Creating an administrator certificate

The TLS protocol (Transport Layer Security) is a secure protocol that uses encryption to transfer data in local networks and on the Internet. The TLS protocol is used in web applications to create secure connections between a client application and a web server.

The TLS protocol is used in Kaspersky IoT Secure Gateway 1000 to set up a secure communication channel between the Kaspersky IoT Secure Gateway 1000 web server and the browser that the user uses to connect to the Kaspersky IoT Secure Gateway 1000 web interface. When first connecting to the Kaspersky IoT Secure Gateway 1000 web interface, you must create and upload an administrator certificate. The uploaded administrator certificate will then be used for subsequent user authentication when connecting to the Kaspersky IoT Secure Gateway 1000 web interface again.

An administrator certificate must be created on a trusted device in a secure environment ensuring that the device has no vulnerabilities and no Internet access.

You can use the OpenSSL tool to create an administrator certificate.

To create an administrator certificate using the OpenSSL tool:

1. In the console, start the OpenSSL tool and run the following command:

   openssl req -x509 -newkey rsa:4096 -keyout cert_key.pem -out cert.pem -days 365 \

   -subj "/C=RU/ST=Moscow/L=Moscow/O=SomeOrganization/OU=SomeUnit/emailAddress=test@example.com/CN=KISGAuthCert" \

   -extensions v3_ca

   where:

   • -x509 – setting that indicates creation of a self-signed certificate. In this case, the standard public key infrastructure of the SSL and TLS protocols is used to manage keys and certificates.
   • -newkey – setting that indicates the need to create a new certificate and a new key at the same time.
   • rsa:4096 – setting that defines the type and length of the key. When this setting is applied, a key will be created using the RSA encryption algorithm with a length of 4096 bits.
   • -keyout cert_key.pem – name of the file where the private key of the created certificate is saved.
   • -out cert.pem – name of the file where the created certificate is saved.
   • -days 365 – this setting defines the validity term of the created administrator certificate.
   • -subj – in this group of settings the following registration information about the company that issued the certificate must be specified:
     • C – country where the company is registered.
     • ST – region where the company is registered.
     • L – city where the company is registered.
     • O – name of the company.
     • OU – name of the organizational unit within the company.
     • emailAddress – company email address.
     • CN – certificate name.
2. Enter and confirm the password for the private certificate key.

   As a result, the following two files are created in the directory where the command was executed:

   • cert.pem – administrator certificate file.
   • cert_key.pem – private key of the administrator certificate.

   The created administrator certificate file cert.pem must be loaded during the first authorization in Kaspersky IoT Secure Gateway 1000 web interface.

3. Run the following command in the console:

   openssl pkcs12 -export -in cert.pem -inkey cert_key.pem -out cert.p12 -name "cert_key"

4. Enter the password that you specified in step 2 of these instructions.

   As a result, the private key file cert.p12 of the administrator certificate is created in the directory where the command was executed.

   The created private key file cert.p12 of the administrator certificate must be added in the browser that you use to connect to the Kaspersky IoT Secure Gateway 1000 web interface. For more details about adding a private key file to your browser, please refer to the relevant documentation on the browser you are using.