Kaspersky IoT Secure Gateway 1000

Creating certificates manually

April 12, 2024

ID 214409

Creating a root certificate

A root certificate can be issued by a certification authority and stored on a USB drive or token, or you can create one yourself by following the instructions below.

The root certificate uploaded to Kaspersky IoT Secure Gateway 1000 will be used later to verify the administrator certificate and user certificate when connecting to the Kaspersky IoT Secure Gateway 1000 web interface.

A root certificate must be created on a trusted device in a secure environment: the device must have no vulnerabilities and no Internet access.

Below is an example of using the OpenSSL utility to create a root certificate. For detailed information on using the utility, refer to the OpenSSL documentation.

To create a root certificate using the OpenSSL tool:

  1. In the console, start the OpenSSL tool by running the following command:

    openssl req -x509 -newkey rsa:4096 -keyout cert_key.pem -out cert.pem -days 365 -subj "/C=RU/ST=Moscow/L=Moscow/O=SomeOrganization/OU=SomeUnit/emailAddress=test@example.com/CN=KISGAuthCert" -extensions v3_ca

    where:

    • -x509 – setting that indicates creation of a self-signed certificate. In this case, the standard public key infrastructure of the SSL and TLS protocols is used to manage keys and certificates.
    • -newkey – setting that indicates the need to create a new certificate and a new key at the same time.
    • rsa:4096 – setting that defines the type and length of the key. When this setting is applied, a key will be created using the RSA encryption algorithm with a length of 4096 bits.
    • -keyout cert_key.pem – name of the file where the private key of the created certificate is saved.
    • -out cert.pem – name of the file where the created certificate is saved.
    • -days 365 – validity period of the created root certificate, in days.
    • -subj – group of settings that specifies the registration information about the company that issued the certificate.
  2. Enter and confirm the password for the private certificate key. The password must differ from the default certificate password.

    As a result, the following two files are created in the directory where the command was executed:

    • cert.pem: root certificate file
    • cert_key.pem: root certificate private key

    If the root certificate needs to be updated, the newly created cert.pem root certificate file must be uploaded.

Creating an administrator certificate and user certificate

An administrator certificate and user certificate can be created from a previously generated root certificate.

The administrator certificate and user certificate uploaded to Kaspersky IoT Secure Gateway 1000 will then be used to connect to the Kaspersky IoT Secure Gateway 1000 web interface.

Below is an example of using the OpenSSL utility to create an administrator certificate or user certificate. For detailed information on using the utility, refer to the OpenSSL documentation.

To create an administrator certificate or user certificate using the OpenSSL tool:

  1. To create a private key and a certificate signing request (CSR) for the new certificate, run the OpenSSL utility in the console by executing the following command:

    openssl req -new -newkey rsa:4096 -keyout TlsClientAdminKey.pem -out TlsClientAdmin.csr

  2. To sign the certificate with the previously generated root certificate, run the following command and enter the password for the root certificate private key:

    openssl x509 -req -days 365 -in TlsClientAdmin.csr -CA cert.pem -CAkey cert_key.pem -CAcreateserial -out TlsClientAdmin.crt -extensions v3_req

    The new certificate file in CRT format is needed for updating the administrator certificate or user certificate.

  3. To create an archive containing the new certificate and private key, run the following command:

    openssl pkcs12 -export -in TlsClientAdmin.crt -inkey TlsClientAdminKey.pem -out TlsClientAdmin.p12 -name TlsClientAdmin -descert -nomaciter

    The new archive file in P12 format must be uploaded to the browser when connecting to the Kaspersky IoT Secure Gateway 1000 web interface.
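
The checks below are an added example, not part of the original Kaspersky procedure: they confirm that the client certificate chains to the root certificate, that the private key belongs to the certificate, and that the certificate is not close to expiry. The function names, the 2048-bit demo keys, the subjects and the command-line passphrases are assumptions made so the script runs unattended; with real keys, let OpenSSL prompt for the passphrase as in the steps above.

```shell
#!/bin/sh
# Added example: checks to run on the files produced by the procedure above.
# Subjects, passphrases and the 2048-bit key size are constructed for the demo.

# Succeeds if certificate $2 chains to root certificate $1.
chains_to_root() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds if private key $2 (passphrase source $3) belongs to certificate $1.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -passin "$3" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if certificate $1 is still valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Builds a throwaway root and administrator certificate in directory $1 with
# the page's commands, made non-interactive via -subj, -passout and -passin.
make_demo_pki() {
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -keyout cert_key.pem -out cert.pem \
          -days 365 -subj "/CN=KISGAuthCert" -extensions v3_ca \
          -passout pass:demo-root-pass &&
      openssl req -new -newkey rsa:2048 -keyout TlsClientAdminKey.pem \
          -out TlsClientAdmin.csr -subj "/CN=demo-admin" \
          -passout pass:demo-admin-pass &&
      openssl x509 -req -days 365 -in TlsClientAdmin.csr -CA cert.pem \
          -CAkey cert_key.pem -CAcreateserial -out TlsClientAdmin.crt \
          -passin pass:demo-root-pass
    ) >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || { rm -rf "$d"; return 1; }
    chains_to_root "$d/cert.pem" "$d/TlsClientAdmin.crt" && echo "chain: ok"
    key_matches_cert "$d/TlsClientAdmin.crt" "$d/TlsClientAdminKey.pem" \
        pass:demo-admin-pass && echo "key pair: ok"
    valid_for_days "$d/TlsClientAdmin.crt" 30 && echo "expiry: more than 30 days left"
    rm -rf "$d"
}
demo
```

Running the chain check before uploading catches a client certificate signed by a different root that carries the same subject name, which the file names alone do not reveal.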
