Generating an appliance certificate

Each appliance should have a valid X.509 version 3 identity certificate in PEM format with an unencrypted key. This certificate can be generated using a variety of tools. Below is a simple procedure using OpenSSL to generate a private key and CA that can be used for your appliance.

This section assumes that you are familiar with OpenSSL and have a working OpenSSL installation.

The following OpenSSL statement creates a 2048-bit RSA private key with a password of 1234:

openssl genrsa -passout pass:1234 -des3 -out CA_key_password.pem 2048

You must supply a password, as OpenSSL does not allow the creation of a private key without one. You can then strip the password from the key as follows:

openssl rsa -in CA_key_password.pem -passin pass:1234 -out CA_key.pem

This also renames the private key file from CA_key_password.pem to CA_key.pem. Finally, use the following statement to create the CA:

openssl req -x509 -days 11000 -new -sha1 -key CA_key.pem -out CA_cert.pem

Note that this command prompts you to input information about different parameters, such as country, state, locality, or your organization’s name.

Once you have created the private key (CA_key.pem) and public certificate (CA_cert.pem), import the certificate to all relevant browsers, and upload the certificate to each appliance using the Certificates tab.
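
The following pre-upload check is an added example, not part of the original procedure. It confirms that the key file really is unencrypted PEM and that the certificate was issued for that key. The function names (pem_key_state, cert_matches_key, make_samples) and the sample files are constructed for illustration. Depending on version and options, OpenSSL writes private keys in either the traditional or the PKCS#8 PEM framing, so both are handled.

```shell
#!/bin/sh
# Added example: checks to run on CA_key.pem / CA_cert.pem before upload.

# Print the protection state of a PEM key file: unencrypted | encrypted | not-a-key
pem_key_state() {
    f=$1
    # PKCS#8 encrypted keys say so in the BEGIN line itself.
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        echo encrypted
    # Traditional encrypted keys keep a plain BEGIN line and add the
    # RFC 1421 header "Proc-Type: 4,ENCRYPTED" (followed by DEK-Info).
    elif grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
        echo encrypted
    elif grep -q -E -e '-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----' "$f"; then
        echo unencrypted
    else
        echo not-a-key
    fi
}

# Succeed only if the certificate ($1) carries the public key of the key ($2).
# Needs the openssl binary; call it once pem_key_state reports "unencrypted",
# otherwise openssl asks for the passphrase.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Constructed samples written to directory $1: PEM framing only, the
# base64 bodies are placeholders and not real key material.
make_samples() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0000000000000000' '' 'AAAA' \
        '-----END RSA PRIVATE KEY-----' > "$1/legacy_enc.pem"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'AAAA' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$1/pkcs8_enc.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'AAAA' \
        '-----END RSA PRIVATE KEY-----' > "$1/plain.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAA' \
        '-----END CERTIFICATE-----' > "$1/cert.pem"
}
```

With the real files, pem_key_state CA_key.pem should print "unencrypted" and cert_matches_key CA_cert.pem CA_key.pem should return 0 before the certificate is uploaded.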