Skip to content

Certificate Management Using OpenSSL

The UIP system should be configured with a server certificate so that clients can establish a trusted and secure connection to it.

Important

Certificates issued by widely-trusted certificate authorities expire after 397 days (13 months) so they must be updated annually. Administrators should include this in their annual maintenance planning for the UIP system.

Ideally a server certificate should be purchased from a commercial vendor that controls a widely-trusted root certificate authority (CA). If this is done most UIP clients will trust the server certificate by default. This is the recommend method for obtaining a server certificate.

Some organizations may prefer to use their own in-house certificate authority service. In this case a certificate signing request is typically sent to an organization's IT department and they will create a certificate that is signed using their own private root CA. If this is done it may be necessary to install the applicable root CA certificate on some UIP clients.

If it is not practical to obtain a server certificate from an existing CA the final option is to create a new self-signed root CA certificate and then use the new CA to create a server certificate. If this is done extra steps will be needed to distribute the new self-signed root CA to all UIP client machines. This is the most complex method for configuring secure client access to UIP.

Important

The example commands provided below are provided as a reference and not intended to be used as-written in production environments. They are intended to be executed on an Ubuntu server such as the UIP host machine. Always consult with the applicable organization's IT department and follow their recommendations for securing web servers for HTTPS/TLS.

How to create root CA private key and certificate

The following commands will create a root CA which can be used to create server certificates. The generated "rootca.crt" CA certificate file should be installed into the trusted root certificate authorities of any client machine that needs to trust certificates authored by this root CA. The generated "rootca.key" private key file should be kept in a secure location. It will be needed each time you need to create or renew server certificates using this root CA.

openssl genrsa -out "rootca.key" -des3 4096

openssl req -new -out "rootca.crt" -key "rootca.key" -x509 -nodes -sha256 -days 1825

How to create server private key and certificate signing request

The following commands will create a certificate signing request (CSR). In this example we request a certificate that will be valid for multiple subject alternative name (SAN/subjectAltName) values.

openssl genrsa -out "server.key" 4096

openssl req -new -out "server.csr" -key "server.key" -config <(printf "[req] \n prompt=no \n utf8=yes \n distinguished_name=dn_details \n req_extensions=san_details \n [dn_details] \n C=Your Country \n ST=Your State \n L=Your Locality \n O=Your Organization \n OU=Your Organizational Unit \n CN=Your Server Common Name \n [san_details] \n subjectAltName=DNS:Your.DNS.Name,IP:1.1.1.1,IP:2.2.2.2")

The common name (CN=) in the CSR [dn_details] section must be different than the common name used in your CA certificate. The generated "server.csr" can be sent to a CA and they will use it to generate a server certificate file for you. The generated "server.key" private key file should be kept in a secure location. It will be needed to be imported into the UIP Administration > Client Access page along with the server certificate file and any intermediate CA files sent to you from the CA.

How to generate server certificate using CSR and self-signed CA

The following commands will create a server certificate that is authored by your self-signed root CA.

openssl x509 -req -out "server.crt" -in "server.csr" -CA "rootca.crt" -CAkey "rootca.key" -CAcreateserial -sha256 -days 390 -extfile <(printf "authorityKeyIdentifier=keyid,issuer \n basicConstraints=CA:FALSE \n keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment \n subjectAltName=DNS:Your.DNS.Name,IP:1.1.1.1,IP:2.2.2.2")

The generated "server.crt" will be imported into the UIP Administration > Client Access page along with the server private key that was used to generate to CSR.

  • Client Access - secure client connections to the system

  • Trusted CA - allow the system to securely connect to external services