
CoAPs

Devices can use secure CoAPs connections to the backend. To use CoAPs, a certificate signed by Lobaro is required.


The setup consists of the following steps:

  1. Create a Certificate Signing Request (CSR)
  2. Request a Certificate from Lobaro
  3. Install the signed Certificate in the Platform


Create a Certificate Signing Request (CSR)

Create Private Key

The key must be created on the Platform server and should never leave that system.

openssl ecparam -name prime256v1 -genkey -noout -out platform.key

Do not send the resulting private key file platform.key to anyone.

Create CSR

The following files need to be created next to the platform.key file.

Create a file named csr-settings.sh with the following content:

csr-settings.sh
# Settings file for CSR
# Adjust according to server.

# C: Country, 2 letter code, upper case. examples: "DE", "BG", "CH"
export C="DE"
# ST: State or Province Name, e.g. "Hamburg", "Maryland", "Zug"
export ST="Hamburg"
# O: Organisation, e.g.: "Lobaro GmbH", "Example Corp."
export O="Lobaro GmbH"
# CN: Common Name, the Domain the platform runs on, e.g., "platform.lobaro.com"
# Can also be an IP address (only do this in secure environments where the IP will never change, e.g. in your VPN)
export CN="backend.lobaro.com"

Create a file named locert-csr.sh with the following content:

#!/bin/bash

# abort on any error
set -e

# name of the private key file:
KEY="platform.key"
# name of the file the CSR settings are put:
SETTINGS="csr-settings.sh"

# print a message and stop with a non-zero exit status
function abort {
  echo "Abort."
  exit 1
}

# check if key exists
if [[ ! -f "$KEY" ]]; then
  echo "Key file '$KEY' missing."
  echo "run 'openssl ecparam -name prime256v1 -genkey -noout -out $KEY' to create key."
  echo "run 'openssl ecparam -name prime256v1 -genkey -noout | openssl ec -aes256 -out $KEY' to create encrypted key."
  abort
fi

# check if key is key
if [[ $(file -b "$KEY") != "PEM EC private key" ]]; then
  echo "Key file '$KEY' does not seem to be EC private key."
  abort
fi

# if settings file is missing
if [[ ! -f "$SETTINGS" ]]; then
  echo "csr-settings missing, please create '${SETTINGS}'"
  exit 1
fi

echo "loading CSR settings from ${SETTINGS}"
. "./${SETTINGS}"

# verify settings
GOOD=1
if [[ ! $C =~ ^[A-Z]{2}$ ]]; then
  echo "C must be two upper case letters."
  GOOD=0
fi
if [[ ! $ST =~ ^[^/=]+$ ]]; then
  echo "ST is invalid."
  GOOD=0
fi
if [[ ! $O =~ ^[^/=]+$ ]]; then
  echo "O is invalid."
  GOOD=0
fi
# every label may contain hyphens, e.g. "platform.my-company.com"
if [[ ! $CN =~ ^[a-z0-9-]+(\.[a-z0-9-]+)+$ ]]; then
  echo "CN is invalid. '${CN}'"
  GOOD=0
fi
if [[ $GOOD != 1 ]]; then
  echo "Please fix ${SETTINGS}."
  abort
fi

# Prepare CSR
SUBJ="/C=${C}/ST=${ST}/O=${O}/CN=${CN}"
echo "Subject is '${SUBJ}'"
CSR="${CN}.csr"

# Generate CSR
echo "Generating CSR in ${CSR}."
openssl req -new -key "${KEY}" -sha256 -subj "${SUBJ}" -out "${CSR}"


  • Execute locert-csr.sh
  • Send the created *.csr to Lobaro.
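
Before sending, the CSR can be checked against the key and settings it was created from. The following script is an added example, not part of Lobaro's tooling; the function name check_csr and the file name check-csr.sh are hypothetical, and it assumes the key is unencrypted (otherwise openssl asks for the passphrase).

```shell
#!/bin/bash
# Added example, not part of Lobaro's tooling.
# Usage: ./check-csr.sh backend.lobaro.com.csr platform.key backend.lobaro.com

check_csr() {
  local csr="$1" key="$2" want_cn="$3" text cn

  # The file that gets mailed must not contain private key material.
  if grep -q "PRIVATE KEY" "$csr"; then
    echo "'$csr' contains a private key. Do not send it." >&2; return 1
  fi

  # The CSR's self-signature must verify. Match the "verify OK" message
  # instead of relying on the exit status alone.
  if ! openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK"; then
    echo "CSR signature does not verify." >&2; return 1
  fi

  # The CSR must carry the public half of this server's key.
  if [ "$(openssl req -in "$csr" -noout -pubkey)" != \
       "$(openssl pkey -in "$key" -pubout)" ]; then
    echo "CSR was not created from '$key'." >&2; return 1
  fi

  # Parameters used on this page: curve prime256v1, SHA-256 signature.
  text="$(openssl req -in "$csr" -noout -text)"
  if ! printf '%s\n' "$text" | grep -q "ASN1 OID: prime256v1"; then
    echo "Key is not on curve prime256v1." >&2; return 1
  fi
  if ! printf '%s\n' "$text" | grep -q "Signature Algorithm: ecdsa-with-SHA256"; then
    echo "CSR is not signed with ECDSA/SHA-256." >&2; return 1
  fi

  # The CN must be the host name from csr-settings.sh.
  cn="$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 |
        tr ',' '\n' | sed -n -e 's/^subject= *//' -e 's/^CN=//p')"
  if [ "$cn" != "$want_cn" ]; then
    echo "CN is '$cn', expected '$want_cn'." >&2; return 1
  fi

  echo "CSR '$csr' matches '$key' and is ready to send."
}

# Run the check when called with the three arguments shown above.
if [ "$#" -eq 3 ]; then check_csr "$@"; fi
```
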


Request Certificate from Lobaro

Send the CSR to support@lobaro.de to receive a valid certificate for your Server.


Install the signed Certificate in the Platform

Not yet documented. We are happy to help you out via mail and phone.

