Generate an x.509 certificate
x.509 certificates are used to authenticate devices, secure communications, and verify the integrity of data. The following steps will guide you through generating an x.509 certificate as either a self-signed certificate or using a signing key and CA certificate.
Important
In production environments, always obtain certificates from a trusted CA, such as DigiCert® Device Trust Manager, using a secure enrollment method, for example the EST enrollment workflow or the SCEP enrollment workflow. Self‑signed certificates should be used for testing only.
Before you begin
Make sure you understand the following:
Step 1: Prepare the CSR configuration file
Create a sample_csr.cnf Certificate Signing Request (CSR) configuration file in the /etc/digicert/keystore/conf directory.
touch /etc/digicert/keystore/conf/sample_csr.cnf
Add the following sample CSR content to the sample_csr.cnf file.
##Subject
countryName=US
commonName=iot-device101
stateOrProvinceName=California
localityName=San Francisco
organizationName=DBA
organizationalUnitName=BU
##Requested Extensions
hasBasicConstraints=true
isCA=true
certPathLen=-1
keyUsage=keyEncipherment, digitalSignature, keyCertSign
subjectAltNames=2; *.mydomain.com, 2; *.mydomain.net, 2
Check the contents of the CSR configuration file to ensure it contains the correct information.
cat /etc/digicert/keystore/conf/sample_csr.cnf
Step 2: Generate the x.509 certificate
Once the CSR configuration file is ready, you can generate the x.509 certificate by specifying the configuration file and using either a self-signed certificate or an existing signing key and certificate.
To generate a self-signed RSA x.509 certificate:
trustedge certificate --algorithm RSA --size 2048 --output-file RSA_CERT_2048.pem --csr-conf sample_csr.cnf --x509-cert RSA_CERT_2048.pem --days 365
To generate a self-signed ECC x.509 certificate:
trustedge certificate --algorithm ECC --curve P256 --output-file ECC_CERT_P256.pem --csr-conf sample_csr.cnf --x509-cert ECC_CERT_P256.pem --days 365
Tip
To enhance the security of your private key, you can protect it with a password by including the --protect option with any of the commands above. After running the command, you will be prompted to enter a password to protect the private key.
Step 3: Verify the certificate creation
After generating the x.509 certificate, verify that the file was created correctly by using the --print-cert option:
trustedge certificate --print-cert /etc/digicert/keystore/certs/ECC_CERT_P256.pem
This command displays the newly created x.509 certificate in a readable format.