Generating Your Own SSL Certificates

SR and SC Series NTP Servers Help and Support: Generating Your Own SSL Certificates
Models that this article applies to:

SR Series: SR9210, SR9750, SR9850, SR9860D
SC Series: SC9205, SC9705

Summary

How to generate and create a self-signed Secure Sockets Layer (SSL) certificate for the SR and SC series NTP servers.

Tips

There are two common ways to obtain an SSL certificate for the unit:

1. Pay a third party to issue one. Commercial certificate authorities such as VeriSign and Thawte will generate and sell you a certificate for your own use. Note that such a certificate is CA-signed rather than self-signed; the remainder of this article covers the self-signed case.

2. Download and install OpenSSL, an open-source toolkit, and generate your own self-signed certificate. OpenSSL is licensed under an Apache-style licence, which means that you are free to get and use it for commercial or non-commercial purposes subject to some simple licence conditions. OpenSSL can be obtained for both Linux and Windows platforms. For further information on the OpenSSL project please see: https://www.openssl.org

The SR and SC series require a single concatenated PEM file (.pem) containing the unencrypted private key followed by the certificate. This file should be uploaded, using FTP or SCP, to the time server's ‘/tmp/admin’ directory.

To create a certificate yourself, using the openssl tool, follow this procedure:

1. Create the key and certificate request. With no key options given, openssl generates a new RSA private key, writes it to privkey.pem in the current directory, and writes the request to cert.csr:
openssl req -new > cert.csr

Complete requested fields with your information, eg:

Country Name (2 letter ISO code): GB
State/Province: Staffs
Locality Name: Wombourne
Organization Name: TimeTools
Organization Unit Name: Press enter to leave blank.
Common Name: 192.168.0.240
Email Address: info@timetools.co.uk
A Challenge Password: Press enter to leave blank.
Optional company name: TimeTools

IMPORTANT: The requested “Common Name:” is the IP address of the NTP server without any prefix or suffix (eg. 192.168.0.240). Be aware that a self-signed certificate will still produce a browser warning until it is explicitly trusted, and that current browsers (Chrome, for example) do not match the host against the Common Name at all: they require a subjectAltName extension containing the address (IP:192.168.0.240), which the plain steps below do not add. The unit itself accepts the certificate either way.

2. Remove the pass phrase from the key:

openssl rsa -in privkey.pem -out key.pem

IMPORTANT: If you upload a key that is protected by a pass phrase, the HTTPS daemon will not start (there is nobody to enter the pass phrase at boot) and correct operation of the unit will be prevented. Older OpenSSL versions prompt for a pass phrase in step 1 unless you pass -nodes, so always perform this step.

3. Convert the certificate request into a signed certificate:
openssl x509 -in cert.csr -out cert.pem -req -signkey key.pem -days 365

At this point four files exist: cert.pem, key.pem, cert.csr and privkey.pem. The files you need are cert.pem and key.pem; you can disregard and delete the cert.csr and privkey.pem files.

4. Concatenate the key.pem and cert.pem files, private key first, into a new file https.pem. It should look something like this (depending on your OpenSSL version the key block may instead be headed “BEGIN RSA PRIVATE KEY”):

-----BEGIN PRIVATE KEY-----
#### base64-encoded private key ####
#### base64-encoded private key ####
#### base64-encoded private key ####
#### base64-encoded private key ####
-----END PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
#### base64-encoded certificate ####
#### base64-encoded certificate ####
#### base64-encoded certificate ####
#### base64-encoded certificate ####
-----END CERTIFICATE-----
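The four steps above, run non-interactively and followed by a pre-upload check, as an added example; this is not TimeTools' own tooling and not code from the original article. It assumes OpenSSL 1.1.1 or later on the administrator's workstation, reuses the article's placeholder subject values and address 192.168.0.240, and goes one step beyond the article by adding a subjectAltName entry for the IP so that modern browsers can match the host. The check function refuses a file that would break the unit's HTTPS daemon (pass-phrase-protected key) or that was concatenated from a mismatched key and certificate.

```shell
#!/bin/sh
# Added example (not TimeTools' own tooling): builds the concatenated https.pem
# for an SR/SC unit and verifies it before upload.
# Assumptions: OpenSSL 1.1.1+ on the admin workstation; the subject values and
# the address 192.168.0.240 are the same placeholders the article uses.
set -eu

# make_https_pem <unit-ip> <output-dir>
# Leaves key.pem, cert.pem and https.pem (key first, certificate second) in <output-dir>.
make_https_pem() {
    ip="$1"; dir="$2"
    mkdir -p "$dir"
    # Step 1, non-interactive: RSA key plus CSR. -subj replaces the prompts and
    # -nodes leaves the key unencrypted, which is what the unit requires.
    # The CN is the bare IP, exactly as the article says.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/privkey.pem" -out "$dir/cert.csr" \
        -subj "/C=GB/ST=Staffs/L=Wombourne/O=TimeTools/CN=$ip/emailAddress=info@timetools.co.uk" \
        >/dev/null 2>&1
    # Step 2: rewrite the key without a pass phrase (harmless if it already has none).
    openssl rsa -in "$dir/privkey.pem" -out "$dir/key.pem" >/dev/null 2>&1
    # Step 3: self-sign for one year. The subjectAltName extension is an addition
    # of this example (not in the article); browsers match the host against it.
    printf 'subjectAltName=IP:%s\n' "$ip" > "$dir/san.cnf"
    openssl x509 -req -in "$dir/cert.csr" -signkey "$dir/key.pem" -days 365 \
        -extfile "$dir/san.cnf" -out "$dir/cert.pem" >/dev/null 2>&1
    # Step 4: concatenate, private key block first, then the certificate.
    cat "$dir/key.pem" "$dir/cert.pem" > "$dir/https.pem"
    rm -f "$dir/cert.csr" "$dir/privkey.pem" "$dir/san.cnf"
}

# check_https_pem <unit-ip> <https.pem>
# Returns 0 only if the file is safe to 'savecert' on the unit: the key carries
# no pass phrase, key and certificate belong together, and the certificate
# names the unit's IP in subjectAltName.
check_https_pem() {
    ip="$1"; pem="$2"
    # An encrypted key (PKCS#1 "Proc-Type: 4,ENCRYPTED" header or a PKCS#8
    # "ENCRYPTED PRIVATE KEY" block) would stop the HTTPS daemon from starting.
    if grep -q 'ENCRYPTED' "$pem"; then
        echo "key is pass-phrase protected" >&2; return 1
    fi
    # An empty -passin makes a still-encrypted key fail instead of prompting.
    openssl rsa -in "$pem" -noout -passin pass: >/dev/null 2>&1 \
        || { echo "private key unreadable" >&2; return 1; }
    # The RSA modulus must be identical in the key and the certificate.
    kmod=$(openssl rsa -in "$pem" -noout -modulus -passin pass: 2>/dev/null)
    cmod=$(openssl x509 -in "$pem" -noout -modulus 2>/dev/null)
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ] \
        || { echo "key and certificate do not match" >&2; return 1; }
    # The SAN must carry the address the browser will connect to.
    openssl x509 -in "$pem" -noout -text 2>/dev/null | grep -q "IP Address:$ip" \
        || { echo "certificate does not name $ip in subjectAltName" >&2; return 1; }
    return 0
}

# Usage: build, verify, then upload ./sr-cert/https.pem to the unit's /tmp/admin
# directory and run 'savecert https.pem' on the unit.
# make_https_pem 192.168.0.240 ./sr-cert && check_https_pem 192.168.0.240 ./sr-cert/https.pem
```

Run the check before every upload: the unit gives no useful diagnostic when the HTTPS daemon fails to start, and a mismatched or encrypted key is by far the most common cause.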

The certificate file then needs to be uploaded to the NTP server and saved to flash so that it is stored when the unit is powered-down.

Using FTP or SCP, upload the certificate file (eg https.pem) to the SR/SC series “/tmp/admin” directory.

From a telnet session, use the ‘savecert <filename.pem>’ command, where <filename.pem> is the file name of your concatenated certificate file (eg https.pem). This copies the specified .pem file to flash for use by SSL. Note that telnet sends your login credentials in clear text; use an SSH session for this step where the unit offers one.

If required, the certificate file can be removed and replaced by the default certificate using ‘savecert -remove’.
