Scenario 3: Self-Signed Device Certificates; Chapter 8 - Siemens SR640XA User Manual

Generating ssh keys and ssl certificates using windows

RUGGEDCOM
Application Note
3. Update the other parameters with relevant values.

4. Save and close the file.

5. Open the file device_data.txt in a text editor and replace the current content with a list of addresses (one per line) for devices for which certificates are to be generated. The script will take the list of addresses and use them as the Common Name parameter in the Distinguished name field (i.e. the Subject Identifier in an X.509 certificate). The script can take both IP addresses and DNS names for the switches. The list must have some addresses for the script to generate certificates.

NOTE
Setting the Common Name (IP address/DNS address) correctly will make sure browsers do not complain about the certificate Common Name not matching the URL. The switch or router will also have to be accessed using the DNS name or the IP address that was provided in device_data.txt. Configuring an IP address for the Common Name and then accessing the unit with a DNS name (or vice versa) will cause the browser to complain.

6. Save and close the file.

NOTE
For Windows XP, scripts should be launched through the command prompt in the same order as described in this procedure.

7. Double-click the script 02_ssl_device_certgen.vbs to generate a certificate signing request for each device listed in device_data.txt. When the script asks if the certificates need to be self-signed, click No. The SSL_certs folder now has both keys and Certificate Signing Requests for the ROS/ROX devices. The CSRs need to be exported to and signed by the organizational CA.

8. Generate certificates from the Certificate Signing Requests. For more information, refer to Chapter 8, Generating a Certificate from a Certificate Request in Windows 2008 CA.

9. Copy the certificates issued by the CA to the SSL_certs folder.

10. Double-click the script 03_ssl_formatting.vbs to convert the certificates into PEM format and clean up any files that were created by the scripts. The finished certificates are available in the SSL_certs folder and named according to their associated device, as defined in device_data.txt.

11. Upload the certificates to their respective devices. For more information about uploading the certificates, refer to the User Guide for the device.

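A check that can be run before the upload in step 11, given here as an added example (it is not part of the Siemens application note or its scripts): the PowerShell script below reads every PEM certificate in SSL_certs, compares its Common Name with the entries in device_data.txt, and reports whether each certificate is self-signed and when it expires. It assumes Windows PowerShell 5.1 or later and that it is run from the folder containing device_data.txt and SSL_certs; the parameter names are hypothetical.

```powershell
# Added example: audit the finished certificates before uploading them.
# Assumption: run from the folder that holds device_data.txt and SSL_certs.
param(
    [string]$DeviceList = '.\device_data.txt',   # hypothetical parameter name
    [string]$CertFolder = '.\SSL_certs'          # hypothetical parameter name
)

# Addresses the certificates were requested for (one per line, blanks ignored).
$expected = @(Get-Content $DeviceList | ForEach-Object { $_.Trim() } | Where-Object { $_ })

# First PEM certificate block in a file; also works if the file holds a key too.
$pemBlock = '(?s)-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----'
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$seen     = @{}   # PowerShell hashtables compare keys case-insensitively

foreach ($file in Get-ChildItem -Path $CertFolder -File) {
    $text = Get-Content -Raw -Path $file.FullName
    if ($text -notmatch $pemBlock) { continue }   # key, CSR or non-PEM file

    try {
        $der  = [Convert]::FromBase64String(($Matches[1] -replace '\s', ''))
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    } catch {
        Write-Warning "$($file.Name): certificate block could not be parsed"
        continue
    }

    # SimpleName returns the subject CN when one is present.
    $cn = $cert.GetNameInfo($nameType, $false)
    $seen[$cn] = $true

    [pscustomobject]@{
        File         = $file.Name
        CommonName   = $cn
        InDeviceList = $expected -contains $cn          # must match the address users will browse to
        SelfSigned   = $cert.Subject -eq $cert.Issuer   # should be False for CA-signed certificates
        NotAfter     = $cert.NotAfter
    }
}

# Devices listed in device_data.txt that have no matching certificate.
$expected | Where-Object { -not $seen.ContainsKey($_) } |
    ForEach-Object { Write-Warning "No certificate with Common Name '$_' found in $CertFolder" }
```

A row with InDeviceList set to False points to the Common Name mismatch described in the NOTE under step 5; a row with SelfSigned set to True means the certificate was not issued by the organizational CA.
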
Section 4.3

Scenario 3: Self-Signed Device Certificates

In this scenario, each device certificate is self-signed. If a CA has not been established in the organization, or a Root CA on the host computer is not desirable, perform the following steps to generate self-signed device certificates.
NOTE
It is recommended to get the certificates for each device signed by a trusted Certificate Authority.
Chapter 4: Using Scripts to Create SSL Certificates

This manual is also suitable for: SR650XA, SR660XA, ROS, ROX
