NTI VEEMUX Series Installation And Operation Manual page 54

NTI VEEMUX HDMI 4K VIDEO MATRIX SWITCH
b. Create the web server certificate signing request using the same fully qualified DNS name (or IP address) you used for
the private key. It is vitally important that you set the Common Name value to the fully qualified DNS name of your web
server because that's the value that a browser client will verify when it receives the web server's certificate.
# openssl req -sha512 -new -key ./server/keys/your_device_fqdn_or_ipaddress.key -
out ./server/requests/your_device_fqdn_or_ipaddress.csr
You are about to be asked to enter information that will be incorporated into your
certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name [US]:US
State or Province Name [OH]:OH
Locality Name []:Aurora
Organization Name [NTI]:NTI
Organizational Unit Name []:
Common Name [NTI CA]:192.168.3.144
Email Address [sales@ntigo.com]:your_name@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
. []:
. []:
c. Create a file defining the Subject Alternative Name. This extension file extensions.ext can be made with any text
editor, and should be added to the /usr/local/ssl/ntiCA directory. This needs to be defined to know for what domains or IP
addresses the certificate will be valid. Add the following lines to the extensions.ext file:
basicConstraints=CA:FALSE
subjectAltName=IP:<ip_address>
Replace "<ip_address>" with the IP address you plan to use to access the device. Other options are available for
specifying this. Below is an example using a DNS:
subjectAltName = DNS:server.example.com
d. Sign the web server certificate with the CA key:
# openssl x509 -req –in server/requests/your_device_fqdn_or_ipaddress.csr -CA
CA/ntiCA.crt -CAkey CA/ntiCA.key –CAcreateserial -out your_device_fqdn_or_ipaddress.pem -
days 1024 -extfile extensions.ext
Signature ok
subject=C = US, ST = OH, L = Aurora, O = NTI, CN = 192.168.3.144, emailAddress =
sales@ntigo.com
Getting CA Private Key
To verify the web server certificate contents, use the following command:
# openssl x509 -in your_device_fqdn_or_ipaddress.pem -text
Key values to look for are:
Subject CN=192.168.3.144
Issuer CN=NTI CA
3. Uploading a Self-Signed Certificate Authority to a VEEMUX Device
You should import the "ntiCA.crt" file located in the /usr/local/ssl/ntiCA/CA directory that is generated using this procedure into
the VEEMUX. To import this file into the VEEMUX, you must log into its web interface.
On the VEEMUX Web Interface menu Under "Administration" select "Network". In X509 certificates, select "Choose File",
select the CA certificate file ntiCA.crt, and click "Upload CA certificate".
(indicated by the characters "[ ]")
50