Creating a root Certificate for offline devices

Most modern browsers and devices will not use web features such as configuration websites, status updates over Socket.IO, or WebRTC unless a valid TLS certificate is in place.

For machines with internet access, this can be obtained from Let’s Encrypt or similar, and for Enterprise installations it will be possible for a certificate to be generated by the corporate IT department.

For development purposes, it’s possible to self-sign, using dev-certs or similar.

However, for networked machines that do not belong to a local Domain or Workspace, it is harder to provide certificates that will be seen as valid for multiple devices.

In this case, a Root Authority can be created and installed as a Trusted Root. This Root can sign certificates for additional devices, which will all be trusted because the Root is trusted.

Tools needed

A copy of OpenSSL - for Windows https://slproweb.com/products/Win32OpenSSL.html - Linux and Mac often have this already available.

Step One:

Open a command window (Start > Run > cmd) or Terminal.

Create a Private Key for the new Certificate Authority: openssl genrsa -aes256 -out CertificateAuthority.key 4096

The -aes256 option encrypts the key with a passphrase that you will be asked to enter; keep it safe, as it is needed every time the Certificate Authority signs a certificate.


This will create your Private Key, a new file, named CertificateAuthority.key.

Step Two:

Create a Certificate for the Certificate Authority: openssl req -x509 -new -nodes -key CertificateAuthority.key -sha256 -days 1826 -out CertificateAuthority.crt


Step Three:

Create a Private Key and a Certificate Signing Request (CSR) for the device or server that needs a certificate: openssl req -new -nodes -out LocalDevice.csr -newkey rsa:4096 -keyout LocalDevice.key -subj "/CN=ServerName/C=US/ST=California/L=Carlsbad/O='GSS'"

ServerName should be changed to match the device's name.

We are going to add additional details to the certificate, such as the hostname and IP address, because the browser checks the certificate against the name or address it connected to, and a local device has no public DNS name for it to use otherwise.

Create a new text file and paste in the following:

[ req ]
default_md = sha256
prompt = no
req_extensions = req_ext
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
commonName = RyzenDesktop
countryName = US
stateOrProvinceName = California
localityName = Carlsbad
organizationName = Clear-Com LLC
[ req_ext ]
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = critical,serverAuth,clientAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.0 = localhost
DNS.1 = asus16.local
IP.0 = 127.0.0.1
IP.1 = ::1
IP.2 = 192.168.86.27
IP.3 = fd17:78f:a624:8441:ca1e:1960:4bc0:b65c

Change all names and details to suit your device and save the file as Extended.txt.

If no errors were shown when the Certificate Authority signed the request, there should be a LocalDevice.crt certificate in your directory. Double-click it to inspect it, and make sure that the Subject Alternative Name entries from your text file are present.

Different formats

It is likely that your device will need a different format from .crt. A PFX file can be created as follows: openssl pkcs12 -export -out LocalDevice.pfx -inkey LocalDevice.key -in LocalDevice.crt -certfile CertificateAuthority.crt

You will be prompted for an export password, which protects the private key bundled inside the PFX file.


This will create a PFX file in your directory.
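The following is an added example and not part of the Clear-Com article: a POSIX shell script that runs Steps One to Three and the PFX export end to end, including the CA signing command (openssl x509 -req with Extended.txt as the extensions file) that sits between saving Extended.txt and the appearance of LocalDevice.crt, and then checks the result. The hostname, IP address, organisation, 825-day device-certificate lifetime, PFX password and the unencrypted CA key (no -aes256, so it runs unattended) are assumptions made for this example only.

```shell
# Added example (not Clear-Com's script): CA key + cert, device key + CSR from an
# Extended.txt with SANs, CA signing of the CSR, PFX export, and a chain check.
# Assumes openssl on PATH. Hostname, IP, organisation, 825-day leaf lifetime, PFX
# password and the unencrypted CA key are assumptions so it can run unattended.
set -e
write_extended_cnf() {   # $1 = output path, $2 = device hostname, $3 = device IPv4
  cat > "$1" <<EOF
[ req ]
default_md = sha256
prompt = no
req_extensions = req_ext
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
commonName = $2
organizationName = Example Org
[ req_ext ]
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = critical,serverAuth,clientAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.0 = localhost
DNS.1 = $2
IP.0 = 127.0.0.1
IP.1 = $3
EOF
}
# make_chain DIR HOST IPV4: writes the CA files and the device key/CSR/crt/pfx into DIR
make_chain() {
  d=$1; host=$2; ip=$3
  write_extended_cnf "$d/Extended.txt" "$host" "$ip"
  openssl genrsa -out "$d/CertificateAuthority.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$d/CertificateAuthority.key" -sha256 -days 1826 \
    -subj "/CN=Local Root CA/O=Example Org" -out "$d/CertificateAuthority.crt"
  openssl req -new -nodes -newkey rsa:2048 -keyout "$d/LocalDevice.key" \
    -config "$d/Extended.txt" -out "$d/LocalDevice.csr" 2>/dev/null
  # Signing step (not shown in the article): the CA issues LocalDevice.crt, taking
  # key usage and subjectAltName from the req_ext section of Extended.txt
  openssl x509 -req -in "$d/LocalDevice.csr" -CA "$d/CertificateAuthority.crt" \
    -CAkey "$d/CertificateAuthority.key" -CAcreateserial -days 825 -sha256 \
    -extfile "$d/Extended.txt" -extensions req_ext -out "$d/LocalDevice.crt" 2>/dev/null
  openssl pkcs12 -export -passout pass:changeit -out "$d/LocalDevice.pfx" \
    -inkey "$d/LocalDevice.key" -in "$d/LocalDevice.crt" -certfile "$d/CertificateAuthority.crt"
}
# verify_chain DIR HOST: succeeds only if LocalDevice.crt chains to the CA and lists HOST as a SAN
verify_chain() {
  openssl verify -CAfile "$1/CertificateAuthority.crt" "$1/LocalDevice.crt" >/dev/null &&
    openssl x509 -in "$1/LocalDevice.crt" -noout -text | grep -q "DNS:$2"
}
```

Source the file, then run make_chain ./out asus16.local 192.168.86.27 followed by verify_chain ./out asus16.local; a non-zero exit from verify_chain means the device certificate either does not chain to the CA or is missing the hostname in its Subject Alternative Name.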

Trusting your new root certificate

As it has just been created and chains to no publicly trusted authority, your new CertificateAuthority.crt will only be accepted if it is added to the Trusted Root certificate store of every machine that needs it.

From the command line you can use certutil -addstore "Root" CertificateAuthority.crt, but this must be run as an Administrator.

Another method is to run certmgr.msc or Start > Manage Computer Certificates.

Expand Trusted Root Certification Authorities and right-click on Certificates. Choose All Tasks > Import.


Now you can double-click on your local certificate and see that it is trusted by your computer.


Be very careful with your certificates. Once CertificateAuthority.crt is installed as a Trusted Root, every certificate signed with CertificateAuthority.key will be treated as genuine and trustworthy by every machine that trusts that root, so anyone who obtains the private key and its passphrase can issue certificates those machines will accept. Guard the key and passphrase accordingly.



This solution was provided to you by Clear-Com via a question submitted to us by customers like you. If your question wasn’t answered, you need help or you have a recommended solution for our database, please send us an email at support@clearcom.com

The information on this page is owned by Clear-Com and constitutes Clear-Com's confidential and proprietary information, may be used solely for purposes related to the furtherance of Clear-Com's business and shall not be disclosed, distributed, copied or disseminated without Clear-Com's prior written consent.