Generating Wrapper Service Digital Certificates
Enterprise certificates (signed by an enterprise CA)
Step 1: Generate enterprise CA key and certificate
The CA key and certificate are needed for signing the client certificate. Store them in a safe place.
openssl genrsa -out MyRootCA.key 2048
openssl req -x509 -new -nodes -key MyRootCA.key -sha256 -days 1024 -out MyRootCA.pem
In some deployment scenarios, these two files will be supplied by the IT department of the company that owns the Kiosks. In this case, step 1 can be skipped.
Step 2: Generate client key & certificate signing request (CSR)
openssl genrsa -out kiosk.key 2048
openssl req -new -key kiosk.key -out kiosk.csr
Warning
You will be prompted to input various data (country name, company name, email address, etc.). Pay special attention to the field named CN (Common Name). It should be set so that CN=localhost, because localhost is the address at which the Kiosk Client will connect to the wrapper services.
Step 3: Generate the signed client certificate based on the enterprise CA certificate
To sign the client certificate, you need the CA key and certificate that were generated in step 1 (or supplied by the IT department). It is also recommended to specify localhost as a Subject Alternative Name (SAN), since clients that validate the SAN rather than the CN would otherwise reject the certificate.
- Create a file named san-ext.conf with the following contents:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName='DNS:localhost'
- Sign the certificate using the command line below:
openssl x509 -req -in kiosk.csr -CA MyRootCA.pem -CAkey MyRootCA.key -CAcreateserial -out kiosk.pem -days 1024 -sha256 -extfile san-ext.conf
Step 4: Export the client key and signed certificate to a single PFX file
openssl pkcs12 -export -out kiosk.pfx -inkey kiosk.key -in kiosk.pem
You will be requested to provide a password for the PFX file. It can be anything non-empty.
Be sure not to forget this password, as you will need it when configuring the wrapper services.
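The four steps above, run non-interactively as one POSIX shell script and followed by the checks a practitioner should run before deploying the PFX (chain validates against the CA, CN and SAN are localhost, the certificate is not itself a CA, the PFX opens with its password). This is an added example, not part of the original page; it assumes openssl is on PATH, and the CA subject name, PFX password and scratch directory are constructed sample values.

```shell
#!/bin/sh
# Added example: steps 1-4 without prompts, written into a scratch directory.
set -eu

PFX_PASSWORD="changeit"   # constructed sample value; use a real secret in deployment

gen_kiosk_certs() {
  work="${1:-$(mktemp -d)}"

  # Step 1: enterprise CA key and self-signed CA certificate (skip if IT supplies them)
  openssl genrsa -out "$work/MyRootCA.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$work/MyRootCA.key" -sha256 -days 1024 \
    -subj "/CN=Example Kiosk Root CA" -out "$work/MyRootCA.pem"

  # Step 2: client key and CSR; -subj replaces the interactive prompts, CN must be localhost
  openssl genrsa -out "$work/kiosk.key" 2048 2>/dev/null
  openssl req -new -key "$work/kiosk.key" -subj "/CN=localhost" -out "$work/kiosk.csr"

  # Step 3: extension file carrying the localhost SAN, then sign the CSR with the CA
  cat > "$work/san-ext.conf" <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName=DNS:localhost
EOF
  openssl x509 -req -in "$work/kiosk.csr" -CA "$work/MyRootCA.pem" -CAkey "$work/MyRootCA.key" \
    -CAcreateserial -out "$work/kiosk.pem" -days 1024 -sha256 \
    -extfile "$work/san-ext.conf" 2>/dev/null

  # Step 4: bundle key and signed certificate into a PFX; the password is passed on the
  # command line only because this demo is non-interactive
  openssl pkcs12 -export -out "$work/kiosk.pfx" -inkey "$work/kiosk.key" \
    -in "$work/kiosk.pem" -passout "pass:$PFX_PASSWORD"

  echo "$work"
}

# Verification before the PFX is handed to the wrapper services; prints "ok" on success.
check_kiosk_certs() {
  work="$1"
  cert="$work/kiosk.pem"
  openssl verify -CAfile "$work/MyRootCA.pem" "$cert" >/dev/null 2>&1 || return 1
  openssl x509 -in "$cert" -noout -subject | grep -q 'CN *= *localhost' || return 1
  openssl x509 -in "$cert" -noout -text | grep -q 'DNS:localhost' || return 1
  openssl x509 -in "$cert" -noout -text | grep -q 'CA:FALSE' || return 1
  openssl pkcs12 -in "$work/kiosk.pfx" -passin "pass:$PFX_PASSWORD" -nokeys >/dev/null 2>&1 || return 1
  echo ok
}
```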