certificates for mutual auth. If you are running an Apache or Nginx server, you would probably also create the server certificate from here as well. We won’t cover this as most people will want to use a more popular cloud server framework like AWS IoT or Microsoft Azure.
On your client Zymkey-equipped Raspberry Pi, you’ll need to generate a CSR. Check out Generating a Certificate Signing Request (CSR) Using Zymkey. After your CSR has been generated, you’ll need to move it over to the machine with your root CA.
Next, generate the certificate against your root CA. Assuming that the CSR is named
myClientCert.csr and the cert will be named
openssl x509 -req -in myClientCert.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out myClientCert.crt
Copy the resulting certificate back to the appropriate place on your client Pi and, as needed, to your cloud framework account.
That’s it! Happy TLS’ing!