Self-Signed Certificate Generation
Self-signed certificates are not recommended to be used in production environments. For production environments, it is advisable to use a trusted certificate issuer. This section outlines a practical way to generate a self-signed certificate for test and demo purposes. |
The following instructions show how a self-signed certificate suitable for a NOM environment can be generated using the OpenSSL library. Compatible self-signed certificates, generated using other libraries or online tools also work with NOM.
-
Ensure the OpenSSL library is installed.
Commands used in these instructions were tested with OpenSSL 3.1.1. To check the version of OpenSSL, use the following command:
openssl version
-
Create self-signed certificate
Example: to generate a self-signed certificate for common name
localhost
, which could either be accessed through DNS names of 'localhost.localdomain' or 'my.custom.domain', or with IP addresses of '127.0.0.1' or '192.168.100.5':openssl req -x509 -nodes -days 365 -newkey rsa:2048 \ -subj "/CN=localhost" \ -addext "subjectAltName = DNS:localhost.localdomain, DNS:my.custom.domain, IP:127.0.0.1, IP:192.168.100.5" \ -addext "keyUsage = critical, digitalSignature, keyEncipherment" \ -addext "extendedKeyUsage = serverAuth" \ -addext "authorityKeyIdentifier = keyid:always,issuer:always" \ -keyout "server.key" \ -out "server.cer"
As a result, files
server.key
andserver.cer
are created in the current directory.Important parameters:
-
-subj "…"
: use to specify the common name -
-addext "subjectAltName = …"
: use to specify alternative DNS name(s) and/or IP address(es)
-
-
Convert the generated certificate to the PFX format, specifying a password for the certificate store generated in
server.pfx
:openssl pkcs12 -export \ -inkey "server.key" \ -in "server.cer" \ -out "server.pfx" \ -password "pass:changeit"
To avoid specifying the store password on the command line, omit the |
You can then use the files server.cer
and server.pfx
to configure the server and agents for TLS encrypted communication.