Raritan Dominion KX III User Manual page 220

Appendix E: Certificate Requirements
In FIPS mode, the check may also work with IP addresses and a
hostname SAN in the certificate.
Notes about self-signed certificates from KX:
Before KX 3.5, self-signed certificates had the CA flag set. In KX 3.5 or
newer, the CA flag is not set. A self-signed certificate created with KX 3.5
will pass the certificate check even if it has already expired. In general,
the use of self-signed certificates is discouraged.
Examples
OpenSSL's command-line tool openssl can be used to create suitable
certificates.
Sign a KX3-CSR (Certificate Signing Request) with a CA (Certification
Authority):
openssl x509 -req -days 365 -in kx3.csr -CA ca/root-ca.crt \
    -CAkey ca/root-ca.key -set_serial 01 \
    -extfile v3.ext -out kx3-by-root-ca.crt
with the following meanings:
kx3.csr: the KX3-CSR file
ca/root-ca.crt: the CA's certificate file
ca/root-ca.key: the CA's private key file
v3.ext: the extensions definition file with the following content:
authorityKeyIdentifier=keyid,issuer
subjectKeyIdentifier=hash
basicConstraints=CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = serverAuth, clientAuth
A certificate created in this way will contain an extension section like
the following:
X509v3 extensions:
    X509v3 Authority Key Identifier:
        keyid:F3:E0:95:4D:E6:3F:7E:2D:F9:F1:5F:3D:4B:AC:13:D1:B9:ED:6C:1A
    X509v3 Subject Key Identifier:
        30:99:CB:3A:DA:38:B4:94:09:ED:EF:AE:53:AC:C5:21:1B:73:91:B9
    X509v3 Basic Constraints:
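
As an added example (not part of the Raritan manual), the shell function below checks the text printed by openssl x509 -noout -text against the extensions set in v3.ext, so a CA:TRUE flag or a missing key usage is caught before the certificate is installed. The function names and the sample text are constructed for illustration; the usage names are the ones OpenSSL prints in its text output.

```shell
#!/bin/sh
# Added example: check `openssl x509 -noout -text` output against the v3.ext
# profile. Typical use (file name taken from the page):
#   openssl x509 -in kx3-by-root-ca.crt -noout -text | check_kx_ext

# ext_field NAME: print "<flags>|<value>" for the extension "X509v3 NAME:".
ext_field() {
    awk -v name="X509v3 $1:" '
        grab { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); print flags "|" $0; exit }
        (i = index($0, name)) { flags = substr($0, i + length(name))
                                gsub(/[ \t]/, "", flags); grab = 1 }'
}

# check_kx_ext: read certificate text on stdin; return 0 only if every
# extension set in v3.ext is present with the expected value.
check_kx_ext() {
    text=$(cat); rc=0
    bc=$(printf '%s\n' "$text" | ext_field "Basic Constraints")
    ku=$(printf '%s\n' "$text" | ext_field "Key Usage")
    eku=$(printf '%s\n' "$text" | ext_field "Extended Key Usage")
    case "$bc" in *"|CA:FALSE"*) ;; *) echo "FAIL basicConstraints: ${bc:-missing}"; rc=1 ;; esac
    case "$ku" in "critical|"*) ;; *) echo "FAIL keyUsage is not critical"; rc=1 ;; esac
    for u in "Digital Signature" "Key Encipherment" "Key Agreement"; do
        case "$ku" in *"$u"*) ;; *) echo "FAIL keyUsage lacks: $u"; rc=1 ;; esac
    done
    for u in "TLS Web Server Authentication" "TLS Web Client Authentication"; do
        case "$eku" in *"$u"*) ;; *) echo "FAIL extendedKeyUsage lacks: $u"; rc=1 ;; esac
    done
    return $rc
}

# Constructed sample of an extension section (not output from a real device).
sample_ext_text() {
    cat <<'EOF'
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
EOF
}

sample_ext_text | check_kx_ext && echo "sample matches the v3.ext profile"
```

The check covers only the extensions; the signature chain can be checked separately with openssl verify -CAfile ca/root-ca.crt kx3-by-root-ca.crt.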
