14: Security in Detail
PremierWave XC User Guide 96
the exception of the root CA. This way, trust is transferred along the chain, from the root CA
through any number of intermediate authorities, ultimately to the agent that needs to prove its
authenticity.
Obtaining Certificates
Signed certificates are typically obtained from well-known CAs, such as VeriSign. This is done by
submitting a certificate request for a CA, typically for a fee. The CA will sign the certificate
request, producing a certificate/key combo: the certificate contains the identity of the owner and
the public key, and the private key is available separately for use by the owner.
As an alternative to acquiring a signed certificate from a CA, you can act as your own CA and
create self-signed certificates. This is often done for testing scenarios, and sometimes for closed
environments where the expense of a CA-signed root certificate is not necessary.
Self-Signed Certificates
A few utilities exist to generate self-signed certificates or sign certificate requests. The
PremierWave XC also has the ability to generate its own self-signed certificate/key combo. You
can use XML to export the certificate in PEM format, but you cannot export the key. Hence the
internal certificate generator can only be used for certificates to identify that particular
PremierWave XC.
Certificate Formats
Certificates and private keys can be stored in several file formats. Best known are PKCS12, DER
and PEM. Certificate and key can be in the same file or in separate files. Additionally, the key can
be either be encrypted with a password or left in the clear. However, the PremierWave XC
currently only accepts separate PEM files, with the key unencrypted.
Several utilities exist to convert between the formats.
OpenSSL
OpenSSL is a widely used open source set of SSL related command line utilities. It can act as
server or client. It can also generate or sign certificate requests, and can convert from and to
several different of formats.
OpenSSL is available in binary form for Linux and Windows.
To generate a self-signed RSA certificate/key combo:
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout mp_key.pem
-out mp_cert.pem
See www.openssl.org or www.madboa.com/geek/openssl for more information.
Note: Signing other certificate requests is also possible with OpenSSL but the details of
this process are outside the scope of this document.