
Create your own certificates with OpenSSL

There are various options for creating certificates yourself. We use OpenSSL as an example here.

Installing OpenSSL under Windows

OpenSSL for Windows can be downloaded here: https://slproweb.com/products/Win32OpenSSL.html.

After installation, certificates can be created directly using the "OpenSSL Command Prompt". If you want to use OpenSSL in the normal Windows Terminal or Windows Power Shell, two entries must be set in the environment variables:

Run sysdm.cpl, open the Environment Variables dialog from the Advanced tab and create a new system variable:

Variable name: OPENSSL_CONF

Variable value: Target location/folder + \bin\openssl.cfg

(e.g. C:\Program Files\OpenSSL-Win64\bin\openssl.cfg)


Edit the Path variable and add a new entry for the OpenSSL installation path:

Check the installation of OpenSSL in the Windows terminal:


Installing OpenSSL under Linux (Debian derivatives)

On Linux, OpenSSL is provided by the package manager; sudo apt install openssl installs the version available in the package repositories.

The latest version can be downloaded and installed with the following commands:

Locate the latest version on the download page: https://openssl-library.org/source/.


Download the archive: wget https://www.openssl.org/source/openssl-3.3.1.tar.gz

If wget reports a certificate error, the check can be skipped with wget --no-check-certificate <url>.

Unpack the package: tar -zxvf openssl-3.3.1.tar.gz

Switch to the folder: cd openssl-3.3.1

Install the build tools: sudo apt install build-essential

Build OpenSSL:

./Configure
make
sudo make install

Creating your own certificates

To create your own certificates, first switch to the folder where the certificates are to be created.

The following commands pass several subject attributes into the certificates. The attributes have these meanings:

  • C = Country
  • ST = State or Province
  • L = Locality
  • O = Organization Name
  • OU = Organizational Unit Name
  • CN = Common Name

A CA certificate and the corresponding key can be created with the following commands:

openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1825 -out rootCA.pem -subj "/C=CH/ST=Bern/L=Lyssach/CN=SQL4automation/O=Inasoft"

This creates a certificate rootCA.pem and the associated private key rootCA.key.

A private key and a certificate for a connection via localhost, valid for 1825 days and signed by the rootCA:

openssl genrsa -out server_localhost.key 2048
openssl req -new -key server_localhost.key -out server_localhost.csr -subj "/C=CH/ST=Bern/L=Lyssach/CN=127.0.0.1/O=Inasoft"
openssl x509 -req -in server_localhost.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server_localhost.crt -days 1825 -sha256

A password-protected private key and a certificate for a connection via localhost, valid for 1825 days and signed by the rootCA:

openssl genrsa -aes256 -passout stdin -out client_localhost_pass.key 2048
openssl req -new -key client_localhost_pass.key -out client_localhost_pass.csr -subj "/C=CH/ST=Bern/L=Lyssach/CN=127.0.0.1/O=Inasoft"
openssl x509 -req -in client_localhost_pass.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out client_localhost_pass.crt -days 1825 -sha256
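As an added example that is not part of the original page, the following POSIX shell script runs the same chain of commands as above (self-signed root CA, CSR, CA-signed server certificate) in a scratch directory and then performs the two checks worth doing before the files are copied anywhere: that the server certificate verifies against rootCA.pem and that the certificate and private key belong together. The function names and the temporary directory are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original page: builds the same chain as the
# commands above (self-signed root CA -> CSR -> CA-signed server certificate) in a
# scratch directory, then runs the checks worth doing before the files are copied
# to the certs folders: chain verification and a key/certificate match.
set -eu

WORKDIR="$(mktemp -d)"                        # constructed scratch directory
SUBJ_BASE="/C=CH/ST=Bern/L=Lyssach/O=Inasoft" # subject fields from the page

# make_root_ca NAME CN: self-signed CA (NAME.key / NAME.pem), same options as above
make_root_ca() {
    openssl genrsa -out "$WORKDIR/$1.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$WORKDIR/$1.key" -sha256 -days 1825 \
        -out "$WORKDIR/$1.pem" -subj "$SUBJ_BASE/CN=$2" 2>/dev/null
}

# make_signed_cert NAME CN CA: key + CSR for NAME, signed with CA.key / CA.pem
make_signed_cert() {
    openssl genrsa -out "$WORKDIR/$1.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/$1.key" -out "$WORKDIR/$1.csr" \
        -subj "$SUBJ_BASE/CN=$2" 2>/dev/null
    openssl x509 -req -in "$WORKDIR/$1.csr" -CA "$WORKDIR/$3.pem" \
        -CAkey "$WORKDIR/$3.key" -CAcreateserial -out "$WORKDIR/$1.crt" \
        -days 1825 -sha256 2>/dev/null
}

# verify_chain NAME CA: succeeds only if NAME.crt chains to CA.pem
verify_chain() {
    openssl verify -CAfile "$WORKDIR/$2.pem" "$WORKDIR/$1.crt" >/dev/null 2>&1
}

# key_matches_cert NAME: the public key in the certificate must equal the one
# derived from the private key, otherwise the pair is unusable for TLS
key_matches_cert() {
    [ "$(openssl x509 -in "$WORKDIR/$1.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$WORKDIR/$1.key" -pubout)" ]
}

# Same artefacts as the page's commands: rootCA and server_localhost (CN=127.0.0.1)
make_root_ca rootCA SQL4automation
make_signed_cert server_localhost 127.0.0.1 rootCA
verify_chain server_localhost rootCA
key_matches_cert server_localhost
openssl x509 -in "$WORKDIR/server_localhost.crt" -noout -subject -issuer -dates
```

The final command prints the subject, issuer and validity period so the CN and O values can be checked against what the controllers expect.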

The certificates must be copied to the following locations:

  • The content of the CA certificate goes into the known_hosts file under ...\certs\CA\
  • All certificates including private keys for the connector must be copied to the folder ...\certs\S4AConnector.
  • All certificates including private keys for the connector must be copied to the folder ...\certs\S4AQueryTool.

All certificates for PLCs and robot controllers must be loaded into the certificate manager of the controllers.