...

Warning

Do not send the resulting private key file platform.key to anyone.

Create CSR

The following files need to be created next to the platform.key file.

Create a file named csr-settings.sh with the following content:

Code Block: csr-settings.sh
# Settings file for CSR
# Adjust according to server.

# C: Country, 2 letter code, upper case. examples: "DE", "BG", "CH"
export C="DE"
# ST: State or Province Name, e.g. "Hamburg", "Maryland", "Zug"
export ST="Hamburg"
# O: Organisation, e.g.: "Lobaro GmbH", "Example Corp."
export O="Lobaro GmbH"
# CN: Common Name, the Domain the platform runs on, e.g., "platform.lobaro.com"
# Can also be an IP address (only do this in secure environments where the IP will never change, e.g. in your VPN)
export CN="backend.lobaro.com"

Create a file named locert-csr.sh with the following content:

Code Block
#!/bin/bash

# abort on any error
set -e

# name of the private key file:
KEY="platform.key"
# name of the file the CSR settings are put:
SETTINGS="csr-settings.sh"

# print a message and stop with a non-zero exit code so callers notice the failure
function abort {
  echo "Abort."
  exit 1
}

# check if key exists
if [[ ! -f "$KEY" ]]; then
  echo "Key file '$KEY' missing."
  echo "run 'openssl ecparam -name prime256v1 -genkey -noout -out $KEY' to create key."
  echo "run 'openssl ecparam -name prime256v1 -genkey -noout | openssl ec -aes256 -out $KEY' to create encrypted key."
  abort
fi

# check that the key file really is an EC private key
if [[ $(file -b "$KEY") != "PEM EC private key" ]]; then
  echo "Key file '$KEY' does not seem to be EC private key."
  abort
fi

# stop if the settings file is missing
if [[ ! -f "$SETTINGS" ]]; then
  echo "csr-settings missing, please create '${SETTINGS}'."
  exit 1
fi

echo "loading CSR settings from ${SETTINGS}"
. "./${SETTINGS}"

# verify settings
GOOD=1
if [[ ! $C =~ ^[A-Z]{2}$ ]]; then
  echo "C must be two upper case letters."
  GOOD=0
fi
if [[ ! $ST =~ ^[^/=]+$ ]]; then
  echo "ST is invalid."
  GOOD=0
fi
if [[ ! $O =~ ^[^/=]+$ ]]; then
  echo "O is invalid."
  GOOD=0
fi
# CN: lower case host name (hyphens allowed in every label) or an IPv4 address
if [[ ! $CN =~ ^[a-z0-9-]+(\.[a-z0-9-]+)+$ ]]; then
  echo "CN is invalid. '${CN}'"
  GOOD=0
fi
if [[ $GOOD != 1 ]]; then
  echo "Please fix ${SETTINGS}."
  abort
fi

# Prepare CSR
SUBJ="/C=${C}/ST=${ST}/O=${O}/CN=${CN}"
echo "Subject is '${SUBJ}'"
CSR="${CN}.csr"

# Generate CSR
echo "Generating CSR in ${CSR}."
openssl req -new -key "${KEY}" -sha256 -subj "${SUBJ}" -out "${CSR}"

Option a)

Update the "-subj" parameter according to your server and organisation.

  • C is Country Name: e.g. C=DE
  • ST is State or Province Name (full name): e.g. ST=Hamburg
  • O is Organization Name (eg, company): e.g. O=Lobaro GmbH
  • CN is Common Name (e.g. server FQDN or YOUR name): e.g. CN=up.lobaro.com
    • The CN must match your domain that is configured in the devices. It can also be an IP address.


Code Block
openssl req -new -key platform.key -sha256 -subj "/C=DE/ST=Hamburg/O=Lobaro GmbH/CN=backend.lobaro.de" -out "platform.csr"

Verify your request with:

Code Block
openssl req -in platform.csr -text
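
The manual inspection above can also be done as explicit checks before the CSR leaves the machine. This is an added example, not part of the original page or of Lobaro's tooling: the function name check_csr and the file name check-csr.sh are assumptions, and it expects an unencrypted key (with an encrypted key openssl asks for the passphrase).

```bash
#!/bin/bash
# Added example: sanity checks on a CSR before it is sent off.
# check_csr is a hypothetical helper, not part of the original scripts.
# Usage: ./check-csr.sh platform.key platform.csr backend.lobaro.de

# SHA-256 over the DER encoding of a PEM public key read from stdin.
pub_fingerprint() {
  openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256
}

check_csr() {
  key="$1"; csr="$2"; expected_cn="$3"

  # 1. The self-signature shows the CSR was signed with the matching private key.
  #    The wording differs between OpenSSL versions; all contain "verify OK".
  if ! openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK"; then
    echo "CSR self-signature does not verify." >&2; return 1
  fi

  # 2. The public key in the CSR must belong to our private key.
  csr_fp=$(openssl req -in "$csr" -noout -pubkey | pub_fingerprint)
  key_fp=$(openssl pkey -in "$key" -pubout | pub_fingerprint)
  if [ -z "$csr_fp" ] || [ "$csr_fp" != "$key_fp" ]; then
    echo "CSR was not created from '$key'." >&2; return 1
  fi

  # 3. The key must be on the curve used by the key generation commands.
  if ! openssl req -in "$csr" -noout -text | grep -q "ASN1 OID: prime256v1"; then
    echo "Public key is not on prime256v1." >&2; return 1
  fi

  # 4. The CN must be exactly the name configured in the devices.
  #    RFC2253 output lists the subject in reverse order, so CN comes first.
  cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 |
       sed -n 's/^subject= *CN=\([^,]*\).*/\1/p')
  if [ "$cn" != "$expected_cn" ]; then
    echo "CN is '$cn', expected '$expected_cn'." >&2; return 1
  fi

  echo "CSR '$csr' OK for CN '$expected_cn'."
}

# Run only when called with arguments, so the file can also be sourced.
if [ "$#" -eq 3 ]; then
  check_csr "$@"
fi
```

Only the CSR is read for checks 1, 3 and 4; the private key is used locally for check 2 and never appears in the output.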

...

Request Certificate from Lobaro

...