These instructions are geared towards Windows users, but are easily adaptable for OSX or Linux users.
In the following instructions, replace 10.20.30.40 with the IP address of your PAC controller.
- Create a directory in which you’ll generate your certificates.
- Customize the OpenSSL configuration file.
  - Copy the default OpenSSL configuration file to your working directory.
    - On Windows, the default location is c:\OpenSSL-Win32\bin\openssl.cfg
    - On Linux, it’s often at /etc/ssl/openssl.cnf
  - Rename the file to include the IP address of the controller, such as openssl.10.20.30.40.cfg.
  - Open your copy of the configuration file in WordPad or any text editor other than Notepad. Even on Windows, the line endings in the configuration file are Unix-style and not usable in Notepad.
  - Search for [ v3_ca ], which is the section that needs an extra setting.
  - Just below the [ v3_ca ] section, add the following line, except use the controller’s IP address instead of 10.20.30.40:
    subjectAltName=IP:10.20.30.40
  - Save the file.
- Generate a self-signed certificate.
  Open a command prompt in the directory you created in step 1, and then enter the following command, being careful to replace the dummy IP addresses with the IP address of your controller.
  "c:\OpenSSL-Win32\bin\openssl.exe" req -nodes -newkey rsa:2048 -keyout privkey.10.20.30.40.key -out cert.10.20.30.40.crt -x509 -days 3650 -config openssl.10.20.30.40.cfg
  Note: The response will ask several questions. Most fields can be left blank, but for Common Name (for example, server FQDN or YOUR name), you must enter the PAC’s IP address.
    Generating a 2048 bit RSA private key
    ...............+++
    ............+++
    writing new private key to 'privkey.192.168.1.121.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:CA
    Locality Name (eg, city) []:Temecula
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:ACME Corp
    Organizational Unit Name (eg, section) []:Engineering
    Common Name (e.g. server FQDN or YOUR name) []:10.20.30.40
    Email Address []:youremail@whatever.com
- Convert the private key to the proper format.
  PAC controllers require the private key in a different format than the default format. It is easily converted with the following command:
  "c:\OpenSSL-Win32\bin\openssl.exe" rsa -in privkey.10.20.30.40.key -out privkey.10.20.30.40.key
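
The manual edit in step 2 (adding subjectAltName under [ v3_ca ]) can also be scripted so the address is validated and the file's line endings are preserved. The following Python is an added example, not part of the original instructions; the names add_ip_san, write_controller_config and SAMPLE_CFG are hypothetical, and SAMPLE_CFG is a constructed stand-in for the default configuration file.

```python
import ipaddress
import re
from pathlib import Path

SECTION_RE = re.compile(r"^\s*\[\s*([^\]\s]+)\s*\]")
SAN_RE = re.compile(r"^\s*subjectAltName\s*=")

# Constructed sample standing in for the default OpenSSL configuration file.
SAMPLE_CFG = (
    "[ req ]\n"
    "x509_extensions = v3_ca\n"
    "\n"
    "[ v3_ca ]\n"
    "subjectKeyIdentifier=hash\n"
    "basicConstraints = CA:true\n"
    "# subjectAltName=email:copy\n"
    "\n"
    "[ crl_ext ]\n"
    "authorityKeyIdentifier=keyid:always\n"
)

def add_ip_san(config_text, ip, section="v3_ca"):
    """Return config_text with subjectAltName=IP:<ip> directly below [ section ]."""
    # Parsing the address rejects typos and stray text before it reaches the file.
    san = "subjectAltName=IP:" + str(ipaddress.IPv4Address(ip))
    eol = "\r\n" if "\r\n" in config_text else "\n"  # keep the file's line endings
    out, in_section, inserted = [], False, False
    for line in config_text.split(eol):
        header = SECTION_RE.match(line)
        if header:
            in_section = header.group(1) == section
            out.append(line)
            if in_section and not inserted:
                out.append(san)
                inserted = True
        elif in_section and SAN_RE.match(line):
            continue  # drop an older active entry so the setting appears once
        else:
            out.append(line)
    if not inserted:
        raise ValueError("section [ %s ] not found" % section)
    return eol.join(out)

def write_controller_config(default_cfg, workdir, ip):
    """Write openssl.<ip>.cfg into workdir from a patched copy of default_cfg."""
    ip = str(ipaddress.IPv4Address(ip))
    with open(default_cfg, newline="") as src:  # newline="" disables translation
        patched = add_ip_san(src.read(), ip)
    dest = Path(workdir) / ("openssl.%s.cfg" % ip)
    with open(dest, "w", newline="") as dst:
        dst.write(patched)
    return dest
```

Running add_ip_san a second time on its own output leaves the file unchanged, and running it with a different address replaces the earlier entry instead of adding a second one.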
Next Step
Continue to Installing the Certificate.