Certificates provided by the customer (CA with certificates)
At this point certificates are generated by means of OpenSSL and can be used for the Secure ADS connection.
These instructions do not represent comprehensive advice on the creation and handling of certificates. In particular the validity periods must be observed, which necessitates organizational measures to ensure replacement before they expire (in this case: 3600 days for the CA and 360 days for the respective certificates).
In this example a Certificate Authority (CA) is generated that signs a certificate for both sides (called IPC and CX here) of the communication.
The meaning of the call parameters can be viewed in detail via "openssl help".
- OpenSSL is installed and is available from the command line.
- 1. Generate a key for the Certificate Authority that will be trusted later.
openssl genrsa -out rootCA.key 2048
- 2. Generate the certificate with a validity period of 3600 days. Owner information is added via the parameter "-subj".
openssl req -x509 -new -nodes -key rootCA.key -sha256 -subj "/C=DE/ST=NRW/L=Verl/O=Bk/OU=TCPM/CN=RootCA" -days 3600 -out rootCA.pem
- 3. Generate a key for the IPC.
openssl genrsa -out ipc.key 2048
- 4. Generate a Certificate Signing Request (CSR) for this key.
Please note: The address specified as CN (IP address in this case) must be used as the name when establishing the connection. Alternatively, the route must be parameterized with IgnoreCN.
openssl req -out ipc.csr -key ipc.key -subj "/C=DE/ST=NRW/L=Verl/O=Bk/OU=TCPM/CN=192.168.2.1" -new
- 5. Sign the CSR of the IPC with the CA with a validity of 360 days.
openssl x509 -req -in ipc.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out ipc.crt -days 360 -sha256
- The route can now be set up on the IPC using these files: rootCA.pem, ipc.key and ipc.pem
- 6. Generate a key for the CX.
openssl genrsa -out cx.key 2048
- 7. Generate a Certificate Signing Request (CSR) for this key.
Please note: The address specified as CN (IP address in this case) must be used as the name when establishing the connection. Alternatively, the route must be parameterized with IgnoreCN.
openssl req -out cx.csr -key cx.key -subj "/C=DE/ST=NRW/L=Verl/O=Bk/OU=TCPM/CN=192.168.2.2" -new
- 8. Sign the CSR of the CX with the CA with a validity of 360 days.
openssl x509 -req -in cx.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out cx.crt -days 360 -sha256
- The route can now be set up on the CX using these files: rootCA.pem, cx.key and cx.pem
- The route can be used.
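The procedure above as a shell script, added here as an example and not part of the original instructions: the same OpenSSL calls wrapped in functions, followed by the checks an operator wants before loading the files into a route (the certificate chains to rootCA.pem, its CN matches the address the route will be addressed with, and the 360-day expiry is tracked so replacement can be planned). The directory and function names are this example's own.

```shell
# Added example (not from the Beckhoff text): steps 1-8 as functions plus
# verification of chain, CN and remaining validity with openssl only.
set -eu

SUBJ_BASE="/C=DE/ST=NRW/L=Verl/O=Bk/OU=TCPM"   # owner fields from the text

# make_ca DIR : steps 1 and 2 (CA key and self-signed CA certificate, 3600 days)
make_ca() {
  openssl genrsa -out "$1/rootCA.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$1/rootCA.key" -sha256 \
    -subj "$SUBJ_BASE/CN=RootCA" -days 3600 -out "$1/rootCA.pem"
}

# make_device DIR NAME CN : steps 3-5 / 6-8 (key, CSR, CA-signed cert, 360 days)
make_device() {
  openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
  openssl req -new -key "$1/$2.key" -subj "$SUBJ_BASE/CN=$3" -out "$1/$2.csr"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/rootCA.pem" -CAkey "$1/rootCA.key" \
    -CAcreateserial -out "$1/$2.crt" -days 360 -sha256 2>/dev/null
}

# cert_cn DIR NAME : prints the CN of NAME.crt, which the route compares with
# the address used for the connection unless IgnoreCN is set
cert_cn() {
  openssl x509 -in "$1/$2.crt" -noout -subject -nameopt RFC2253 |
    sed 's/.*CN=\([^,]*\).*/\1/'
}

# check_cert DIR NAME EXPECTED_CN : 0 only if NAME.crt chains to rootCA.pem,
# carries EXPECTED_CN and is still valid for at least one more day
check_cert() {
  openssl verify -CAfile "$1/rootCA.pem" "$1/$2.crt" >/dev/null 2>&1 || return 1
  [ "$(cert_cn "$1" "$2")" = "$3" ] || return 1
  openssl x509 -in "$1/$2.crt" -noout -checkend 86400 >/dev/null
}

# expires_within DIR NAME DAYS : 0 if NAME.crt expires within DAYS days, i.e.
# replacement is due under the organizational rule the text calls for
expires_within() {
  ! openssl x509 -in "$1/$2.crt" -noout -checkend "$(( $3 * 86400 ))" >/dev/null
}

# Stand-alone demo: CA plus the IPC and CX certificates from the text.
DIR="$(mktemp -d)"
make_ca "$DIR"
make_device "$DIR" ipc 192.168.2.1
make_device "$DIR" cx 192.168.2.2
check_cert "$DIR" ipc 192.168.2.1 && check_cert "$DIR" cx 192.168.2.2 &&
  echo "ipc.crt and cx.crt verify against $DIR/rootCA.pem"
```

Run `expires_within "$DIR" ipc 30 && echo "renew ipc.crt"` from a scheduled job to get the replacement warning before the 360 days run out.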