
1. Update and Download the Certificate Signing Request (CSR)

  1. In groov Manage navigate to the security menu and open Server SSL. Select Create Certificate under Certificate Management and fill in the details.
    • This is especially important if you have changed the EPIC hostname: the certificate hostname must exactly match the hostname used to access the device.
      (e.g. foo.opto22.com if accessed via a fully qualified host name, or foo if accessed via host name only, without the domain name. Another option is to create a wildcard certificate *.opto22.com that can be installed on all devices accessed via a fully qualified hostname in opto22.com. This way you only have to sign one certificate and then install that same certificate and matching private key on all devices. Keep in mind that sharing one private key means a key compromised on any one device is compromised for all of them.)
  2. As well as updating the hostname, creating a new certificate gives you the opportunity to change the key length and expiration. While the only required fields are hostname and country code (US for the United States), you may also want to associate the SSL server with your organization, department, city, state, and country. Once everything is filled in, click Create in the top right.

  3. Choose the option to download CSR.

2. Create the Certificate Authority (CA) Certificate and Signing Key

Linux and Apple Systems

On Linux or Apple systems you can simply use the OpenSSL command line tool to create your local CA.

  1. openssl genrsa -des3 -out CA.key 2048
    • This command generates the CA private key file CA.key. You may choose a different filename, but take care of this file! (On current OpenSSL versions -aes256 is a stronger choice than -des3 for protecting the key.)
    • Anyone who gets hold of the key file can create and sign certificates that will be trusted by every client on which the associated CA certificate is installed. Keep it secret, keep it safe.
    • It will prompt you for a password to protect the key; keep a secure record of this password, since you will need it in order to sign additional requests later.
  2. openssl req -x509 -new -nodes -key CA.key -sha256 -days 3650 -out CA.pem
    • This creates the CA certificate file CA.pem associated with your key (you will be prompted for the key password and for the subject details). This file will be installed on all clients that will connect securely to your groov EPIC.
  3. openssl x509 -req -in csr.pem -CA CA.pem -CAkey CA.key -CAcreateserial -out opto.crt -days 3650 -sha256 -extfile opto.ext
    • To sign your CSR you must provide the CA certificate and key (CA.pem and CA.key in this example), an output certificate filename (opto.crt here), and an extension file that is specific to your device. The extension file sets the Subject Alternative Name (SAN), which must match your device's hostname from step 1 exactly; browsers validate the hostname against the SAN, not the subject's common name. Use this opto.ext file as a template for your extension file, and be sure to update the DNS entry under [alt_names].
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

# Section referenced by subjectAltName above; OpenSSL rejects the file without it.
[alt_names]
DNS.1 = opto-01-02-03
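The three OpenSSL steps above as one script, added here as an example that is not part of the original guide: it builds the CA, generates opto.ext from the hostname, signs the CSR and then verifies the result before you install it. It assumes openssl on the PATH and the CA passphrase supplied in the CA_PASS environment variable; fake_device_csr is a constructed stand-in for the csr.pem downloaded from groov Manage.

```shell
# Added example, not from the guide: CA + CSR signing. Assumes openssl on PATH, passphrase in $CA_PASS.
set -eu

# Steps 1 and 2: passphrase-protected CA private key and self-signed CA certificate.
make_ca() {            # $1 = CA directory
  mkdir -p "$1"
  openssl genrsa -aes256 -passout env:CA_PASS -out "$1/CA.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$1/CA.key" -passin env:CA_PASS -sha256 -days 3650 \
    -subj "/C=US/O=Example Local CA/CN=Example Local CA" -out "$1/CA.pem"
}

# Extension file for the device: the SAN must equal the hostname used to reach the EPIC.
write_ext() {          # $1 = CA directory, $2 = hostname
  cat > "$1/opto.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = $2
EOF
}

# Step 3: sign the downloaded CSR; prints the path of the signed certificate.
sign_csr() {           # $1 = CA directory, $2 = csr.pem, $3 = hostname
  write_ext "$1" "$3"
  openssl x509 -req -in "$2" -CA "$1/CA.pem" -CAkey "$1/CA.key" -passin env:CA_PASS \
    -CAcreateserial -days 3650 -sha256 -extfile "$1/opto.ext" -out "$1/opto.crt" 2>/dev/null
  echo "$1/opto.crt"
}

# Pre-install check: the cert chains to CA.pem and its SAN carries exactly this hostname.
verify_cert() {        # $1 = CA directory, $2 = certificate, $3 = hostname
  openssl verify -CAfile "$1/CA.pem" "$2" >/dev/null &&
    openssl x509 -in "$2" -noout -text | grep -qE "DNS:$3(,|\$)"
}

# Constructed stand-in for the CSR downloaded from groov Manage (test use only).
fake_device_csr() {    # $1 = work directory, $2 = hostname; prints the CSR path
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/device.key" \
    -subj "/C=US/CN=$2" -out "$1/csr.pem" 2>/dev/null
  echo "$1/csr.pem"
}

# Stand-alone use:  CA_PASS=... sh make_ca.sh run csr.pem <hostname>
if [ "${1:-}" = run ]; then
  make_ca ./local-ca; crt=$(sign_csr ./local-ca "$2" "$3")
  verify_cert ./local-ca "$crt" "$3" && echo "signed and verified: $crt"
fi
```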

Windows Systems

On Windows systems you may either find an OpenSSL toolkit for Windows and use the commands above, or use an alternative: X - Certificate and Key management (XCA) is a Windows program that can create a certificate authority and sign certificates through a graphical user interface.

  1. Download and install XCA.
  2. In the file menu choose the option to create a new database to hold this data, and set a password. Make sure you keep a secure record of this password since you will need it in order to sign additional requests later.
  3. Go into settings under File > Options and change the default hash algorithm to SHA-256.
  4. Select the Certificates tab, then choose New Certificate on the right hand side.
    • In the Source tab set the signing option to “create a self-signed certificate”, make sure that the signature algorithm defaults to SHA-256, then select [default] CA as the certificate template and click Apply extensions.
    • In the Subject tab fill in the property names you want associated with your Certificate Authority. This key will be responsible for signing both the client and server certificates, so keep that in mind. Once everything is filled in, choose Generate a new key. In the following popup the default RSA key type and 2048 bit key size are likely what you want.
    • In the Extensions tab you can change the time range. I recommend consulting with IT about this number, but I chose to set mine for 10 years.
    • Click OK to create your local root CA.
  5. Select the Certificate signing requests tab and choose Import on the right hand side.
    • Navigate to the csr.pem file downloaded from the PR1 and open it.
    • It should be added to the list on this tab; right click it and select Sign.
    • In the Source tab set the signing option to “use this certificate for signing” and choose the CA you just made. Set the template for the new certificate to [default] HTTPS_Server and apply extensions; this will handle the Subject Alternative Name (SAN) for you!
    • In the Extensions tab you again have the option to set the time range for the certificate. With that done, hit OK to create your signed certificate.
  6. Select the Certificates tab and left click on your local CA to expand it.
    • With the CA still selected, choose Export on the right and set the export format to PEM (*.crt).
    • Select the signed server certificate and then choose Export on the right. Set the export format for this file to PEM chain (*.pem).
  7. A quirk with this method is that it puts two certificates in the server *.pem file (the server certificate followed by a copy of the CA certificate). Open it in a text editor and remove the second certificate, from its -----BEGIN CERTIFICATE----- line to the end of the document. Make sure you delete exactly one complete block, so that the first certificate still ends with its full -----END CERTIFICATE----- line (five dashes on each side). Save the changes.
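The manual edit in step 7 is easy to get wrong. As an added example that is not part of the original guide, this POSIX shell snippet keeps only the first certificate block of the exported chain (normalising Windows CRLF line endings on the way) and counts the blocks so you can confirm exactly one remains:

```shell
# Added example, not from the guide: trim the XCA "PEM chain" export to its first certificate.
set -eu

# Print only the first PEM certificate block (the server cert); the CA copy after it is dropped.
# CR characters from a Windows-edited file are stripped so the anchors match.
first_cert() {         # $1 = exported *.pem chain file
  awk '{ sub(/\r$/, "") }
       /^-----BEGIN CERTIFICATE-----$/ { n++ }
       n == 1 { print }
       /^-----END CERTIFICATE-----$/ && n == 1 { exit }' "$1"
}

# Number of certificate blocks in a PEM file; the trimmed file should report 1.
cert_count() {         # $1 = PEM file
  grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Stand-alone use: sh trim_chain.sh run server-chain.pem > server.pem
if [ "${1:-}" = run ]; then
  first_cert "$2"
fi
```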


Next steps

Continue to Add certificates to system / browser and SSL server (steps 3, 4, & 5) or go back to the procedure overview
