
Generate a x.509 certificate

x.509 certificates are used to authenticate devices, secure communications, and verify the integrity of data. The following steps will guide you through generating an x.509 certificate as either a self-signed certificate or using a signing key and CA certificate.

Important

In production environments, always obtain certificates from a trusted CA, such as DigiCert® Device Trust Manager, using a secure enrollment method such as the EST enrollment workflow or the SCEP enrollment workflow. Self-signed certificates should be used for testing only.

Before you begin

Make sure you understand the following:

Step 1: Prepare the CSR configuration file

  1. Create a sample_csr.cnf Certificate Signing Request (CSR) configuration file in the /etc/digicert/keystore/conf directory.

    touch /etc/digicert/keystore/conf/sample_csr.cnf
  2. Add the following sample CSR content to the sample_csr.cnf file.

    ##Subject
    countryName=US
    commonName=iot-device101
    stateOrProvinceName=California
    localityName=San Francisco
    organizationName=DBA
    organizationalUnitName=BU
    ##Requested Extensions
    hasBasicConstraints=true
    isCA=true
    certPathLen=-1
    keyUsage=keyEncipherment, digitalSignature, keyCertSign
    subjectAltNames=2; *.mydomain.com, 2; *.mydomain.net, 2
    
  3. Check the contents of the CSR configuration file to ensure it contains the correct information.

    cat /etc/digicert/keystore/conf/sample_csr.cnf
    
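Before moving on to Step 2, the following is an added example (not part of the Trust Edge documentation) that parses the CSR configuration format used above and flags settings worth reviewing before a certificate is issued: a CA flag that does not match the keyUsage list, an unconstrained path length, and wildcard names. Reading the numeric prefix in subjectAltNames as the GeneralName tag (2 = dNSName) is an assumption.

```python
"""Lint a Trust Edge style CSR configuration before running trustedge certificate.
Added example, not from the Trust Edge docs; reading the numeric prefix in
subjectAltNames as the GeneralName tag (2 = dNSName) is an assumption."""
import re
# Constructed sample: the CSR configuration shown in Step 1.
SAMPLE_CNF = """\
##Subject
countryName=US
commonName=iot-device101
stateOrProvinceName=California
localityName=San Francisco
organizationName=DBA
organizationalUnitName=BU
##Requested Extensions
hasBasicConstraints=true
isCA=true
certPathLen=-1
keyUsage=keyEncipherment, digitalSignature, keyCertSign
subjectAltNames=2; *.mydomain.com, 2; *.mydomain.net, 2
"""

def parse_csr_conf(text):
    """Return {key: value}; '#' comment lines and blanks are ignored."""
    conf = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def key_usages(conf):
    return [u.strip() for u in conf.get("keyUsage", "").split(",") if u.strip()]

def subject_alt_names(conf):
    # "2; a.example, 2; b.example, 2" -> [("DNS", "a.example"), ("DNS", "b.example")]
    pairs = re.findall(r"(\d+)\s*;\s*([^,]+)", conf.get("subjectAltNames", ""))
    return [("DNS" if tag == "2" else tag, name.strip()) for tag, name in pairs]

def lint(conf):
    """Return findings to resolve before the configuration is used for signing."""
    usages, is_ca = key_usages(conf), conf.get("isCA", "false").lower() == "true"
    findings = []
    if is_ca and "keyCertSign" not in usages:
        findings.append("isCA=true but keyUsage lacks keyCertSign")
    if not is_ca and "keyCertSign" in usages:
        findings.append("keyCertSign granted to a non-CA certificate")
    if is_ca and conf.get("certPathLen") == "-1":
        findings.append("unconstrained CA (certPathLen=-1); confirm this is intended")
    findings += [f"wildcard SAN {n}" for _, n in subject_alt_names(conf) if n.startswith("*.")]
    return findings
```

Run `lint(parse_csr_conf(open("/etc/digicert/keystore/conf/sample_csr.cnf").read()))` against your own file; an empty list means none of the checks fired.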

Step 2: Generate the x.509 certificate

Once the CSR configuration file is ready, you can generate the x.509 certificate by specifying the configuration file and using either a self-signed certificate or an existing signing key and certificate.

  1. To generate a self-signed RSA x.509 certificate:

    trustedge certificate --algorithm RSA --size 2048 --output-file RSA_CERT_2048.pem --csr-conf sample_csr.cnf --x509-cert RSA_CERT_2048.pem --days 365
    
  2. To generate a self-signed ECC x.509 certificate:

    trustedge certificate --algorithm ECC --curve P256 --output-file ECC_CERT_P256.pem --csr-conf sample_csr.cnf --x509-cert ECC_CERT_P256.pem --days 365
    

Tip

To enhance the security of your private key, you can protect it with a password by including the --protect option with any of the commands above. After running the command, you will be prompted to enter a password to protect the private key.

Step 3: Verify the certificate creation

After generating the x.509 certificate, verify that the file was created correctly by using the --print-cert option:

trustedge certificate --print-cert /etc/digicert/keystore/certs/ECC_CERT_P256.pem

This command displays the newly created x.509 certificate in a readable format.