General Information

This guide will show you how to generate a self-signed certificate with openssl and how to correctly enable HTTPS with your beroNet Gateway.
In this example I will use a UNIX system, but you can use any supported system.

→ All files will be named accordingly for a better overview, you can name them what you want.

If you already have a self-signed certificate, feel free to skip to 2.).

Prerequisites

• access to a shell or command line

• at least openssl version 1.0.2x

• access to the beroNet Gateways webGUI

1.) Create Your Self-Signed Certificate

1.1 Create your Own Certification Authority to Sign Certificates

You will create your own CA to sign the certificate requests later.

1.1.1 Generate Private Key For Your CA (root.key)

First you will need to generate the private key for your CA (Certification Authority or Zertifizierungsstelle). You will sign the certificates with this key later.

You will also create a passphrase that you will need to sign the created certificate request (step 1.2) later.

1.1.2 Generate the CA Certificate (root.crt)

Then you create the root certificate with the root.key.
Enter the basic information required to generate the CA certificate.

1.2 Create Your Domain Certificate Request (beronet.key, beronet.req)

Now you should generate a certificate request, that will be signed with the created root certificate and key afterwards. Here you should change the values highlighted in red and green.
You will need to give the SAN (subject Alternative Name) in order to trust a local IP-Adress. This should contain the static IP-Adress of your beroNet Gateway.

• openssl req -new -nodes -newkey rsa:1024 \
  -keyout beronet.key -out beronet.req \
  -batch -subj "/C=DE/ST=Berlin/L=Berlin/O=beroNet CA/OU=beroNet/CN=172.20.30.121" \
  -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=IP:172.20.30.121"))

1.3 Sign the Certificate With the CA (beronet.crt)

openssl x509 -req -in beronet.req -CA root.crt -CAkey root.key -CAcreateserial -out beronet.crt -days 365 -sha256 -extfile <(printf "subjectAltName=IP:172.20.30.121")

• This certificate will be valid for one year. If you want to increase the time, change the value for the parameter -days.

You will now have the following files:

• root.crt and root.key (Your CA root certificate and the private key to sign certificate requests)

• beronet.req (the certificate sign request file that is signed in 1.4)

• beronet.crt and beronet.key (Your self signed certificate and the key)

2.) Use the Certificate With Your beroNet Gateway

2.1 Create .pem File (beronet.pem)

To upload the self-signed certificate to the beroNet Gateway, you will have to build a .pem file that contains all necessary files.
The file needs to contain these files in the following order:

• the self-signed certificates key (beronet.key)

• the self-signed certificate (beronet.crt)

• the root certificate (root.crt)
  
  

To create the following file beronet.pem you can concatenate the files into the .pem file like this:

2.2 Upload the Certificate

• Visit Preferences → Network Settings → HTTPS Settings

• Upload your certificate (beronet.pem)

• Click Save and Activate → Restart your Gateway

Open

2.3 Trust Your Self-Signed Certificate

Now you have your self-signed certificate uploaded and the webGUI can be accessed via HTTPS.

Add the created CA to the trusted CAs of the browser and operating system!

To dismiss the warning of the browser, you have to add an exception or rather add the CA certificate (root.crt) to your trusted CAs.
This is different for every operation system and browser and is therefore not covered here.