Requesting or creating an HTTPS certificate

A certificate authority (CA) typically provides instructions on how to apply for a certificate and on how to install the certificate it has issued. Follow the instructions of the certificate authority first.

First, you must create a certificate signing request (CSR) and submit it to the certificate authority in accordance with its instructions. The certificate authority will then provide you with the server certificate and the intermediate certificates.

If you do not have a certificate from an official certificate authority (CA), you can create a self-signed certificate for test purposes.

Proceed as follows:

1. Generate a self-signed certificate for test purposes with the following command:
doas openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 3650 \
                -keyout IPCDiagnostics.key \
                -out IPCDiagnostics.crt \
                -subj '/CN=<hostname>' \
                -addext 'subjectAltName=DNS:<hostname>,IP:<ipaddress>'
2. The command creates a private key IPCDiagnostics.key and a self-signed certificate IPCDiagnostics.crt.

openssl req: The command part req creates and processes certificate signing requests (CSR). With -x509, a self-signed certificate is created directly instead.

-newkey rsa:4096: Creates a new key pair with the RSA algorithm and a key length of 4096 bits.

-nodes: Means "no DES". The private key is not stored in encrypted form, i.e. no password is required to use the key. Anyone who can read the key file can therefore use the key, so restrict the file permissions accordingly.

-sha256: Uses the secure hash algorithm SHA-256 to create the certificate signature.

-keyout IPCDiagnostics.key: Stores the private key in the file IPCDiagnostics.key.

-out IPCDiagnostics.crt: Stores the created certificate in the file IPCDiagnostics.crt.

-subj '/CN=<hostname>': Specifies the data for the certificate without an interactive request. /CN=<hostname> specifies the common name (CN), which is usually the host name or domain that is protected by the certificate.

-addext 'subjectAltName=DNS:<hostname>,IP:<ipaddress>': Adds an extension to the certificate. subjectAltName (SAN) allows additional names and IP addresses to be covered by the certificate.
3. Replace <hostname> with the host name and <ipaddress> with the IP address of your TwinCAT/BSD device.
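The following script is an added example and not part of the original instructions. generate_test_cert runs the command from step 1 into a scratch directory (doas is omitted because nothing is written to a system location), and check_cert verifies that the generated files actually have the properties the individual options are meant to produce; the host name and IP address used in the usage note are hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not part of the original page. generate_test_cert runs the
# command from step 1 into a scratch directory (doas omitted; the files are
# not written to a system location) and check_cert verifies that the result
# really has the properties the options are meant to produce. Host name and
# IP address passed in by the caller are hypothetical placeholders.
set -eu

generate_test_cert() {
    dir="$1"; host="$2"; ip="$3"
    openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 3650 \
        -keyout "$dir/IPCDiagnostics.key" \
        -out "$dir/IPCDiagnostics.crt" \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host,IP:$ip" 2>/dev/null
}

# check_cert CRT KEY HOST IP: returns 0 if all checks pass, otherwise the
# number of the first failed check.
check_cert() {
    crt="$1"; key="$2"; host="$3"; ip="$4"
    # 1. Subject CN is the host name (-subj).
    openssl x509 -in "$crt" -noout -subject | grep -q "CN *= *$host\$" || return 1
    # 2. SAN lists both the DNS name and the IP address (-addext); modern TLS
    #    clients match the host against the SAN only and ignore the CN.
    san=$(openssl x509 -in "$crt" -noout -ext subjectAltName)
    echo "$san" | grep -q "DNS:$host" || return 2
    echo "$san" | grep -q "IP Address:$ip" || return 3
    # 3. SHA-256 signature (-sha256) and a 4096-bit RSA key (-newkey rsa:4096).
    openssl x509 -in "$crt" -noout -text | grep -q sha256WithRSAEncryption || return 4
    openssl rsa -in "$key" -noout -text 2>/dev/null | grep -q '4096 bit' || return 5
    # 4. Key is unencrypted (-nodes), so it loads without a passphrase, and it
    #    is the key that belongs to the certificate (same RSA modulus).
    [ "$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)" = \
      "$(openssl x509 -in "$crt" -noout -modulus)" ] || return 6
    # 5. Self-signed (-x509): it verifies against itself as the only trust
    #    anchor, and it is still valid 30 days from now (-days 3650).
    openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 || return 7
    openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null || return 8
    return 0
}
```

To check the files produced by step 1 on the device itself, run check_cert IPCDiagnostics.crt IPCDiagnostics.key <hostname> <ipaddress> with the real values; a non-zero return value names the first property that is missing.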
In the next step, the certificate can be imported (see: Importing the certificate).