SSL Certificate Generation Application using a Self-Signed Certificate Authority Certificate
Overview
The simple auto-generate self-signed certificate example is the most common method used for most applications. This example provides advanced users with a demonstration of how to write their own onboard certificate generation function. including signing the generated certificate with a compiled in Certificate Authority certificate. To understand how to generate Certificate Authority certificate as well as how to compile it into your program, please see our documentation on creating self-signed certificates, found in the Programmers Guide and other SSL examples.
If you generate your own Certificate Authority (CA) for any network device you must accept responsibility for the security of the CA certificate. If a malicious party obtains your CA from the device or any other means, they will be able to use it to create their own "trusted" certificate and access your devices. This may be less of an issue if you are operating on a closed/private network, rather than devices on the Internet.
- Note
- This example demonstrates advanced certificate generation techniques beyond the simple self-signed approach. It requires familiarity with the wolfSSL API for full customization. Refer to the NetBurner Programmer's Guide for additional details on Certificate Authority creation and compilation.
Features
- Automatic Certificate Generation: Creates self-signed SSL certificates with ECC keys
- Certificate Authority Support: Signs certificates with a compiled-in Certificate Authority
- Interactive Menu System: Command-line interface for certificate management
- Time Synchronization: NTP-based time setting with manual fallback
- Certificate Validation: Checks certificate validity and expiration status
- Web Server Integration: Supports both HTTP and HTTPS connections
- Configurable Parameters: Customizable certificate attributes (country, state, organization, etc.)
Application Components
Main Application (main.cpp)
The core application provides:
- Interactive menu for certificate operations
- System time configuration
- HTTP/HTTPS web server startup
- Certificate creation and validation workflows
Certificate Generation (CertGen.cpp)
Custom certificate generation implementation that:
- Creates ECC private keys with configurable key sizes
- Generates certificates signed by a compiled Certificate Authority
- Supports various ECC curves (secp256r1, secp384r1, secp521r1, etc.)
- Implements proper error handling and cleanup
- Stores certificates and keys in device flash memory
Certificate Authority (CaCrt.cpp)
Contains a compiled-in Certificate Authority certificate for signing generated certificates. This CA is embedded as a byte array in the application.
Time Utilities (TimeUtil.cpp/TimeUtil.h)
Provides comprehensive time management:
- NTP synchronization with fallback to manual entry
- Time zone configuration with automatic daylight savings
- System time display and formatting functions
Security Considerations
Important**: When using a custom Certificate Authority, you must secure the CA certificate. If compromised, an attacker could create trusted certificates to access your devices. This risk is reduced in closed/private networks compared to Internet-facing deployments.
Interactive Menu Options
- Check Certificate Expiration - Verify if the current certificate is expired
- Show Certificate Expiration - Display the certificate expiration date
- Generate New Certificate - Create a new certificate/key pair
- Erase Certificate - Remove existing certificates (requires reboot)
- Display System Time - Show current system time and date
- Reboot - Restart the device
Certificate Configuration
Default certificate attributes can be customized in the GetDataForCertGen() function:
- Country: US
- State: CA (California)
- Locality: San Diego
- Organization: NetBurner
- Unit: CodeDemo
- Email: Sales.nosp@m.@Net.nosp@m.Burne.nosp@m.r.co.nosp@m.m
- Common Name: MyNetburner
- Validity Period: 1 year
- Alternative Names: Device IP address (both as IP and DNS entry)
Key Features
ECC Key Generation
- Supports multiple ECC curves based on
DEFAULT_KEY_TYPE
- Key sizes: 24-66 bytes depending on curve selection
- Hardware random number generation on supported platforms
- Secure key storage in device flash memory
Certificate Signing
- Uses compiled Certificate Authority for signing
- SHA256 with RSA signature algorithm
- Proper ASN.1 DER encoding
- Alternative names support for IP and DNS entries
Time Management
- Automatic NTP synchronization from pool.ntp.org
- Manual time entry fallback if NTP fails
- Time zone support with daylight savings calculation
- Minimum time validation for certificate generation
Web Server Access
Once running, the device can be accessed via:
- HTTP:
http://[device-ip]
- HTTPS:
https://[device-ip]
- Configuration:
http://[device-ip]:20034 or https://[device-ip]:20034
- Discovery service: discover.netburner.com (if Internet access available)
Build Requirements
- NetBurner NNDK (NetBurner Network Development Kit)
- wolfSSL cryptographic library
- Compatible NetBurner hardware platform (MODM7AE70 recommended for hardware RNG)
Usage Notes
- Random Number Generation: The application waits for valid entropy before generating keys. Network traffic helps build entropy on Coldfire platforms.
- System Time: Accurate time is required for certificate generation and validation. The application attempts NTP synchronization first, then falls back to manual entry.
- Memory Management: The application uses dynamic memory allocation for cryptographic operations and implements proper cleanup on errors.
- Certificate Storage: Generated certificates and keys are stored in device flash memory and persist across reboots.
Error Handling
The application includes comprehensive error handling for:
- Memory allocation failures
- Cryptographic operation errors
- Certificate generation and signing failures
- File system operations
- Network connectivity issues
