SSL Certificates
HTTPS and SSL are used to create an encrypted and secure connection to the PAC Control REST API on a SNAP PAC controller. To use these technologies, you must create and install certificates. You can easily create your own certificates using the OpenSSL command-line tool.
Creating Self-Signed Certificates
The simplest approach is to use a self-signed certificate. You must do this for each SNAP PAC controller, as the keys and certificates must be unique to each IP address.
In the following instructions, a placeholder IP address of 10.20.30.40 is used, but should always be replaced with the IP address of the SNAP PAC controller.
The instructions are geared towards Windows users, but are easily adapted to OSX or Linux users.
- Create a directory in which you’ll create your certificates.
- Customize the OpenSSL configuration file.
Note: To use a static IP address, Node-RED requires an additional setting that can be created only by modifying the OpenSSL configuration file. Most clients do not require this, but the Node.js platform is more stringent and closely follows the relevant specifications.
  - Copy the default OpenSSL configuration file to your working directory.
    - On Windows, the default location is c:\OpenSSL-Win32\bin\openssl.cfg
    - On Linux, it’s often at /etc/ssl/openssl.cnf
  - Rename the file to include the IP address of the controller, such as openssl.10.20.30.40.cfg.
  - Open your copy of the configuration file in WordPad or any text editor other than Notepad. Even on Windows, the line endings in the configuration file are Unix-style and not usable in Notepad.
  - Search for [ v3_ca ], which is the section that needs an extra setting.
  - Just below the [ v3_ca ] section heading, add the following line, except use the controller’s IP address instead of 10.20.30.40:
    subjectAltName=IP:10.20.30.40
  - Save the file.
- Generate a self-signed certificate.
From a command line, enter the following command, being careful to replace all the IP addresses with the specific one for your SNAP PAC controller.
"c:\OpenSSL-Win32\bin\openssl.exe" req -nodes -newkey rsa:2048 -keyout privkey.10.20.30.40.key -out cert.10.20.30.40.crt -x509 -days 3650 -config openssl.10.20.30.40.cfg
This command will ask you several questions, as shown below. Most fields can be left blank, but you must correctly enter the SNAP PAC’s IP address for Common Name (e.g. server FQDN or YOUR name), as shown at the Common Name prompt in the output below.
    Generating a 2048 bit RSA private key
    ...............+++
    ............+++
    writing new private key to 'privkey.192.168.1.121.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:CA
    Locality Name (eg, city) []:Temecula
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:ACME Corp
    Organizational Unit Name (eg, section) []:Engineering
    Common Name (e.g. server FQDN or YOUR name) []:10.20.30.40
    Email Address []:youremail@whatever.com
- Convert the private key to the proper format.
SNAP PAC controllers require the private key in a different format than the default format. It is easily converted with the following instruction:
"c:\OpenSSL-Win32\bin\openssl.exe" rsa -in privkey.10.20.30.40.key -out privkey.10.20.30.40.key
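The note in the configuration step says Node.js is stricter than most clients about the subjectAltName setting. The following is an added example, not part of the original instructions: it runs Node's tls.checkServerIdentity over constructed certificate objects to show which certificates a Node-RED client accepts for 10.20.30.40. The helper name checkControllerCert and the sample objects are assumptions made for illustration.

```javascript
// Added example: how Node.js (and so Node-RED) matches an IP address against a
// server certificate. The certificate objects are constructed samples in the
// shape returned by tlsSocket.getPeerCertificate(); none comes from a real device.
const tls = require('tls');

const CONTROLLER_IP = '10.20.30.40'; // placeholder address used in these instructions

// Hypothetical helper: reports whether Node would accept `cert` for `ip`.
function checkControllerCert(ip, cert) {
  // Node exposes the SAN extension as one string, e.g. "IP Address:10.20.30.40".
  const sanIPs = (cert.subjectaltname || '')
    .split(', ')
    .filter((entry) => entry.startsWith('IP Address:'))
    .map((entry) => entry.slice('IP Address:'.length));
  // Returns undefined when the identity matches, an Error object otherwise.
  const err = tls.checkServerIdentity(ip, cert);
  return { ok: err === undefined, sanIPs, reason: err ? err.message : null };
}

const samples = {
  // Common Name only: what you get without the subjectAltName line.
  cnOnly: { subject: { CN: '10.20.30.40' } },
  // subjectAltName=IP:10.20.30.40, as added to [ v3_ca ] above.
  sanIp: { subject: { CN: '10.20.30.40' }, subjectaltname: 'IP Address:10.20.30.40' },
  // Address entered as a DNS name instead of an IP entry.
  sanDns: { subject: { CN: '10.20.30.40' }, subjectaltname: 'DNS:10.20.30.40' },
  // Certificate made for a different controller.
  otherController: { subject: { CN: '10.20.30.41' }, subjectaltname: 'IP Address:10.20.30.41' },
};

function runSamples() {
  const results = {};
  for (const [name, cert] of Object.entries(samples)) {
    results[name] = checkControllerCert(CONTROLLER_IP, cert);
  }
  return results;
}

console.log(runSamples());
```

Only the sanIp sample passes: when the target is an IP address, Node compares it with the certificate's IP Address entries and ignores the Common Name.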
Next Step
Continue to installing the certificates.