Certificate Files Creation (PKI)

The following section walks through the process to create a Certificate Authority (CA) and a key-pair for a DXL client.

Steps 5 through 7 below should be repeated for each DXL client that is going to connect to the DXL fabric.

Windows

  1. Download and install Open SSL for Windows
  1. Open Command Prompt and set OpenSSL environment variables
  • Open a command prompt (Start > Run > cmd.exe)

  • Set the following environment variables (adjust OpenSSL path based on your install location):

    C:\>set OPENSSL_BIN=c:\OpenSSL-Win32\bin
    
    C:\>set PATH=%OPENSSL_BIN%;%PATH%
    
    C:\>set OPENSSL_CONF=%OPENSSL_BIN%\openssl.cfg
    

    These environment variables could also be permanently defined in your computer settings.

  • The following steps must take place in this command prompt.

  1. Create and change to directory for output files
  • Create directory:

    c:\>mkdir c:\certificates
    
  • Change to output directory:

    c:\>cd c:\certificates
    
  1. Create Certificate Authority (CA)
  • Create the certificate authority (CA):

    c:\certificates>openssl req -new -x509 -days 365 -extensions v3_ca -keyout ca.key -out ca.crt
    
  • Fill out the required information:

    Generating a 2048 bit RSA private key
    ..............................................................+++
    ..............................................................+++
    writing new private key to 'ca.key'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:Oregon
    Locality Name (eg, city) []:Hillsboro
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Intel
    Organizational Unit Name (eg, section) []:ISECG-CA
    Common Name (e.g. server FQDN or YOUR name) []:John Doe
    Email Address []:john.doe@intel.com
    
  • At this point you have created the Certificate Authority's private key ca.key and certificate ca.crt.

    • Remember the PEM pass phrase you entered when creating the private key (this is necessary when signing client certificates).
    • Protect the Certificate Authority private key (ca.key).
  1. Provision a key-pair for a DXL Client (Python)
  • Generate a Private Key for the client:

    c:\certificates>openssl genrsa -out client.key 2048
    
  • The following should be displayed:

    Generating RSA private key, 2048 bit long modulus
    .......................+++
    ..................................................+++
    e is 65537 (0x10001)
    
  • Create a Certificate Signing Request (CSR) for the client:

    c:\certificates>openssl req -out client.csr -key client.key -new
    
  • Fill out the required information

    The "challenge password" can be blank (the default)

    NOTE: The "Organizational Unit Name" entered must not be the same as the "Organizational Unit Name" entered in Step #4 (Create Certificate Authority):

    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:Oregon
    Locality Name (eg, city) []:Hillsboro
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Intel
    Organizational Unit Name (eg, section) []:ISECG-Client
    Common Name (e.g. server FQDN or YOUR name) []:John Doe
    Email Address []:john.doe@intel.com
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    
  1. Sign the Certificate Signing Request (CSR)
  • Have the Certificate Authority (CA) sign the signing request (CSR):

    c:\certificates>openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365
    
  • When prompted, enter the CA PEM pass phrase from Step #4, above. You should see output similar to the following:

    Signature ok
    subject=/C=US/ST=Oregon/L=Hillsboro/O=Intel/OU=ISECG-Client/CN=John Doe/emailAddress=john.doe@intel.com
    Getting CA Private Key
    Enter pass phrase for ca.key:
    
  • At this point you will have a certificate client.crt and an associated private key client.key for use with a DXL client.

  • These files are specified as cert_file and private_key parameters when constructing a dxlclient.client_config.DxlClientConfig instance.

    These files can also be specified via a configuration file used to instantiate a dxlclient.client_config.DxlClientConfig instance.

    See the dxlclient.client_config.DxlClientConfig.create_dxl_config_from_file() method for more information.

  1. Validate Certificate (Optional)
  • The following command can be used to ensure the client certificate is valid for the certificate authority:

    c:\certificates>openssl verify -verbose -CAfile ca.crt client.crt
    
  • If the certificate is valid, you should see the following output:

    client.crt: OK
    

Linux

The steps for Linux-based platforms are very similar to those listed for Windows above.

Installation of OpenSSL for the various Linux platforms is outside the scope of this document.