
Generating SSH Keys and SSL Certificates for ROS and ROX Using Windows

AN22
Application Note
6/2013

1 Introduction
2 Installing OpenSSL on Windows
3 Installing the Scripts
4 Using Scripts to Create SSL Certificates
5 Using the Scripts to Create SSH Keys for ROS
6 Adding a Root CA Certificate to the List of Trusted Root CAs
7 PEM Formatted Certificates and Keys
8 Generating a Certificate from a Certificate Request in Windows 2008 CA
9 Frequently Asked Questions (FAQs)

Summary of Contents for ROS


Page 2: ...red trademark of Siemens AG. OpenNMS is a registered trademark of The OpenNMS Group, Inc. Microsoft Windows XP and Microsoft Windows 7 are registered trademarks of Microsoft Corporation in the United States and other countries. Other designations in this manual might be trademarks whose use by third parties for their own purposes would infringe the rights of the owner. Security Information: Siemens prov...

Page 3: ...ine Hosting the Scripts Becomes the Root CA 7; 4.2 Scenario 2: The CA Resides Elsewhere 9; 4.3 Scenario 3: Self-Signed Device Certificates 11; Chapter 5 Using the Scripts to Create SSH Keys for ROS 15; Chapter 6 Adding a Root CA Certificate to the List of Trusted Root CAs 17; Chapter 7 PEM Formatted Certificates and Keys 19; Chapter 8 Generating a Certificate from a Certificate Request in Windows 2008 CA ...

Page 4: ...Table of Contents RUGGEDCOM Application Note iv ...

Page 5: ...lf-signed certificates or certificates signed by a Certificate Authority (CA). This document will make the Windows machine a Certificate Authority (CA) and sign certificates. IMPORTANT: Normally, the steps involved in creating the private key and creating the Certificate Signing Request (CSR) are the ones that will be performed if a Certificate Chain of Trust is implemented in the organization. The CSR files...


Page 7: ...owing: 1. Download the OpenSSL Setup program (without sources) for Windows from http://gnuwin32.sourceforge.net/packages/openssl.htm. 2. Double-click the downloaded file and install OpenSSL. During the installation process, change the installation directory to C:\OpenSSL. This is essential for the scripts to generate the certificates and keys properly. ...


Page 9: ...talling the Scripts. To install the scripts, extract the contents of the Zip file (AN22.zip) obtained from Siemens into an appropriate location on the script machine (the computer or server that hosts the scripts). A folder titled RCKeyGen will be placed in the chosen location. ...


Page 11: ...CA Resides Elsewhere; Section 4.3 Scenario 3: Self-Signed Device Certificates. Section 4.1 Scenario 1: The Machine Hosting the Scripts Becomes the Root CA. In the first scenario, the machine that hosts the scripts is the Root CA and it directly issues keys and certificates for the ROS and ROX devices. In this case, the certificate requests generated for each device will be signed by the Root CA, which is a...

Page 12: ...tificates are to be generated. The script will take the list of addresses and use them as the Common Name parameter in the Distinguished Name field (i.e. the Subject Identifier in an X.509 certificate). The script can take both IP addresses and DNS names for the switches. The list must have some addresses for the script to generate certificates. NOTE: Setting the Common Name (IP address or DNS address) correct...

Page 13: ...re information about uploading the certificates, refer to the User Guide for the device. Section 4.2 Scenario 2: The CA Resides Elsewhere. In this scenario, it is assumed that a CA has already been established in the organization which can be used to accept certificate requests from the computer that hosts the scripts and sign the certificates for ROS and ROX devices. In this case, the script will simpl...

Page 14: ... (Figure legend: 2 Certificate Authorities (CAs); 3 Certificate; 4 Certificate Request; 5 Script Machine; 6 ROS/ROX Compatible Certificate; 7 ROS/ROX Devices.) 1. Navigate to the RCKeyGen folder on the script machine and open the file config.txt in a text editor. NOTE: Do not use the default parameters provided in the config.txt file. They are provided as an example only. 2. Make sure CREATE_ROOTCA equals 0. ...

Page 15: ...click the script 02_ssl_device_certgen.vbs to generate a certificate signing request for each device listed in device_data.txt. When the script asks if the certificates need to be self-signed, click No. The SSL_certs folder now has both keys and Certificate Signing Requests for the ROS/ROX devices. The CSRs need to be exported to and signed by the organizational CA. 8. Generate certificates from the Cer...

Page 16: ...s. The list must have some addresses for the script to generate certificates. NOTE: Setting the Common Name (IP address or DNS address) correctly will make sure browsers do not complain about the certificate Common Name not matching the URL. The switch will also have to be accessed using the DNS name or the IP address that was provided in device_data.txt. Configuring an IP address for the Common Name and th...

Page 17: ...ert the certificates into PEM format and clean up any files that were created by the scripts. The finished certificates are available in the SSL_certs folder and named according to their associated device as defined in device_data.txt. 6. Upload the certificates to their respective devices. For more information about uploading the certificates, refer to the User Guide for the device. ...


Page 19: ...ses, one per line, for devices for which SSH keys are to be generated. The script can take both IP addresses and DNS names. The list must have some addresses for the script to generate keys. 3. Save and close the file. NOTE: For Windows XP, scripts should be launched through the command prompt in the same order as described in this procedure. 4. Double-click the script 4_ssh_keygen.vbs. The keys are generated...


Page 21: ... trusted Certificate Authority. To prevent this warning message in Internet Explorer, perform the following procedure to add a Root CA certificate to the trusted Root CA list. NOTE: This procedure is only applicable when device certificates are signed by a CA. For more information about signing device certificates, refer to Section 4.1 Scenario 1: The Machine Hosting the Scripts Becomes the Root CA and S...

Page 22: ...screen instructions to locate the root certificate file and make sure it is placed in the Trusted Root Certification Authorities store. When finished, a security warning will be displayed. Click Yes to acknowledge. 6. Acknowledge all other messages and close all dialog boxes. 7. In Internet Explorer, open a Web session to the device. The warning message should not appear. ...

Page 23: ...OLlJVR0dFRENPTS5MT0NBTDEkMCIGCSqGSIb3DQEJ ARYVc3VwcG9ydEBydWdnZWRjb20uY29tMB4XDTEyMTAyMzIxMTA1M1oXDTE3MTAy MjIxMTA1M1owgZwxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdPbnRhcmlvMRAwDgYD VQQHEwdDb25jb3JkMRIwEAYDVQQKEwlSdWdnZWRDb20xGTAXBgNVBAsTEEN1c3Rv bWVyIFN1cHBvcnQxFDASBgNVBAMTCzE5Mi4xNjguMS4yMSQwIgYJKoZIhvcNAQkB FhVTdXBwb3J0QHJ1Z2dlZGNvbS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ AoGBALfE4eh2aY CE3W5a4Wz1Z1RGRP02...

Page 24: ...kT9Ngjh7ded8BRa1PP3xUFzYSp UIq5QB2zU0UsHE0fGRWqYr8GA4r59KIDhhV5J2D dIL9qCGklWNPBamZCVu 4N5M 5L Ga8N5lv3AbGSfEsiiyA38uNNR5B6QzpXuTbEBUq84hlD4wDiL78eKwIDAQAB AoGBAI2CXHuHg23wuk9zAusoOhw0MN1 M1jYz0k9aajIvvdZT3Tyd29yCADy8GwA eUmoWXLS C4CcBqPa9til8ei3rDn w8dveVHsi9FXjtVSYqN ilKw moMAjZy4kN kpdpHMohwv 909VWR1AZbr YTxaG tKl5bqXnZl4wHF8xAkEA5vwut8USRg2 TndOt1e8ILEQNHvHQdQr2et xNH4ZEo7mqot6skkCD1xmxA6XG64h...

Page 25: ...icate in a Windows 2008 server. 1. Copy and paste the CSR file generated in the script machine to any folder in your CA. In this example, the CSR files are copied to C:\. 2. Click Start, select Administrative Tools and click Certificate Authority. The certsrv window appears. Figure 6: Certsrv Window. This window lists all of the domains that are part of the root CA. 3. Right-click the domain for which a certific...

Page 26: ...Select the CSR file and click Open. 5. Navigate to the Pending Requests folder. If the certificate request is uploaded properly, the request will appear in this folder. Figure 8: Pending Requests Folder. 6. When the request has been received, right-click the request, select All Tasks and click Issue. The request is signed by the CA and the certificate is issued. ...

Page 27: ...g a Certificate from a Certificate Request in Windows 2008 CA 23. Figure 9: Issuing the Certificate. 7. Navigate to the Issued Certificates folder. Figure 10: Issued Certificates Folder. 8. Double-click on the certificate. The Certificate dialog box appears. ...

Page 28: ...meters are correct and then click Copy to File. The Certificate Export Wizard dialog box appears. Figure 12: Certificate Export Wizard. 11. Follow the on-screen instructions and note the following: when the wizard asks which format to use, select Base-64 encoded X.509 (.CER). Make sure the name of the final certificate is consistent with the name of the device as defined in device_data.txt. For example, if the...

Page 29: ...he SSL_certs folder. 13. Make sure a matching key file is present in the SSL_certs folder. 14. Double-click the script 03_ssl_formatting.vbs to convert the certificates into PEM format and clean up any files that were created by the scripts. The finished certificates are available in the SSL_certs folder and named according to their associated device as defined in device_data.txt. ...


Page 31: ...ficate for a device has to be regenerated after expiry, refer to one of the three scenarios (depending on your setup) described in the SSL certificates section of this document. Open the SSL_certs folder and delete the expired device certificates if necessary, and then open the device_data.txt file to add the new device name. When creating certificates for new devices, if you do not want to recreate device c...

