10: Security Settings
XPort AR User Guide
90
SSL Certificates and Private Keys
You can obtain a certificate by completing a certificate request and sending it to a certificate
authority that will create a certificate/key combo, usually for a fee. Or generate your own. A few
utilities exist to generate self-signed certificates or sign certificate requests. The XPort AR also has
the ability to generate its own self-signed certificate/key combo.
You can use XML to export the certificate in PEM format, but you cannot export the key. Hence the
internal certificate generator can only be used for certificates that are to identify that particular
XPort AR.
Certificates and private keys can be stored in several file formats. Best known are PKCS12, DER
and PEM. Certificate and key can be in the same file or in separate files. The key can be encrypted
with a password or not. The XPort AR currently only accepts separate PEM files. The key needs to
be unencrypted.
SSL Utilities
Several utilities exist to convert between the formats as follows:
OpenSSL—Open source set of SSL related command line utilities. It can act as server or
client. It can generate or sign certificate requests. It can convert all kinds of formats.
Executables are available for Linux and Windows. To generate a self-signed RSA certificate/
key combo use the following commands in the order shown:
openssl req –x509 –nodes –days 365 –newkey rsa:1024 –keyout
mp_key.pem –out mp_cert.pem
Note:
Signing other certificate requests is also possible with OpenSSL. See
www.openssl.org
or
www.madboa.com/geek/openssl
for more information.
Steel Belted Radius—Commercial radius server by Juniper Networks that provides a GUI
administration interface. It also provides a certificate request and self-signed certificate
generator. The self-signed certificate has extension .sbrpvk and is in the PKCS12 format.
OpenSSL can convert this into a PEM format certificate and key by usig the following
commands in the order shown:
openssl pkcs12 -in sbr_certkey.sbrpvk -nodes -out sbr_certkey.pem
The sbr_certkey.pem file contains both certificate and key. If loading the SBR certificate into
XPort AR as an authority, you will need to edit it. Open the file in any plain text editor. Delete
all info before the following:
“----- BEGIN CERTIFICATE-----“
and after
“----- END CERTIFICATE-----“
and save as sbr_cert.pem. SBR accepts trusted-root certificates in the DER format. Again,
OpenSSL can convert any format into DER by using the following commands in the order
shown:
openssl x509 -inform pem -in mp_cert.pem -outform der -out
mp_cert.der