RUGGEDCOM Application Note AN22
Generating SSH Keys and SSL Certificates for ROS and ROX

Table of Contents
Chapter 1 Introduction
Chapter 2 Installing OpenSSL on Windows
Chapter 3 Installing the Scripts
Chapter 4 Using Scripts to Create SSL Certificates
    4.1 Scenario 1: The Machine Hosting the Scripts Becomes the Root CA ... 7
    4.2 Scenario 2: The CA Resides Elsewhere
Chapter 5 Using the Scripts to Create SSH Keys for ROS
Chapter 6 Adding a Root CA Certificate to the List of Trusted Root CAs
Chapter 7 PEM Formatted Certificates and Keys
...
Chapter 1 Introduction

ROS (v3.12.1 and later) and ROX can accept SSL certificates and SSH keys created externally. This document, along with some useful scripts developed by Siemens, is intended to help users working with Microsoft Windows®...
Chapter 2 Installing OpenSSL on Windows

To install OpenSSL on Windows, do the following:

1. Download the OpenSSL Setup program (without sources) for Windows from http://gnuwin32.sourceforge.net/packages/openssl.htm.
2. Double-click the downloaded file and install OpenSSL.
3. During the installation process, change the installation directory to C:\OpenSSL\.
Chapter 3 Installing the Scripts

To install the scripts, extract the contents of the Zip file (AN22.zip) obtained from Siemens into an appropriate location on the script machine (the computer/server that hosts the scripts). A folder titled RCKeyGen will be placed in the chosen location.
Chapter 4 Using Scripts to Create SSL Certificates

The scripts provided by Ruggedcom can be used in three different infrastructure scenarios.
• Section 4.1, “Scenario 1: The Machine Hosting the Scripts Becomes the Root CA”
• ...
Figure 1: Scenario 1 (1. Root Certificate Authority (CA); 2. Certificate; 3. ROS/ROX Devices)

Navigate to the RCKeyGen folder on the script machine and open the file config.txt in a text editor.
NOTE: Do not use the default parameters provided in the config.txt file.
Double-click the script 1_ssl_root_CA_certgen.vbs to generate the root certificate.
Double-click the script 02_ssl_device_certgen.vbs to generate a certificate for each device listed in device_data.txt and have them signed by the Root CA. When the script asks if the certificates need to be self-signed, click No.
Figure 2: Scenario 2 (1. Root Certificate Authority (CA); 2. Certificate Authorities (CAs); 3. Certificate; 4. Certificate Request; 5. Script Machine; 6. ROS/ROX Compatible Certificate; 7. ROS/ROX Devices)

Navigate to the RCKeyGen folder on the script machine and open the file config.txt in a text editor.
Update the other parameters with relevant values. Save and close the file.
Open the file device_data.txt in a text editor and replace the current content with a list of addresses (one per line) for the devices for which certificates are to be generated.
Figure 3: Scenario 3 (1. Script Machine; 2. Certificate; 3. ROS/ROX Devices)

Navigate to the RCKeyGen folder on the script machine and open the file device_data.txt in a text editor.
Double-click the script 03_ssl_formatting.vbs to convert the certificates into PEM format and clean up any files that were created by the scripts. The finished certificates are available in the SSL_certs folder and are named according to their associated device, as defined in device_data.txt.
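The three scripts wrap OpenSSL, so the steps above can be written out as plain OpenSSL commands. The following is an added example and not the AN22 scripts themselves: it builds a root CA, then, for every address in a device_data.txt-style list, a key, a CSR and a certificate signed by that root (Scenario 1, "self-signed? No") or by the device's own key (Scenario 3, "self-signed? Yes"), writes the results into an SSL_certs folder named per device, and checks each result chains to the intended trust anchor. The config.txt field names, the DN values, key sizes, lifetimes and the assumption that addresses are IPs are all assumptions made here, not the scripts' real parameters.

```shell
# Added example, not the AN22 scripts: the OpenSSL steps that Scenario 1
# (script machine as root CA) and Scenario 3 (self-signed) come down to,
# driven by a list in the one-address-per-line form of device_data.txt.
# Folder names, lifetimes and DN values below are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SSL_CERTS="$WORK/SSL_certs"      # output folder, named as in the note
CA_DAYS=3650
DEV_DAYS=365
# Constructed stand-in for the DN fields of config.txt (not its real keys).
DN_PREFIX="/C=CA/ST=Ontario/L=Concord/O=Example Utility/OU=Substation"

# Minimal req config so the run does not depend on the system openssl.cnf.
write_config() {
  cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# 1_ssl_root_CA_certgen.vbs equivalent: root key plus self-signed CA cert.
make_root_ca() {
  openssl genrsa -out "$WORK/rootCA.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/rootCA.key" -config "$WORK/req.cnf" \
    -extensions ca_ext -subj "$DN_PREFIX/CN=Example Root CA" \
    -days "$CA_DAYS" -sha256 -out "$WORK/rootCA.crt"
}

# 02_ssl_device_certgen.vbs equivalent for one device: key and CSR, then a
# certificate signed by the root CA ("self-signed? No") or by the device's
# own key ("self-signed? Yes"). Addresses are assumed to be IPs.
make_device_cert() {
  ip="$1"; self_signed="$2"
  key="$SSL_CERTS/$ip.key"; csr="$WORK/$ip.csr"; crt="$SSL_CERTS/$ip.crt"
  openssl genrsa -out "$key" 2048 2>/dev/null
  openssl req -new -key "$key" -config "$WORK/req.cnf" \
    -subj "$DN_PREFIX/CN=$ip" -out "$csr"
  # End-entity extensions: never a CA, and the address as a SAN so a client
  # can match the certificate to the device it is talking to.
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=IP:%s\n' "$ip" > "$WORK/$ip.ext"
  if [ "$self_signed" = yes ]; then
    openssl x509 -req -in "$csr" -signkey "$key" -days "$DEV_DAYS" -sha256 \
      -extfile "$WORK/$ip.ext" -out "$crt" 2>/dev/null
  else
    openssl x509 -req -in "$csr" -CA "$WORK/rootCA.crt" -CAkey "$WORK/rootCA.key" \
      -CAcreateserial -days "$DEV_DAYS" -sha256 -extfile "$WORK/$ip.ext" \
      -out "$crt" 2>/dev/null
  fi
  rm -f "$csr" "$WORK/$ip.ext"   # the clean-up that 03_ssl_formatting.vbs does
}

# 03_ssl_formatting.vbs equivalent: the certificate is already PEM; the key is
# rewritten in the form Chapter 7 shows ("BEGIN RSA PRIVATE KEY"). OpenSSL 3.x
# writes PKCS#8 ("BEGIN PRIVATE KEY") unless -traditional is given; 1.1.x
# lacks -traditional and already writes the RSA form, hence the fallback.
format_key_pem() {
  openssl rsa -in "$1" -traditional -out "$1.tmp" 2>/dev/null \
    || openssl rsa -in "$1" -out "$1.tmp" 2>/dev/null
  mv "$1.tmp" "$1"
}

# Acceptance check for one device: expected PEM headers, and the certificate
# chains to the intended trust anchor (the root CA, or itself if self-signed).
verify_device_cert() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$SSL_CERTS/$1.crt" || return 1
  grep -q -- '-----BEGIN RSA PRIVATE KEY-----' "$SSL_CERTS/$1.key" || return 1
  openssl verify -CAfile "$2" "$SSL_CERTS/$1.crt" >/dev/null 2>&1
}

# Run the whole pipeline for every address in a device_data.txt-style file.
run_pipeline() {
  device_file="$1"; self_signed="${2:-no}"
  mkdir -p "$SSL_CERTS"
  write_config
  [ "$self_signed" = yes ] || make_root_ca
  while IFS= read -r ip <&3; do
    [ -n "$ip" ] || continue
    make_device_cert "$ip" "$self_signed"
    format_key_pem "$SSL_CERTS/$ip.key"
    if [ "$self_signed" = yes ]; then anchor="$SSL_CERTS/$ip.crt"; else anchor="$WORK/rootCA.crt"; fi
    verify_device_cert "$ip" "$anchor"
  done 3< "$device_file"
}

# Constructed device list standing in for device_data.txt.
printf '192.168.0.10\n192.168.0.11\n' > "$WORK/device_data.txt"
run_pipeline "$WORK/device_data.txt" no
```

Run it with sh; set WORK to keep the output somewhere other than a temporary folder. The final verify step is the part the scripts' "clean up" hides: it confirms that each device certificate actually chains to the root CA (or, in Scenario 3, to itself) before anything is loaded onto a device, and it checks the key header that Chapter 7 shows, which newer OpenSSL releases no longer emit by default.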
Scenario 3: Self-Signed Device Certificates...
Chapter 5 Using the Scripts to Create SSH Keys for ROS

The generation of SSH keys is a single-step process.
NOTE: For information on how to regenerate SSH keys for ROX, refer to the ROX User Guide for the device.
Navigate to the RCKeyGen folder on the script machine and open the file device_data.txt in a text editor.
Chapter 6 Adding a Root CA Certificate to the List of Trusted Root CAs

In order for a certificate to be trusted, and often for a secure connection to be established, the certificate must have been issued by a CA that is included in the trusted store of the device that is connecting.
Figure 5: Certificate Import Wizard Dialog Box

Follow the on-screen instructions to locate the root certificate file and make sure it is placed in the Trusted Root Certification Authorities store.
Chapter 7 PEM Formatted Certificates and Keys

The following is an example of a PEM formatted SSH key:

-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQC3xOHodmmPghN1uWuFs9WdURkT9Ngjh7ded8BRa1PP3xUFzYSp
UIq5QB2zU0UsHE0fGRWqYr8GA4r59KIDhhV5J2D/dIL9qCGklWNPBamZCVu+4N5M
5L//Ga8N5lv3AbGSfEsiiyA38uNNR5B6QzpXuTbEBUq84hlD4wDiL78eKwIDAQAB
AoGBAI2CXHuHg23wuk9zAusoOhw0MN1/M1jYz0k9aajIvvdZT3Tyd29yCADy8GwA
eUmoWXLS/C4CcBqPa9til8ei3rDn/w8dveVHsi9FXjtVSYqN+ilKw+moMAjZy4kN
/kpdpHMohwv/909VWR1AZbr+YTxaG/++tKl5bqXnZl4wHF8xAkEA5vwut8USRg2/
TndOt1e8ILEQNHvHQdQr2et/xNH4ZEo7mqot6skkCD1xmxA6XG64hR3BfxFSZcew
Wr4SOFGCtQJBAMurr5FYPJRFGzPM3HwcpAaaMIUtPwNyTtTjywlYcUI7iZVVfbdx
4B7qOadPybTg7wqUrGVkPSzzQelz9YCSSV8CQFqpIsEYhbqfTLZEl83YjsuaE801
xBivaWLIT0b2TvM2O7zSDOG5fv4I990v+mgrQRtmeXshVmEChtKnBcm7HH0CQE6B
2WUfLArDMJ8hAoRczeU1nipXrIh5kWWCgQsTKmUrafdEQvdpT8ja5GpX2Rp98eaU
NHfI0cP36JpCdome2eUCQDZN9OrTgPfeDIXzyOiUUwFlzS1idkUGL9nH86iuPnd7
WVF3rV9Dse30sVEk63Yky8uKUy7yPUNWldG4U5vRKmY=
...
Chapter 8 Generating a Certificate from a Certificate Request in Windows 2008 CA

If there is an existing Windows certificate server in the organization, perform the following procedure to generate the certificate on a Windows 2008 server:
Copy and paste the CSR file generated on the script machine to any folder on your CA.
Figure 7: Open Request File Dialog Box

Select the CSR file and click Open.
Navigate to the Pending Requests folder. If the certificate request was uploaded properly, the request will appear in this folder.
Figure 9: Issuing the Certificate

Navigate to the Issued Certificates folder.

Figure 10: Issued Certificates Folder

Double-click on the certificate. The Certificate dialog box appears.
Figure 11: Certificate Dialog Box

Click the Details tab. This displays the distinguished name parameters for the certificate.
10. Verify the distinguished name parameters are correct and then click Copy to File. The Certificate Export Wizard dialog box appears.
Figure 13: Export File Format Screen

12. Copy the certificate to the SSL_certs folder.
13. Make sure a matching *.key file is present in the SSL_certs folder.
14.
Chapter 9 Frequently Asked Questions (FAQs)

What should I do if my root CA’s certificate has expired or I have a new root CA in my organization?
If the existing root CA’s certificate has expired, or if you want to sign all of your existing device certificates using a new root CA, then all the device certificates have to be replaced with new certificates signed by the new root CA.
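Two checks follow from the text above and from step 13 of Chapter 8: a certificate coming back from an external CA is only usable if it carries the public key of the *.key file already in SSL_certs, and once a root CA certificate is expiring, every device certificate it signed is due for replacement, not just the ones whose own dates are close. The following added example (not the AN22 scripts) implements both with OpenSSL; the folder layout, file names and the 30-day horizon are assumptions, and the certificates it checks are constructed on the spot rather than taken from real devices.

```shell
# Added example, not the AN22 scripts: the checks worth running before a
# certificate issued by an external CA (Chapter 8, step 13) is copied into
# SSL_certs, plus an expiry sweep for the FAQ case of a root CA certificate
# that is expiring. File names and the 30-day horizon are assumptions.
set -eu

# Does the certificate carry the public key of this private key? Both commands
# print the SubjectPublicKeyInfo as PEM, so a plain string comparison suffices.
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -pubkey -noout)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Succeeds if the certificate stays valid for at least $2 more days.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Names (file stems) of the device certificates in $1 that need replacing
# within $3 days: all of them if the root CA certificate $2 expires within
# that window, which is the FAQ situation, otherwise those expiring themselves.
certs_needing_replacement() {
  dir="$1"; root="$2"; days="$3"
  for crt in "$dir"/*.crt; do
    if ! cert_valid_for_days "$root" "$days" || ! cert_valid_for_days "$crt" "$days"; then
      basename "$crt" .crt
    fi
  done | sort
}

# Constructed test material (not real device data): a throwaway req config,
# a root stand-in, two device cert/key pairs with different lifetimes, and a
# stray key that belongs to no certificate.
D=$(mktemp -d)
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$D/req.cnf"
mk() {  # mk <dir> <name> <days>: self-signed cert + key, enough for these checks
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -config "$D/req.cnf" -subj "/CN=$2" \
    -days "$3" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}
mk "$D/ca" root 3650
mk "$D/certs" 192.168.0.10 365
mk "$D/certs" 192.168.0.11 1
openssl genrsa -out "$D/stray.key" 2048 2>/dev/null

if cert_matches_key "$D/certs/192.168.0.10.crt" "$D/certs/192.168.0.10.key"; then
  echo "192.168.0.10: certificate matches its .key file"
fi
if ! cert_matches_key "$D/certs/192.168.0.10.crt" "$D/stray.key"; then
  echo "stray.key: does NOT match 192.168.0.10.crt; do not copy it into SSL_certs"
fi
echo "Device certificates to replace within 30 days:"
certs_needing_replacement "$D/certs" "$D/ca/root.crt" 30
```

The mismatch case is the one that bites in Scenario 2 and Chapter 8: if the CSR is regenerated after it was submitted, the returned certificate no longer fits the *.key in SSL_certs and the device will reject the pair, so the comparison above is cheaper than finding out on the device. The sweep reproduces the FAQ answer mechanically: a root certificate inside the horizon puts every device certificate on the replacement list.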