Skip to main content

Certificate command

When run with necessary options, the trustedge certificate command provides functionality for generating asymmetric keypairs, creating Certificate Signing Requests (CSRs), and submitting CSRs to a Certificate Authority (CA) over SCEP to receive x.509 certificates.

Notice

TrustEdge command line does not support Enrollment over Secure Transport (EST) at this time. EST support will be included in a future update.

Before you begin

Before performing any certificate operations using TrustEdge CLI tool, make sure you set up your keystore and Certificate Signing Request (CSR) configuration file..

  1. Check your current working directory. This is where the keystore directory will be created.

    Note

    If you need to navigate to a different directory, use the cd command.

  2. After confirming or changing your working directory, create the necessary keystore structure.

    mkdir -p keystore/{ca,certs,keys,conf,req}

    This command will create the keystore directory in your current working directory. It also creates the following subdirectories as specified in the curly brackets:

    • ca: Location for CA certificate.

    • certs: Location for CEP or RA certificate and XCHG certificate.

    • keys: Generated keys are saved here.

    • conf: Location for Certificate Signing Request (CSR) configuration file (.cnf).

    • req: Signed certificate request is saved here.

  3. Use the following command to create the CSR configuration file sample_csr.cnf in the keystore/conf directory.

    echo "##Subject
    countryName=US
    commonName=iot-device101
    stateOrProvinceName=California
    localityName=San Francisco
    organizationName=DBA
    organizationalUnitName=BU
    ##Requested Extensions
    hasBasicConstraints=true
    isCA=true
    certPathLen=-1
    keyUsage=keyEncipherment, digitalSignature, keyCertSign
    subjectAltNames=2; *.mydomain.com, 2; *.mydomain.net, 2" > keystore/conf/sample_csr.cnf

    Tip

    To confirm the creation of directories and files, you can use the ls -l keystore/* command.

Use cases and examples

To view the available options for the trustedge certificate command, use the following:

trustedge certificate --help

The trustedge certificate tool allows you to generate software-based private keys that are used to create Certificate Signing Requests (CSRs) and securing communications. In this workflow, you will learn how to generate an RSA or ECC private key, specify the output format, and if needed protect the key with a password.

Step 1: Choose the algorithm and key parameters

Before generating the key, decide on the type of key (--algorithm <key_type>) and its parameters, such as key size (--size <size>) for RSA or the curve (--curve <curve>)for ECC.

  1. For RSA keys: You will need to specify the key size.

    trustedge certificate --key-store-path keystore/ --algorithm RSA --size 2048 --output-file RSA_2048.pem
    
  2. For ECC keys: You need to specify the curve type.

    trustedge certificate --key-store-path keystore/ --algorithm ECC --curve P256 --output-file ECC_P256_PRIV.pem
    

Step 2 (optional): Generate the public key

If you also want to generate the corresponding public key, you can use the --output-pub-file option to specify the output file for the public key.

  1. For RSA keys:

    trustedge certificate --key-store-path keystore/ --algorithm RSA --size 2048 --output-file RSA_2048.pem --output-pub-file RSA_2048_PUB.pem
    
  2. For ECC keys:

    trustedge certificate --key-store-path keystore/ --algorithm ECC --curve P256 --output-file ECC_P256_PRIV.pem --output-pub-file ECC_P256_PUB.pem
    

Step 3 (optional): Protect the private key with a password

You can enhance the security of your private key by protecting it with a password using the --protect option. After running the command, you will be prompted to enter a password to protect the private key.

  1. For RSA keys:

    trustedge certificate --key-store-path keystore/ --algorithm RSA --size 2048 --protect --output-file RSA_PW_2048.pem
    
  2. For ECC keys:

    trustedge certificate --key-store-path keystore/ --algorithm ECC --curve P256 --protect --output-file ECC_P256_PW.pem
    

Step 4: Verify the key creation

After generating the key, you can verify that the file was created by listing the contents of the directory:

ls -l keystore/keys/

This command will display the files in the keystore/keys/ directory, including the newly created private key, and public key if generated.

Tip

After generating a private key, you can use it to sign a Certificate Signing Request (CSR). See Create a Signed Certificate Signing Request (CSR).

A signed Certificate Signing Request (CSR) includes information about your organization and public key and is signed with the corresponding private key to ensure its authenticity. The following steps will guide you through generating a CSR using a CSR configuration file and signing it with either an RSA or ECC private key.

Step 1: Prepare the CSR configuration file

  1. If you haven’t already done so, create a CSR configuration file in the keystore/conf directory. Use the following command to generate a sample configuration file:

    echo "##Subject
    countryName=US
    commonName=iot-device101
    stateOrProvinceName=California
    localityName=San Francisco
    organizationName=DBA
    organizationalUnitName=BU
    ##Requested Extensions
    hasBasicConstraints=true
    isCA=true
    certPathLen=-1
    keyUsage=keyEncipherment, digitalSignature, keyCertSign
    subjectAltNames=2; *.mydomain.com, 2; *.mydomain.net, 2" > keystore/conf/sample_csr.cnf
    

    This configuration file will be used to create the CSR.

  2. Check the contents of the CSR configuration file to ensure it contains the correct information.

    cat keystore/conf/sample_csr.cnf
    

Step 2: Generate the CSR

Once the CSR configuration file is ready, you can generate the CSR by specifying the configuration file and signing it with a private key.

Important

Make sure your keystore folder contains the private key (RSA_2048.pem or ECC_P256.pem) being used to sign the CSR. See Generate a software-based private key.

  1. For an RSA private key:

    trustedge certificate --cert-sign-req --output-file CSR_RSA_2048.pem --key-store-path keystore/ --signing-key RSA_2048.pem --csr-conf sample_csr.cnf --digest SHA256
    
  2. For an ECC private key:

    trustedge certificate --cert-sign-req --output-file CSR_ECC_P256.pem --key-store-path keystore/ --signing-key ECC_P256.pem --csr-conf sample_csr.cnf --digest SHA256
    

Step 3 (optional): Include a signing certificate

If you need to include a signing certificate with your CSR, you can include the --signing-cert option. Make sure the specified signing certificate filename is located in the keystore/cert directory.

  1. For RSA keys with a signing certificate:

    trustedge certificate --cert-sign-req --output-file CSR_RSA_2048.pem --key-store-path keystore/ --signing-key RSA_2048.pem --signing-cert RSA_CERT_2048.pem --csr-conf sample_csr.cnf --digest SHA256
    
  2. For ECC keys with a signing certificate:

    trustedge certificate --cert-sign-req --output-file CSR_ECC_P256.pem --key-store-path keystore/ --signing-key ECC_P256.pem --signing-cert ECC_CERT_P256.pem --csr-conf sample_csr.cnf --digest SHA256
    

Step 4: Verify the CSR

After generating the CSR, you can verify that the file was created by listing the contents of the directory:

ls -l keystore/*

This command will display the all directories and files in the keystore/ directory, including the newly created CSR.

x.509 certificates are used to authenticate devices, secure communications, and verify the integrity of data. The following steps will guide you through generating an x.509 certificate as either a self-signed certificate or using a signing key and CA certificate.

Step 1: Prepare the CSR configuration file

Before generating the x.509 certificate, ensure that you have a properly configured CSR configuration file (.cnf). This file contains the necessary details about the subject (such as country, organization, and common name) and key usage, which will be included in the certificate.

  1. If you haven’t already done so, create a CSR configuration file in the keystore/conf directory. Use the following command to generate a sample configuration file:

    echo "##Subject
    countryName=US
    commonName=iot-device101
    stateOrProvinceName=California
    localityName=San Francisco
    organizationName=DBA
    organizationalUnitName=BU
    ##Requested Extensions
    hasBasicConstraints=true
    isCA=true
    certPathLen=-1
    keyUsage=keyEncipherment, digitalSignature, keyCertSign
    subjectAltNames=2; *.mydomain.com, 2; *.mydomain.net, 2" > keystore/conf/sample_csr.cnf
    
  2. Check the contents of the CSR configuration file to ensure it contains the correct information.

    cat keystore/conf/sample_csr.cnf
    

Step 2: Generate the x.509 certificate

Once the CSR configuration file is ready, you can generate the x.509 certificate by specifying the configuration file and using either a self-signed certificate or an existing signing key and certificate.

  1. To generate a self-signed RSA x.509 certificate:

    trustedge certificate --key-store-path keystore/ --algorithm RSA --size 2048 --output-file RSA_CERT_2048.pem --csr-conf sample_csr.cnf --x509-cert RSA_CERT_2048.pem --days 365
    
  2. To generate a self-signed ECC x.509 certificate:

    trustedge certificate --key-store-path keystore/ --algorithm ECC --curve P256 --output-file ECC_CERT_P256.pem --csr-conf sample_csr.cnf --x509-cert ECC_CERT_P256.pem --days 365
    

Tip

To enhance the security of your private key, you can protect it with a password by including the --protect option with any of the commands above. After running the command, you will be prompted to enter a password to protect the private key.

Step 3: Verify the certificate creation

After generating the x.509 certificate, verify that the file was created correctly by listing the contents of the directory:

ls -l keystore/certs/

This command will display the files in the keystore/certs/ directory, including the newly created x.509 certificate.

Important

TrustEdge CLI tool certificate command can be built for one and only one of the following: TPM2 (default build of TrustEdge), PKCS11 (which can handle multiple PKCS11 providers simultaneously), or TAP REMOTE.

By using the --tap option with the trustedge certificate command, you can generate hardware-based private keys using a Trusted Application Platform (TAP). These keys are securely stored in a hardware module, such as a TPM, and are never exposed in software. The below steps will guide you through generating an RSA or ECC private key using a TAP. See TAP/SMP ASN.1 key format for more details.

Note

TAP-based keys are not available for DSA or QS. For HYBRID keys, only the ECC portion can be TAP-based.

Step 1: Choose the algorithm and key parameters

  1. For RSA keys, specify the key size with --size <size> and include the --tap option.

    trustedge certificate --key-store-path keystore/ --algorithm RSA --size 2048 --tap --output-file RSA_TAP_2048.pem
    
  2. For ECC keys, specify the curve type with --curve <curve> and include the --tap option.

    trustedge certificate --key-store-path keystore/ --algorithm ECC --curve P256 --tap --output-file ECC_TAP_P256.pem
    

Step 2: Configure optional TAP parameters

You can further customize the TAP key generation by specifying additional TAP-related options, such as key usage or signature schemes.

  1. For RSA keys with specific TAP key usage:

    trustedge certificate --key-store-path keystore/ --algorithm RSA --size 2048 --tap --tap-key-usage TAP_KEY_USAGE_SIGNING --output-file RSA_TAP_SIGN_2048.pem
    
  2. For ECC keys with a specific TAP signature scheme:

    trustedge certificate --key-store-path keystore/ --algorithm ECC --curve P256 --tap --tap-sig-scheme TAP_SIG_SCHEME_ECDSA_SHA256 --output-file ECC_TAP_SIGN_P256.pem
    

Tip

To enhance the security of your private key, you can protect it with a password by including the --protect option with any of the commands above. After running the command, you will be prompted to enter a password to protect the private key.

Step 3: Verify the key creation

After generating the key, verify that the file was created correctly by listing the contents of the directory:

ls -l keystore/keys/

This command will display the files in the keystore/keys/ directory, including the newly created TAP-protected private key.

TAP/SMP ASN.1 key format

This section describes the ASN.1 module for TAP keys. The PrivateKeyInfo structure is defined in PKCS #8 and includes an algorithm identifier and the private key data, which is wrapped in an OCTET STRING.

These are the Object Identifiers (OIDs) used to build the OIDs in this document:

Note

mocana is 1.3.6.1.4.1.14421

mocana OBJECT IDENTIFIER ::= {
iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1)
mocana (14421)
mocana-tap OBJECT IDENTIFIER ::= { mocana 19 }

When the following OIDs are used in an AlgorithmIdentifier, the parameters MUST be present and MUST be NULL:

mocana-tap-rsakey OBJECT IDENTIFIER ::= { mocana-tap 0x01 }
mocana-tap-ecckey OBJECT IDENTIFIER ::= { mocana-tap 0x02 }
mocana-tap-dsakey OBJECT IDENTIFIER ::= { mocana-tap 0x03 }

mocana-tap-rsaProtectedkey OBJECT IDENTIFIER ::= { mocana-tap 0x21 }
mocana-tap-eccProtectedkey OBJECT IDENTIFIER ::= { mocana-tap 0x22 }
mocana-tap-dsaProtectedkey OBJECT IDENTIFIER ::= { mocana-tap 0x23 }

Example definitions:

For RSA keys, the PrivateKey will be an OCTET STRING wrapping data encoded as follows:

MocanaTapRSAPrivateKey ::= SEQUENCE {
  version Version,
  moduleId ModuleId,
  modulus INTEGER,
  publicExponent INTEGER,
  tapPrivateKey TapPrivateKey
}

For ECC keys, the PrivateKey will be an OCTET STRING wrapping data encoded as follows (ECParameters and ECPoint are defined in other standards, such as RFC 5480):

MocanaTapECCPrivateKey ::= SEQUENCE {
  version Version,
  moduleId ModuleId,
  parameters ECParameters,
  publicKey ECPoint,
  tapPrivateKey TapPrivateKey
}

For DSA keys, the PrivateKey will be an OCTET STRING wrapping data encoded as follows (Dss-Parms and DSAPublicKey are defined in other standards, such as RFC 3279):

MocanaTapDSAPrivateKey ::= SEQUENCE {
  version Version,
  moduleId ModuleId,
  parameters Dss-Parms,
  publicKey DSAPublicKey,
  tapPrivateKey TapPrivateKey
}

Version ::= INTEGER { v1(0) } (v1, ...)
ModuleId ::= INTEGER {
  tpm-1-2(1),
  tpm-2-0(2)
} (tpm-1-2, tpm-2-0, ...)
TapPrivateKey ::= OCTET STRING