Creating a certificate and key

How to create a *.pem-file

There are many ways to create a key and a certificate.  One convenient option is provided by the freeware tool X Certificate and Key Management.  In addition to creating valid certificates, this tool also offers options for creating necessary keys at the same time. The created files can then be exported in the correct format. Furthermore, this tool comes with a small database that can be used to manage all keys and certificates in a clear and concise manner:

• Easy handling
• Fast key and certificate creation (administration)
• This tool is available for Windows, Apple and Linux.

Download and Installation

The tool is available via several download sources, a good and clear download is provided by the developer themselves:

https://hohnstaedt.de/xca/

Please note that download links may change over time and need to be adjusted accordingly.
The setup file contains an installer that guides you through the installation process. Furthermore, this tutorial is based on version 2.4.0! Later versions may differ – keep in mind that you may need to adapt your settings.

Creating a Database
This is optional: If you need a one-time self-signed certificate on site, you may choose to skip this step. However, if you would like to generate further certificates at a later date, then it is recommended that you briefly create a local database in which your keys and certificates are stored:

As the next step, start the tool and select “Open Database” and select the database you want to use to generate new certificates and keys. This will help in case of complex key / certificate setups.

Note: Shall I set a database password?

The tool will ask whether the database should be secured by a password in order to protect against it unauthorized access. This does not harm or effect the keys and certificates created with the tool!

When running the program after installation, it is simply empty, which means there are no sample files to look at first. So open the tab "Certificates" and click on "New Certificate."

This will trigger a configuration dialogue that will help you to create a self-signed certificate. This tutorial will show you how to use the basic settings needed for CS141. If more or other features are required, please refer to your local system administrator.

Settings at Source:

At Signing, please select „Create a self signed certificate“

Remember to check whether the default EMPTY TEMPLATE is also active:

Ignore all other settings; the software works perfectly out of the box.

Settings at Subject:

At the tab "Subject", you need to do some configuration work to personalize your certificate.

Internal Name:

This entry is for internal use only. If a database is available, the tool safe this name and  show this at the main window.

Distinguished name

Personalize your certificate by filling up the fields. Keep in mind, for a host certificate, the "commonName" must be the FQDN (Full Qualified Domain Name) you want to use the certificate for.

Generate or choose the key fort Key for your certificate

Either select the key you want to use, or - if you have not yet generated a key - click on "Generate a new key" to make it so:

Click on "Create" to build the key. It should now be automatically selected at “Private Key”:

Settings at Extentions:

For this tutorial, the only setting you need to change, is „Validity”: This configuration determines how long your certificate will be valid and can be used. As a standard, devices can be configured to reject invalid certificates. Adapt the time settings to fit to your IT security guidelines.

Create the certificate:

This is quite simple: If the configuration is done, simply click OK to generate the certificate. Since there are no further optional extensions added to the certificate, the tool will ask you to verify that the certificate will be carried out correct.

Since we know, it is correct in this case, click Continue rollout and move on:

The certificate will appear at “Certificates” and ready to use.

Export the certificate

Now, the recently created certificate should appear in the Certificates tab.
To export the certificate:

1. Select the certificate from the list.

2. Click Export.

3. In the export dialog, choose PEM + Key (*.pem) as the export format.

4. Rename the exported file to server.pem – this is the required file name for the CS141.

Check the server.pem

Open the PEM file with a simple text editor. It should look like this:

Note: Can I use another tool than this one?
Yes, you can! The tool presented is merely an example to show and explain how to create a basic pem-file. For more functions and options that your IT infrastructure may require, please refer to your local administrator.

Uploading the certificate to the CS141

Open the web interface of the CS141:

Then go to Services > Webserver

Drag and drop the file server.pem into the appropriate upload box and click Upload.
After the upload, the CS141 must be rebooted to import and activate the certificate. Go to System > Tools and click Reboot. Since the UPS is a completely separate device, this button restarts only the CS141.

After the reboot, you can verify the installation by testing it with:

http://<your IP-Address>

https://<your IP-Address>

If both URLs are accessible and work as expected, you may enable explicit HTTPS encryption by selecting Force HTTPS.