This guide will show you how to generate a self-signed certificate with OpenSSL and how to correctly enable HTTPS on your beroNet Gateway.
In this example I will use a UNIX-like system with bash (the commands below rely on bash process substitution, <(...)), but you can use any supported system.
→ All files are named consistently for a better overview; you can name them whatever you want.
If you already have a self-signed certificate, feel free to skip to 2.).
access to a shell or command line
at least openssl version 1.0.2x
access to the beroNet Gateway's webGUI
You will create your own CA to sign the certificate requests later.
All certificates that you create should be signed with the root certificate (step 1.1.2) and the root private key (step 1.1.1).
First you will need to generate the private key for your CA (Certification Authority). You will sign the certificates with this key later.
You will also set a passphrase for this key; you will need it to sign the certificate request (step 1.2) later. Keep root.key and its passphrase offline and out of any shared directory: anyone holding them can issue certificates your browser will trust.
openssl genrsa -aes256 -out root.key 4096
Note: the original guide used a 1024-bit key. 1024-bit RSA is below the current minimum and is rejected by modern browsers, so use at least 2048 bits (4096 for the CA).
Then you create the root certificate with the root.key. It is valid for ten years (-days 3650).
Enter the basic information required to generate the CA certificate. Give the CA a Common Name that differs from the one you will use for the gateway (e.g. "beroNet Root CA"); if the issuer and subject names of the gateway certificate were identical, OpenSSL would mistake it for a self-signed certificate when building the chain.
openssl req -new -key root.key -x509 -sha256 -out root.crt -days 3650
Now you should generate a certificate request that will be signed with the created root certificate and key afterwards. Change the subject values (C, ST, L, O, OU) and the IP address to match your setup.
You need to include a SAN (Subject Alternative Name) so that browsers will trust a local IP address; modern browsers ignore the CN and match only the SAN. It should contain the static IP address of your beroNet Gateway.
Recommended: copy the commands into a text editor or the command line and change the values accordingly.
openssl req -new -nodes -newkey rsa:2048 \
  -keyout beronet.key -out beronet.req \
  -batch -subj "/C=DE/ST=Berlin/L=Berlin/O=beroNet CA/OU=beroNet/CN=172.20.30.121" \
  -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=IP:172.20.30.121"))
-nodes leaves beronet.key unencrypted on purpose: the gateway has to load the key from the uploaded bundle without a passphrase. The key size is 2048 bits instead of the 1024 bits in the original guide, since 1024-bit keys are rejected by modern browsers.
openssl x509 -req -in beronet.req -CA root.crt -CAkey root.key -CAcreateserial \
  -out beronet.crt -days 365 -sha256 -extfile <(printf "subjectAltName=IP:172.20.30.121")
The SAN has to be passed again via -extfile because openssl x509 -req does not copy extensions from the request into the certificate.
This certificate will be valid for one year. If you want to increase the time, change the value for the parameter -days.
You will now have the following files:
root.crt and root.key (Your CA root certificate and the private key to sign certificate requests)
beronet.req (the certificate sign request file that is signed in 1.4)
beronet.crt and beronet.key (your self-signed certificate and its private key)
To upload the self-signed certificate to the beroNet Gateway, you will have to build a .pem file that contains all necessary files.
The file needs to contain these files in the following order:
the self-signed certificates key (beronet.key)
the self-signed certificate (beronet.crt)
the root certificate (root.crt)
To create the bundle file beronet.pem, concatenate the three files in that order:
cat beronet.key beronet.crt root.crt > beronet.pem
Because beronet.pem contains the unencrypted private key, restrict its permissions (chmod 600 beronet.pem) and delete it from your workstation once it has been uploaded.
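The complete procedure above (CA key and root certificate, gateway key and CSR with SAN, signing, bundling) as one script, followed by the checks a practitioner should run before uploading: the certificate chains to root.crt, the SAN carries the gateway IP, and the key in the bundle matches the certificate. This is an added example, not a beroNet tool; it assumes OpenSSL 1.0.2 or newer on PATH, takes the gateway address from GATEWAY_IP (defaulting to the 172.20.30.121 placeholder used throughout this guide) and the CA passphrase from ROOT_KEY_PASS, and uses a small config file instead of the process substitution shown above so it also works where /etc/ssl/openssl.cnf is missing.

```shell
#!/usr/bin/env bash
# Added example, not beroNet's own tooling. Builds root CA, gateway certificate
# and beronet.pem in $WORKDIR, then verifies the result.
set -eu

GATEWAY_IP="${GATEWAY_IP:-172.20.30.121}"     # static IP of the gateway (assumed placeholder)
ROOT_KEY_PASS="${ROOT_KEY_PASS:-change-me}"   # CA passphrase from the environment, never hard-code it
W="${WORKDIR:-$(mktemp -d)}"                  # output directory

# Minimal OpenSSL config: empty DN section (we pass -subj), CA extensions for the
# root, and leaf extensions carrying the SAN with the gateway IP.
write_config() {
  cat > "$W/openssl.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[SAN]
subjectAltName = IP:$GATEWAY_IP
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:$GATEWAY_IP
EOF
}

# Step 1: passphrase-protected CA key (4096 bit) and 10-year root certificate.
# The CA gets its own CN so issuer and subject of the leaf never collide.
make_ca() {
  openssl genrsa -aes256 -passout "pass:$ROOT_KEY_PASS" -out "$W/root.key" 4096 2>/dev/null
  openssl req -new -x509 -sha256 -days 3650 -batch \
    -key "$W/root.key" -passin "pass:$ROOT_KEY_PASS" \
    -subj "/C=DE/ST=Berlin/L=Berlin/O=beroNet CA/OU=beroNet/CN=beroNet Root CA" \
    -config "$W/openssl.cnf" -extensions ca_ext -out "$W/root.crt"
}

# Step 2: unencrypted gateway key (-nodes, the gateway cannot prompt for a
# passphrase) and a CSR whose SAN holds the gateway IP.
make_csr() {
  openssl req -new -nodes -newkey rsa:2048 -batch \
    -keyout "$W/beronet.key" -out "$W/beronet.req" \
    -subj "/C=DE/ST=Berlin/L=Berlin/O=beroNet CA/OU=beroNet/CN=$GATEWAY_IP" \
    -config "$W/openssl.cnf" -reqexts SAN 2>/dev/null
}

# Step 3: sign for one year. x509 -req drops CSR extensions, so the leaf
# extensions (including the SAN) are supplied again from the config file.
sign_csr() {
  openssl x509 -req -in "$W/beronet.req" -CA "$W/root.crt" -CAkey "$W/root.key" \
    -passin "pass:$ROOT_KEY_PASS" -CAcreateserial -days 365 -sha256 \
    -extfile "$W/openssl.cnf" -extensions leaf_ext -out "$W/beronet.crt" 2>/dev/null
}

# Step 4: bundle in the order the gateway expects: key, certificate, root.
make_bundle() {
  cat "$W/beronet.key" "$W/beronet.crt" "$W/root.crt" > "$W/beronet.pem"
  chmod 600 "$W/beronet.pem"
}

# Pre-upload checks. Returns 0 only if the chain validates against root.crt,
# the SAN contains the gateway IP, and key and certificate in the bundle match.
verify_bundle() {
  openssl verify -CAfile "$W/root.crt" "$W/beronet.crt" 2>&1 | grep -q 'OK$' || return 1
  openssl x509 -in "$W/beronet.crt" -noout -text | grep -q "IP Address:$GATEWAY_IP" || return 1
  key_mod=$(openssl rsa -in "$W/beronet.pem" -noout -modulus 2>/dev/null) || return 1
  crt_mod=$(openssl x509 -in "$W/beronet.pem" -noout -modulus 2>/dev/null) || return 1
  [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ]
}

build_all() { write_config && make_ca && make_csr && sign_csr && make_bundle && verify_bundle; }

build_all && echo "bundle written to $W/beronet.pem"
```

Run it as ROOT_KEY_PASS='...' GATEWAY_IP=10.0.0.5 WORKDIR=./pki bash make-beronet-pem.sh; a non-zero exit from verify_bundle means the bundle would be rejected or distrusted and should not be uploaded.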
Visit Preferences → Network Settings → HTTPS Settings
Upload your certificate (beronet.pem)
Click Save and Activate → Restart your Gateway
Now you have your self-signed certificate uploaded and the webGUI can be accessed via HTTPS.
To get rid of the browser warning, either add a one-off exception for the gateway or, better, import the CA certificate (root.crt, never root.key) into your trusted root CAs. Import only root.crt; the gateway's own certificate does not need to be trusted separately once its issuer is.
How to do this differs for every operating system and browser and is therefore not covered here.