Certificate command
When run with necessary options, the trustedge certificate command provides functionality for generating asymmetric keypairs, creating Certificate Signing Requests (CSRs), and submitting CSRs to a Certificate Authority (CA) over SCEP to receive x.509 certificates.
Notice
TrustEdge command line does not support Enrollment over Secure Transport (EST) at this time. EST support will be included in a future update.
Before you begin
Before performing any certificate operations using TrustEdge CLI tool, make sure you set up your keystore and Certificate Signing Request (CSR) configuration file..
Check your current working directory. This is where the
keystore
directory will be created.Note
If you need to navigate to a different directory, use the
cd
command.After confirming or changing your working directory, create the necessary
keystore
structure.mkdir -p keystore/{ca,certs,keys,conf,req}
This command will create the keystore directory in your current working directory. It also creates the following subdirectories as specified in the curly brackets:
ca
: Location for CA certificate.certs
: Location for CEP or RA certificate and XCHG certificate.keys
: Generated keys are saved here.conf
: Location for Certificate Signing Request (CSR) configuration file (.cnf).req
: Signed certificate request is saved here.
Use the following command to create the CSR configuration file
sample_csr.cnf
in thekeystore/conf
directory.echo "##Subject countryName=US commonName=iot-device101 stateOrProvinceName=California localityName=San Francisco organizationName=DBA organizationalUnitName=BU ##Requested Extensions hasBasicConstraints=true isCA=true certPathLen=-1 keyUsage=keyEncipherment, digitalSignature, keyCertSign subjectAltNames=2; *.mydomain.com, 2; *.mydomain.net, 2" > keystore/conf/sample_csr.cnf
Tip
To confirm the creation of directories and files, you can use the
ls -l keystore/*
command.
Use cases and examples
To view the available options for the trustedge certificate command, use the following:
trustedge certificate --help
The trustedge certificate
tool allows you to generate software-based private keys that are used to create Certificate Signing Requests (CSRs) and securing communications. In this workflow, you will learn how to generate an RSA or ECC private key, specify the output format, and if needed protect the key with a password.
Step 1: Choose the algorithm and key parameters
Before generating the key, decide on the type of key (--algorithm <key_type>
) and its parameters, such as key size (--size <size>
) for RSA or the curve (--curve <curve>
)for ECC.
For RSA keys: You will need to specify the key size.
trustedge certificate --key-store-path keystore/ --algorithm RSA --size 2048 --output-file RSA_2048.pem
For ECC keys: You need to specify the curve type.
trustedge certificate --key-store-path keystore/ --algorithm ECC --curve P256 --output-file ECC_P256_PRIV.pem
Step 2 (optional): Generate the public key
If you also want to generate the corresponding public key, you can use the --output-pub-file
option to specify the output file for the public key.
For RSA keys:
trustedge certificate --key-store-path keystore/ --algorithm RSA --size 2048 --output-file RSA_2048.pem --output-pub-file RSA_2048_PUB.pem
For ECC keys:
trustedge certificate --key-store-path keystore/ --algorithm ECC --curve P256 --output-file ECC_P256_PRIV.pem --output-pub-file ECC_P256_PUB.pem
Step 3 (optional): Protect the private key with a password
You can enhance the security of your private key by protecting it with a password using the --protect
option. After running the command, you will be prompted to enter a password to protect the private key.
For RSA keys:
trustedge certificate --key-store-path keystore/ --algorithm RSA --size 2048 --protect --output-file RSA_PW_2048.pem
For ECC keys:
trustedge certificate --key-store-path keystore/ --algorithm ECC --curve P256 --protect --output-file ECC_P256_PW.pem
Step 4: Verify the key creation
After generating the key, you can verify that the file was created by listing the contents of the directory:
ls -l keystore/keys/
This command will display the files in the keystore/keys/
directory, including the newly created private key, and public key if generated.
Tip
After generating a private key, you can use it to sign a Certificate Signing Request (CSR). See Create a Signed Certificate Signing Request (CSR).
A signed Certificate Signing Request (CSR) includes information about your organization and public key and is signed with the corresponding private key to ensure its authenticity. The following steps will guide you through generating a CSR using a CSR configuration file and signing it with either an RSA or ECC private key.
Step 1: Prepare the CSR configuration file
If you haven’t already done so, create a CSR configuration file in the
keystore/conf
directory. Use the following command to generate a sample configuration file:echo "##Subject countryName=US commonName=iot-device101 stateOrProvinceName=California localityName=San Francisco organizationName=DBA organizationalUnitName=BU ##Requested Extensions hasBasicConstraints=true isCA=true certPathLen=-1 keyUsage=keyEncipherment, digitalSignature, keyCertSign subjectAltNames=2; *.mydomain.com, 2; *.mydomain.net, 2" > keystore/conf/sample_csr.cnf
This configuration file will be used to create the CSR.
Check the contents of the CSR configuration file to ensure it contains the correct information.
cat keystore/conf/sample_csr.cnf
Step 2: Generate the CSR
Once the CSR configuration file is ready, you can generate the CSR by specifying the configuration file and signing it with a private key.
Important
Make sure your keystore folder contains the private key (RSA_2048.pem
or ECC_P256.pem
) being used to sign the CSR. See Generate a software-based private key.
For an RSA private key:
trustedge certificate --cert-sign-req --output-file CSR_RSA_2048.pem --key-store-path keystore/ --signing-key RSA_2048.pem --csr-conf sample_csr.cnf --digest SHA256
For an ECC private key:
trustedge certificate --cert-sign-req --output-file CSR_ECC_P256.pem --key-store-path keystore/ --signing-key ECC_P256.pem --csr-conf sample_csr.cnf --digest SHA256
Step 3 (optional): Include a signing certificate
If you need to include a signing certificate with your CSR, you can include the --signing-cert
option. Make sure the specified signing certificate filename is located in the keystore/cert
directory.
For RSA keys with a signing certificate:
trustedge certificate --cert-sign-req --output-file CSR_RSA_2048.pem --key-store-path keystore/ --signing-key RSA_2048.pem --signing-cert RSA_CERT_2048.pem --csr-conf sample_csr.cnf --digest SHA256
For ECC keys with a signing certificate:
trustedge certificate --cert-sign-req --output-file CSR_ECC_P256.pem --key-store-path keystore/ --signing-key ECC_P256.pem --signing-cert ECC_CERT_P256.pem --csr-conf sample_csr.cnf --digest SHA256
Step 4: Verify the CSR
After generating the CSR, you can verify that the file was created by listing the contents of the directory:
ls -l keystore/*
This command will display the all directories and files in the keystore/
directory, including the newly created CSR.
x.509 certificates are used to authenticate devices, secure communications, and verify the integrity of data. The following steps will guide you through generating an x.509 certificate as either a self-signed certificate or using a signing key and CA certificate.
Step 1: Prepare the CSR configuration file
Before generating the x.509 certificate, ensure that you have a properly configured CSR configuration file (.cnf). This file contains the necessary details about the subject (such as country, organization, and common name) and key usage, which will be included in the certificate.
If you haven’t already done so, create a CSR configuration file in the
keystore/conf
directory. Use the following command to generate a sample configuration file:echo "##Subject countryName=US commonName=iot-device101 stateOrProvinceName=California localityName=San Francisco organizationName=DBA organizationalUnitName=BU ##Requested Extensions hasBasicConstraints=true isCA=true certPathLen=-1 keyUsage=keyEncipherment, digitalSignature, keyCertSign subjectAltNames=2; *.mydomain.com, 2; *.mydomain.net, 2" > keystore/conf/sample_csr.cnf
Check the contents of the CSR configuration file to ensure it contains the correct information.
cat keystore/conf/sample_csr.cnf
Step 2: Generate the x.509 certificate
Once the CSR configuration file is ready, you can generate the x.509 certificate by specifying the configuration file and using either a self-signed certificate or an existing signing key and certificate.
To generate a self-signed RSA x.509 certificate:
trustedge certificate --key-store-path keystore/ --algorithm RSA --size 2048 --output-file RSA_CERT_2048.pem --csr-conf sample_csr.cnf --x509-cert RSA_CERT_2048.pem --days 365
To generate a self-signed ECC x.509 certificate:
trustedge certificate --key-store-path keystore/ --algorithm ECC --curve P256 --output-file ECC_CERT_P256.pem --csr-conf sample_csr.cnf --x509-cert ECC_CERT_P256.pem --days 365
Tip
To enhance the security of your private key, you can protect it with a password by including the --protect
option with any of the commands above. After running the command, you will be prompted to enter a password to protect the private key.
Step 3: Verify the certificate creation
After generating the x.509 certificate, verify that the file was created correctly by listing the contents of the directory:
ls -l keystore/certs/
This command will display the files in the keystore/certs/
directory, including the newly created x.509 certificate.
Important
TrustEdge CLI tool certificate command can be built for one and only one of the following: TPM2 (default build of TrustEdge), PKCS11 (which can handle multiple PKCS11 providers simultaneously), or TAP REMOTE.
By using the --tap
option with the trustedge certificate
command, you can generate hardware-based private keys using a Trusted Application Platform (TAP). These keys are securely stored in a hardware module, such as a TPM, and are never exposed in software. The below steps will guide you through generating an RSA or ECC private key using a TAP. See TAP/SMP ASN.1 key format for more details.
Note
TAP-based keys are not available for DSA or QS. For HYBRID keys, only the ECC portion can be TAP-based.
Step 1: Choose the algorithm and key parameters
For RSA keys, specify the key size with
--size <size>
and include the--tap
option.trustedge certificate --key-store-path keystore/ --algorithm RSA --size 2048 --tap --output-file RSA_TAP_2048.pem
For ECC keys, specify the curve type with
--curve <curve>
and include the--tap
option.trustedge certificate --key-store-path keystore/ --algorithm ECC --curve P256 --tap --output-file ECC_TAP_P256.pem
Step 2: Configure optional TAP parameters
You can further customize the TAP key generation by specifying additional TAP-related options, such as key usage or signature schemes.
For RSA keys with specific TAP key usage:
trustedge certificate --key-store-path keystore/ --algorithm RSA --size 2048 --tap --tap-key-usage TAP_KEY_USAGE_SIGNING --output-file RSA_TAP_SIGN_2048.pem
For ECC keys with a specific TAP signature scheme:
trustedge certificate --key-store-path keystore/ --algorithm ECC --curve P256 --tap --tap-sig-scheme TAP_SIG_SCHEME_ECDSA_SHA256 --output-file ECC_TAP_SIGN_P256.pem
Tip
To enhance the security of your private key, you can protect it with a password by including the --protect
option with any of the commands above. After running the command, you will be prompted to enter a password to protect the private key.
Step 3: Verify the key creation
After generating the key, verify that the file was created correctly by listing the contents of the directory:
ls -l keystore/keys/
This command will display the files in the keystore/keys/
directory, including the newly created TAP-protected private key.
TAP/SMP ASN.1 key format
This section describes the ASN.1 module for TAP keys. The PrivateKeyInfo structure is defined in PKCS #8 and includes an algorithm identifier and the private key data, which is wrapped in an OCTET STRING.
These are the Object Identifiers (OIDs) used to build the OIDs in this document:
Note
mocana is 1.3.6.1.4.1.14421
mocana OBJECT IDENTIFIER ::= { iso(1) identified-organization(3) dod(6) internet(1) private(4) enterprise(1) mocana (14421) mocana-tap OBJECT IDENTIFIER ::= { mocana 19 }
When the following OIDs are used in an AlgorithmIdentifier, the parameters MUST be present and MUST be NULL:
mocana-tap-rsakey OBJECT IDENTIFIER ::= { mocana-tap 0x01 } mocana-tap-ecckey OBJECT IDENTIFIER ::= { mocana-tap 0x02 } mocana-tap-dsakey OBJECT IDENTIFIER ::= { mocana-tap 0x03 } mocana-tap-rsaProtectedkey OBJECT IDENTIFIER ::= { mocana-tap 0x21 } mocana-tap-eccProtectedkey OBJECT IDENTIFIER ::= { mocana-tap 0x22 } mocana-tap-dsaProtectedkey OBJECT IDENTIFIER ::= { mocana-tap 0x23 }
Example definitions:
For RSA keys, the PrivateKey will be an OCTET STRING wrapping data encoded as follows:
MocanaTapRSAPrivateKey ::= SEQUENCE { version Version, moduleId ModuleId, modulus INTEGER, publicExponent INTEGER, tapPrivateKey TapPrivateKey }
For ECC keys, the PrivateKey will be an OCTET STRING wrapping data encoded as follows (ECParameters and ECPoint are defined in other standards, such as RFC 5480):
MocanaTapECCPrivateKey ::= SEQUENCE { version Version, moduleId ModuleId, parameters ECParameters, publicKey ECPoint, tapPrivateKey TapPrivateKey }
For DSA keys, the PrivateKey will be an OCTET STRING wrapping data encoded as follows (Dss-Parms and DSAPublicKey are defined in other standards, such as RFC 3279):
MocanaTapDSAPrivateKey ::= SEQUENCE { version Version, moduleId ModuleId, parameters Dss-Parms, publicKey DSAPublicKey, tapPrivateKey TapPrivateKey } Version ::= INTEGER { v1(0) } (v1, ...) ModuleId ::= INTEGER { tpm-1-2(1), tpm-2-0(2) } (tpm-1-2, tpm-2-0, ...) TapPrivateKey ::= OCTET STRING