Creating Security Certificates for TLS Mutual Authentication
This section explains how to create self-signed security certificates for mutual authentication.
Create the Certificate Authority (CA) private key and the self-signed CA certificate:
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -days 2048 -out ca.pem
Enter the information for the certificate when prompted.
This information is known as the Distinguished Name (DN).
The important field in the DN is the Common Name (CN), which should be the exact Fully Qualified Domain Name (FQDN) of the host with which you intend to use the certificate.
Apart from the Common Name, all other fields are optional and you can skip them.
If you purchase an SSL certificate from a certificate authority, it is often required that these additional fields, such as "Organization", accurately reflect your organization's details.
Best Practice: We recommend using the device IP address as the Common Name.
Create the client private key, a certificate signing request (CSR), a client certificate signed by the CA, and a PKCS#12 bundle that holds the client key and certificate:
openssl genrsa -out cp_client.key 2048
openssl req -new -key cp_client.key -out cp_client.csr
openssl x509 -req -in cp_client.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out cp_client.crt -days 2048 -sha256
openssl pkcs12 -inkey cp_client.key -in cp_client.crt -export -out cp_client.p12
The export password (challenge phrase) you enter during this conversion is required in the cp_client TLS configuration.
Create the server private key, a CSR, and a server certificate signed by the same CA:
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out server.crt -days 2048 -sha256
Some SIEM applications require the server certificate to be in a specific format. For more information, refer to the SIEM Specific Instructions section in sk122323.
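The following shell script is an added example and is not part of the original page or of Check Point's own tooling. It runs the same three steps (CA, client, server) non-interactively with -subj so the script can be repeated, marks the client certificate for client authentication, puts the server name into a subjectAltName (most current TLS libraries match the host name against the SAN rather than the CN, so a certificate whose only identity is the CN may be rejected), and finishes with openssl verify so a broken chain is caught before the certificates are deployed. The function name make_mtls_certs, the helper server_has_san, the CA subject "Example Log Exporter CA" and the output directory are assumptions; it requires openssl 1.1.1 or later on the PATH.

```shell
#!/bin/sh
# Added example, not from the original page: non-interactive mutual-TLS
# certificate creation with a SAN on the server certificate and a final
# chain verification. Assumes openssl 1.1.1+ on PATH and a writable OUTDIR.
set -eu

# make_mtls_certs OUTDIR SERVER_NAME P12_PASSPHRASE
#   SERVER_NAME is the IP address (as the page recommends) or the FQDN of
#   the server; it becomes both the CN and the subjectAltName.
make_mtls_certs() {
    outdir=$1; name=$2; p12pass=$3
    mkdir -p "$outdir"

    # Choose the SAN type: IP: for a dotted-quad, DNS: for anything else.
    case "$name" in
        *[!0-9.]*) san="DNS:$name" ;;
        *)         san="IP:$name" ;;
    esac

    # 1. CA private key and self-signed CA certificate (hypothetical CA name).
    openssl genrsa -out "$outdir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$outdir/ca.key" -days 2048 \
        -subj "/CN=Example Log Exporter CA" -out "$outdir/ca.pem"

    # 2. Client key, CSR, CA-signed certificate restricted to client
    #    authentication, and the PKCS#12 bundle the client configuration uses.
    openssl genrsa -out "$outdir/cp_client.key" 2048 2>/dev/null
    openssl req -new -key "$outdir/cp_client.key" -subj "/CN=cp_client" \
        -out "$outdir/cp_client.csr"
    printf 'extendedKeyUsage=clientAuth\n' > "$outdir/client.ext"
    openssl x509 -req -in "$outdir/cp_client.csr" \
        -CA "$outdir/ca.pem" -CAkey "$outdir/ca.key" -CAcreateserial \
        -days 2048 -sha256 -extfile "$outdir/client.ext" \
        -out "$outdir/cp_client.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$outdir/cp_client.key" \
        -in "$outdir/cp_client.crt" -passout "pass:$p12pass" \
        -out "$outdir/cp_client.p12"

    # 3. Server key, CSR, and CA-signed certificate carrying the SAN.
    openssl genrsa -out "$outdir/server.key" 2048 2>/dev/null
    openssl req -new -key "$outdir/server.key" -subj "/CN=$name" \
        -out "$outdir/server.csr"
    printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$san" \
        > "$outdir/server.ext"
    openssl x509 -req -in "$outdir/server.csr" \
        -CA "$outdir/ca.pem" -CAkey "$outdir/ca.key" -CAcreateserial \
        -days 2048 -sha256 -extfile "$outdir/server.ext" \
        -out "$outdir/server.crt" 2>/dev/null

    # 4. Both leaf certificates must chain to the CA, otherwise fail here
    #    rather than at the first TLS handshake.
    openssl verify -CAfile "$outdir/ca.pem" \
        "$outdir/cp_client.crt" "$outdir/server.crt" >/dev/null
}

# server_has_san OUTDIR NAME: succeeds if NAME appears in the server
# certificate's Subject Alternative Name extension.
server_has_san() {
    openssl x509 -in "$1/server.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' | grep -q "$2"
}

# Stand-alone usage: ./mkcerts.sh ./certs 192.0.2.10 'export-password'
if [ $# -ge 3 ]; then
    make_mtls_certs "$1" "$2" "$3"
    server_has_san "$1" "$2" && echo "certificates written to $1"
fi
```

The constructed server name 192.0.2.10 in the usage line is a documentation address; replace it with the address or FQDN of the real device. The export password passed as the third argument is the value the cp_client TLS configuration expects.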