
Generate an x.509 certificate

x.509 certificates are used to authenticate devices, secure communications, and verify the integrity of data. The following steps guide you through generating an x.509 certificate, either as a self-signed certificate or signed with a signing key and CA certificate.

Step 1: Prepare the CSR configuration file

  1. If you haven’t already done so, create a CSR configuration file in the /etc/digicert/keystore directory.

  2. Check the contents of the CSR configuration file to ensure it contains the correct information.

    cat /etc/digicert/keystore/sample_csr.cnf
    

Step 2: Generate the x.509 certificate

Once the CSR configuration file is ready, you can generate the x.509 certificate by specifying the configuration file and using either a self-signed certificate or an existing signing key and certificate.

  1. To generate a self-signed RSA x.509 certificate:

    trustedge certificate --algorithm RSA --size 2048 --output-file RSA_CERT_2048.pem --csr-conf sample_csr.cnf --x509-cert RSA_CERT_2048.pem --days 365
    
  2. To generate a self-signed ECC x.509 certificate:

    trustedge certificate --algorithm ECC --curve P256 --output-file ECC_CERT_P256.pem --csr-conf sample_csr.cnf --x509-cert ECC_CERT_P256.pem --days 365
    

Tip

To enhance the security of your private key, you can protect it with a password by including the --protect option with any of the commands above. After running the command, you will be prompted to enter a password to protect the private key.

Step 3: Verify the certificate creation

After generating the x.509 certificate, verify that the file was created correctly by listing the contents of the directory:

    ls -l /etc/digicert/keystore/certs/

This command will display the files in the keystore/certs/ directory, including the newly created x.509 certificate.
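A directory listing only confirms that a file exists. The following added example (not part of the original page or of DigiCert tooling) checks that the file parses as a certificate, is self-signed, and expires within the `--days` value you requested. It assumes the OpenSSL command-line tool is installed; the function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example (not DigiCert tooling). Assumes the OpenSSL CLI is installed.

# Print the public-key algorithm and size, e.g. "rsaEncryption 2048".
cert_key_info() {
    openssl x509 -in "$1" -noout -text | awk '
        /Public Key Algorithm:/ { alg = $NF }
        /Public-Key: \(/        { gsub(/[^0-9]/, ""); bits = $0 }
        END                     { print alg, bits }'
}

# check_cert FILE DAYS
# Returns 0 if FILE is a PEM x.509 certificate that is self-signed, not yet
# expired, and expires no later than DAYS days from now (one day of slack).
# Returns 1 = not a certificate, 2 = not self-signed, 3 = validity problem.
check_cert() {
    cert=$1 days=$2
    openssl x509 -in "$cert" -noout 2>/dev/null ||
        { echo "not a PEM certificate: $cert" >&2; return 1; }

    # Self-signed means issuer == subject and the signature verifies
    # against the certificate's own public key.
    subject=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer= *//')
    [ "$subject" = "$issuer" ] ||
        { echo "issuer differs from subject" >&2; return 2; }
    openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1 ||
        { echo "self-signature does not verify" >&2; return 2; }

    # -checkend N exits 0 when the certificate is still valid N seconds from now.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "certificate already expired" >&2; return 3; }
    if openssl x509 -in "$cert" -noout -checkend $(( (days + 1) * 86400 )) >/dev/null
    then
        echo "validity exceeds requested $days days" >&2; return 3
    fi
    echo "OK: $subject [$(cert_key_info "$cert")]"
}

# Usage: sh check_cert.sh FILE DAYS   (script name is hypothetical)
if [ $# -eq 2 ]; then check_cert "$1" "$2"; fi
```

Compare the reported key algorithm and size against the `--algorithm` and `--size` or `--curve` values used in Step 2.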