SSL Certificates

HTTPS and SSL are used to create an encrypted and secure connection to a controller’s REST API. To use these technologies, you must create and install certificates. You can easily create your own certificates using the OpenSSL command-line tool

Creating Self-Signed Certificates

The simplest approach is to use a self-signed certificate. You must do this for each PAC controller, as the keys and certificates must be unique to each IP address.

In the following instructions, a placeholder IP address of 10.20.30.40 is used, but should always be replaced with the IP address of the PAC controller.

The instructions are geared towards Windows users, but are easily adapted to OSX or Linux users.

  1. Create a directory in which you’ll create your certificates.
  2. Customize the OpenSSL configuration file.

    1. Copy the default OpenSSL configuration file to your working directory.
      • On Windows, the default location is c:\OpenSSL-Win32\bin\openssl.cfg
      • On Linux, it’s often at /etc/ssl/openssl.cnf
    2. Rename the file to include the IP address of the controller, such as openssl.10.20.30.40.cfg.
    3. Open your copy of the configuration file in WordPad or any text editor other than Notepad. Even on Windows, the line endings in the configuration file are Unix-style and not usable in Notepad.
    4. Search for [ v3_ca ], which is the section that needs an extra setting.
    5. Just below the [ v3_ca ] section, add the following line, except use the controller’s IP address instead of 10.20.30.40:
      subjectAltName=IP:10.20.30.40
      
    6. Save the file
  3. Generate a self-signed certificate.

    From a command line, enter the following command, being careful to replace all the IP addresses with the specific one for your PAC controller.

    "c:\OpenSSL-Win32\bin\openssl.exe" req -nodes -newkey rsa:2048 -keyout privkey.10.20.30.40.key -out cert.10.20.30.40.crt -x509 -days 3650 -config openssl.10.20.30.40.cfg
    

    This command will ask you several questions, as shown below. Most fields can be left blank, but you must correctly enter the PAC’s IP address for Common Name (e.g. server FQDN or YOUR name), as shown in green below.

    Generating a 2048 bit RSA private key
    ...............+++
    ............+++
    writing new private key to 'privkey.192.168.1.121.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:CA
    Locality Name (eg, city) []:Temecula
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:ACME Corp
    Organizational Unit Name (eg, section) []:Engineering
    Common Name (e.g. server FQDN or YOUR name) []:10.20.30.40
    Email Address []:youremail@whatever.com
    
  4. Convert the private key to the proper format.

    PAC controllers require the private key in a different format than the default format. It is easily converted with the following instruction:

    "c:\OpenSSL-Win32\bin\openssl.exe" rsa -in privkey.10.20.30.40.key -out privkey.10.20.30.40.key
    

Next Step

Continue to installing the certificates.