Generate a x.509 certificate

x.509 certificates are used to authenticate devices, secure communications, and verify the integrity of data. The following steps will guide you through generating an x.509 certificate as either a self-signed certificate or using a signing key and CA certificate.

Important

In production environments, always obtain certificates from a trusted CA, such as DigiCert® Device Trust Manager, using a secure enrollment method. For example, EST enrollment workflow or SCEP enrollment workflow. Self‑signed certificates should be used for testing only.

Before you begin

Make sure you understand the following:

TrustEdge must be installed on a supported device.
The user running TrustEdge CLI commands must be a member of the trustedge group.
- Use groups "$(whoami)" to see group membership.
- Use sudo adduser "$(whoami)" trustedge to add your user to the trustedge group.
You have an understanding of TrustEdge keystore directory and permissions.

Step 1: Prepare the CSR configuration file

Create a sample_csr.cnf Certificate Signing Request (CSR) configuration file in the /etc/digicert/keystoreconf directory.
```
touch /etc/digicert/keystore/conf/sample_csr.cnf
```

Add the following sample CSR content to the sample_csr.cnf file.

##Subject
countryName=US
commonName=iot-device101
stateOrProvinceName=California
localityName=San Francisco
organizationName=DBA
organizationalUnitName=BU
##Requested Extensions
hasBasicConstraints=true
isCA=true
certPathLen=-1
keyUsage=keyEncipherment, digitalSignature, keyCertSign
subjectAltNames=2; *.mydomain.com, 2; *.mydomain.net, 2

Check the contents of the CSR configuration file to ensure it contains the correct information.
```
cat /etc/digicert/keystore/sample_csr.cnf
```

Step 2: Generate the x.509 certificate

Once the CSR configuration file is ready, you can generate the x.509 certificate by specifying the configuration file and using either a self-signed certificate or an existing signing key and certificate.

To generate a self-signed RSA x.509 certificate:

trustedge certificate --algorithm RSA --size 2048 --output-file RSA_CERT_2048.pem --csr-conf sample_csr.cnf --x509-cert RSA_CERT_2048.pem --days 365

To generate a self-signed ECC x.509 certificate:

trustedge certificate --algorithm ECC --curve P256 --output-file ECC_CERT_P256.pem --csr-conf sample_csr.cnf --x509-cert ECC_CERT_P256.pem --days 365

Tip

To enhance the security of your private key, you can protect it with a password by including the --protect option with any of the commands above. After running the command, you will be prompted to enter a password to protect the private key.

Step 3: Verify the certificate creation

After generating the x.509 certificate, verify that the file was created correctly by using the --print-cert option:

trustedge certificate --print-cert /etc/digicert/keystore/certs/ECC_CERT_P256.pem

This command will display newly created x.509 certificate in a readable format.

In this section: