19: Security in Detail
xSenso User Guide
110
through any number of intermediate authorities, ultimately to the agent that needs to prove its
authenticity.
Obtaining Certificates
Signed certificates are typically obtained from well-known CAs, such as VeriSign. This is done by
submitting a certificate request for a CA, typically for a fee. The CA will sign the certificate request,
producing a certificate/key combo: the certificate contains the identity of the owner and the public
key, and the private key is available separately for use by the owner.
As an alternative to acquiring a signed certificate from a CA, you can act as your own CA and
create self-signed certificates. This is often done for testing scenarios, and sometimes for closed
environments where the expense of a CA-signed root certificate is not necessary.
Self-Signed Certificates
A few utilities exist to generate self-signed certificates or sign certificate requests. The xSenso
also has the ability to generate its own self-signed certificate/key combo. You can use XML to
export the certificate in PEM format, but you cannot export the key. Hence the internal certificate
generator can only be used for certificates that are to identify that particular xSenso.
Certificate Formats
Certificates and private keys can be stored in several file formats. Best known are PKCS12, DER
and PEM. Certificate and key can be in the same file or in separate files. Additionally, the key can
be either be encrypted with a password or left in the clear. However, the xSenso currently only
accepts separate PEM files, with the key unencrypted.
Several utilities exist to convert between the formats.
OpenSSL
OpenSSL is a widely used open source set of SSL related command line utilities. It can act as
server or client. It can also generate or sign certificate requests, and can convert from and to
several different of formats.
OpenSSL is available in binary form for Linux and Windows.
To generate a self-signed RSA certificate/key combo:
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout mp_key.pem -
out mp_cert.pem
See
www.openssl.org or www.madboa.com/geek/openssl
for more information.
Note:
Signing other certificate requests is also possible with OpenSSL but the details of
this process are outside the scope of this document.