Generate an x.509 certificate
x.509 certificates are used to authenticate devices, secure communications, and verify the integrity of data. The following steps will guide you through generating an x.509 certificate as either a self-signed certificate or using a signing key and CA certificate.
Step 1: Prepare the CSR configuration file
If you haven’t already done so, create a CSR configuration file in the /etc/digicert/keystore directory. Check the contents of the CSR configuration file to ensure it contains the correct information.
cat /etc/digicert/keystore/sample_csr.cnf
Step 2: Generate the x.509 certificate
Once the CSR configuration file is ready, you can generate the x.509 certificate by specifying the configuration file and using either a self-signed certificate or an existing signing key and certificate.
To generate a self-signed RSA x.509 certificate:
trustedge certificate --algorithm RSA --size 2048 --output-file RSA_CERT_2048.pem --csr-conf sample_csr.cnf --x509-cert RSA_CERT_2048.pem --days 365
To generate a self-signed ECC x.509 certificate:
trustedge certificate --algorithm ECC --curve P256 --output-file ECC_CERT_P256.pem --csr-conf sample_csr.cnf --x509-cert ECC_CERT_P256.pem --days 365
Tip
To enhance the security of your private key, you can protect it with a password by including the --protect option with any of the commands above. After running the command, you will be prompted to enter a password to protect the private key.
Step 3: Verify the certificate creation
After generating the x.509 certificate, verify that the file was created correctly by listing the contents of the directory:
ls -l /etc/digicert/keystore/certs/
This command will display the files in the keystore/certs/ directory, including the newly created x.509 certificate.
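Listing the directory only shows that a file exists. The following added example (not part of the original page or of TrustEdge) uses the OpenSSL command line to check that the file parses as a certificate, is self-signed, has the requested key size, and stays valid long enough. It assumes openssl is installed and that the certificate sits under keystore/certs/ with the file name used in Step 2.

```shell
#!/bin/sh
# Added example: sanity-check a generated self-signed certificate with OpenSSL.
# Usage (the path is an assumption based on the keystore/certs/ directory above):
#   check_cert /etc/digicert/keystore/certs/RSA_CERT_2048.pem 2048 30
# Exit codes: 0 ok, 1 not a certificate, 2 not self-signed,
#             3 unexpected key size, 4 expires too soon.
check_cert() {
    cert=$1; bits=$2; min_days=$3

    # 1. The file must parse as a PEM X.509 certificate.
    openssl x509 -in "$cert" -noout 2>/dev/null ||
        { echo "FAIL: $cert is not a PEM certificate" >&2; return 1; }

    # 2. Self-signed: subject and issuer names match, and the signature
    #    verifies when the certificate is used as its own trust anchor.
    s=$(openssl x509 -in "$cert" -noout -subject_hash)
    i=$(openssl x509 -in "$cert" -noout -issuer_hash)
    [ "$s" = "$i" ] && openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: not self-signed (or chain check failed)" >&2; return 2; }

    # 3. Public key size matches what was requested (2048 for the RSA
    #    command above, 256 for the P256 curve).
    openssl x509 -in "$cert" -noout -pubkey |
        openssl pkey -pubin -noout -text |
        grep -qF "Public-Key: ($bits bit)" ||
        { echo "FAIL: public key is not $bits bits" >&2; return 3; }

    # 4. The certificate must still be valid min_days from now.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null ||
        { echo "FAIL: expires within $min_days days" >&2; return 4; }

    echo "OK: $cert"
}

# Run the check when the script is called with arguments.
if [ "$#" -ge 3 ]; then
    check_cert "$@"
fi
```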