How to Use HTTPS With Self-Signed Certificate (openssl)

General Information

This guide will show you how to generate a self-signed certificate with openssl and how to correctly enable HTTPS with your beroNet Gateway.
In this example I will use a UNIX system, but you can use any supported system.

→ All files are named after their role for a better overview; you can name them whatever you like.

If you already have a self-signed certificate, feel free to skip to 2.).

Prerequisites

  • access to a shell or command line

  • at least openssl version 1.0.2x

  • access to the beroNet Gateway's webGUI

1.) Create Your Self-Signed Certificate

1.1 Create your Own Certification Authority to Sign Certificates

You will create your own CA to sign the certificate requests later.

All certificates that you create should be signed with the root certificate (step 1.1.2) and the root private key (step 1.1.1).
If you have multiple devices with different certificates, you can sign them with this CA and only add the root certificate to your trusted CAs in your browser or operating system.

1.1.1 Generate Private Key For Your CA (root.key)

First you need to generate the private key for your CA (Certification Authority). You will sign the certificates with this key later.

You will also be asked for a passphrase; you will need it later to sign the certificate request created in step 1.2.

openssl genrsa -aes256 -out root.key 1024

1.1.2 Generate the CA Certificate (root.crt)

Then you create the root certificate with the root.key.
Enter the basic information required to generate the CA certificate.

openssl req -new -key root.key -x509 -out root.crt -days 3650

1.2 Create Your Domain Certificate Request (beronet.key, beronet.req)

Now generate a certificate request, which will be signed with the root certificate and key afterwards. Change the values in the command for your environment: the subject fields and the IP address.
You must include a SAN (Subject Alternative Name) so that a local IP address can be trusted. It should contain the static IP address of your beroNet Gateway.

Recommended: copy the commands and change the values accordingly in a text editor or on the command line.

  • Enter the information for your certificate (the subject fields; your choice)

  • Enter the IP address of the Gateway (172.20.30.121 is an example)

  • Enter the key length; 1024 is recommended (anything over 2048 will render the GUI very slow!)

openssl req -new -nodes -newkey rsa:1024 \
    -keyout beronet.key -out beronet.req \
    -batch -subj "/C=DE/ST=Berlin/L=Berlin/O=beroNet CA/OU=beroNet/CN=172.20.30.121" \
    -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=IP:172.20.30.121"))

1.3 Sign the Certificate With the CA (beronet.crt)

openssl x509 -req -in beronet.req -CA root.crt -CAkey root.key -CAcreateserial -out beronet.crt -days 365 -sha256 -extfile <(printf "subjectAltName=IP:172.20.30.121")

  • This certificate will be valid for one year. If you want a longer validity period, change the value of the -days parameter.

You will now have the following files:

  • root.crt and root.key (Your CA root certificate and the private key to sign certificate requests)

  • beronet.req (the certificate signing request that is signed in 1.3)

  • beronet.crt and beronet.key (your self-signed certificate and its private key)

2.) Use the Certificate With Your beroNet Gateway

2.1 Create .pem File (beronet.pem)

To upload the self-signed certificate to the beroNet Gateway, you have to build a .pem file that bundles all the necessary files.
The file must contain these parts in the following order:

  • the private key of the self-signed certificate (beronet.key)

  • the self-signed certificate (beronet.crt)

  • the root certificate (root.crt)

To create beronet.pem, concatenate the three files into one file in exactly that order (key first, root certificate last).
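
As an added example (not beroNet's own code), the following POSIX shell script assembles beronet.pem in that order and, using openssl, checks before the upload that beronet.crt chains to root.crt, that its SAN carries the gateway IP, and that beronet.key actually belongs to it. It assumes the files from section 1 are in the current directory and that GW_IP (172.20.30.121 here, the example address from above) is your gateway's address.

```shell
# Added example, not part of beroNet's documentation: assemble beronet.pem in the
# required order and sanity-check the material before uploading it. Assumes the
# section 1 files are in the working directory and that GW_IP is the gateway
# address used in the SAN (172.20.30.121 is the example value from above).
GW_IP="${GW_IP:-172.20.30.121}"

# Concatenate private key, signed certificate and CA certificate, in that order.
build_pem() {
    # $1=private key  $2=signed certificate  $3=CA certificate  $4=output file
    cat "$1" "$2" "$3" > "$4"
}

# Succeed only if the file holds exactly one private key block followed by two
# certificate blocks (the order the gateway expects). Needs no openssl.
check_pem_order() {
    blocks=$(grep '^-----BEGIN ' "$1" \
             | sed -e 's/^-----BEGIN //' -e 's/-----$//' -e 's/^RSA PRIVATE KEY$/PRIVATE KEY/' \
             | tr '\n' ',')
    [ "$blocks" = "PRIVATE KEY,CERTIFICATE,CERTIFICATE," ]
}

# The leaf certificate must chain to root.crt; this is what the browser checks.
verify_chain() { openssl verify -CAfile "$2" "$1" >/dev/null; }

# The SAN must carry the gateway IP, otherwise the browser rejects the name.
verify_san() { openssl x509 -in "$1" -noout -text | grep -Eq "IP Address:$2(,| |$)"; }

# The private key must belong to the certificate: compare the public keys.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

main() {
    verify_chain beronet.crt root.crt || { echo "beronet.crt does not chain to root.crt"; return 1; }
    verify_san beronet.crt "$GW_IP" || { echo "SAN of beronet.crt lacks IP:$GW_IP"; return 1; }
    key_matches_cert beronet.key beronet.crt || { echo "beronet.key does not match beronet.crt"; return 1; }
    build_pem beronet.key beronet.crt root.crt beronet.pem
    check_pem_order beronet.pem || { echo "beronet.pem has the wrong block order"; return 1; }
    echo "beronet.pem is ready to upload"
}

# Run the checks only when the files from section 1 are present.
if [ -f beronet.key ] && [ -f beronet.crt ] && [ -f root.crt ]; then
    main
fi
```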

2.2 Upload the Certificate

  • Visit Preferences → Network Settings → HTTPS Settings

  • Upload your certificate (beronet.pem)

  • Click Save and Activate → Restart your Gateway

(Screenshot: Network Settings → HTTPS Settings)

2.3 Trust Your Self-Signed Certificate

Now you have your self-signed certificate uploaded and the webGUI can be accessed via HTTPS.

Add the created CA to the trusted CAs of the browser and operating system!

To dismiss the browser warning, either add an exception or, better, add the CA certificate (root.crt) to your trusted CAs.
This differs for every operating system and browser and is therefore not covered here.

If you need scheduled remote assistance, you can request our on-demand support services: https://www.beronet.com/support