This Configuration Guide shows how to create a certificate structure using the tool XCA.

Certificates or a certificate structure are necessary for various router applications including:

Situation

You want to set up a VPN network or a protected connection and need a certificate structure for authentication and encryption purposes.

Solution

The following describes how to create a complete certificate structure consisting of a CA certificate, a server certificate and key, client certificates and keys, and a certificate revocation list (CRL). Depending on your application, you might not need all of them.

It is a prerequisite that you have downloaded and installed the XCA tool on your computer and that the time and date of the PC are correct. [1]

The generation of a Diffie-Hellman parameter set using XCA (menu File –> Generate DH parameter) is not described here, because a Diffie-Hellman parameter set is already stored on the router and can be downloaded in the Administration –> Certificates menu.

Preliminary steps

A database must be created before the certificate structure. Certificate templates help to keep the certificates consistent.

  1. To create a database, open XCA and select File –> New DataBase.

  2. Enter a filename and specify a proper directory for the XCA database.

  3. Enter a password twice and click on OK to create the database. [2]

Creating certificate templates

Templates can be used to store common information for all certificates and facilitate certificate creation.

  1. To create a CA certificate template, open XCA, change to the Templates tab and click on New Template.

  2. Select CA in the template value selection window and click on OK.

  3. Specify your default values for the CA template, but leave the commonName empty; it is set individually for each certificate.

  4. Change to the Extensions tab, adjust the validity period of the certificate by entering a time range, if required, and click on OK. [3]

  5. Confirm the template creation with OK. [4]

  6. Repeat the previous steps accordingly to create a server template and a client template.

If you want to create special templates for certificates that are used to encrypt or sign update packets for INSYS routers, you need to specify an additional key usage for these certificates. If you create these certificates from the regular templates instead, specify the key usage during certificate creation (see below). To specify the key usage, change to the Key usage tab and select the appropriate X509v3 Key Usage: the certificate used for encryption must have the Data Encipherment key usage set, and the certificate used for signing must have Digital Signature set. This is described in detail in Signing and encrypting update packets.

Creating the certificates and keys

You need a Common Name for each certificate. The Common Name is the unique name of a participant in the secured network and is used, for example, for routing into the client networks. A Common Name must be used for one participant only and cannot be changed after the certificate has been generated. Common Names are case-sensitive; choose one capitalization scheme and use it consistently. The maximum length of the Common Name for an INSYS Smart Device is 29 characters.

Creating a CA certificate and key

  1. To create a CA certificate and key, change to the Certificates tab and click on New Certificate.

  2. Select the CA template created above under Template for the new certificate.

  3. Click on Apply all to enter the data from the template in the form.

  4. Change to the Subject tab, specify the commonName and assign this also as Internal name.

  5. Click on Generate a new key.

  6. Preferably use the commonName as the key Name, too, and click on Create.

  7. Confirm the key creation with OK.

  8. Click on OK and confirm again with OK to complete the creation of the CA certificate.

Creating server and client certificates and keys

  1. To create a server certificate and key, change to the Certificates tab and click on New Certificate.

  2. In the Signing section, select Use this certificate for signing and choose the CA certificate created above.

  3. Select the server template created above under Template for the new certificate.

  4. Click on Apply all to enter the data from the template in the form.

  5. Change to the Subject tab, specify the commonName and assign this also as Internal name.

  6. Click on Generate a new key.

  7. Preferably use the commonName as the key Name, too, and click on Create.

  8. Confirm the key creation with OK.

  9. Click on OK and confirm again with OK to complete the creation of the server certificate.

  10. Repeat the previous steps accordingly to create the necessary number of client certificates.

On the Certificates tab in XCA, click on the expand symbol in front of the CA certificate in the overview to display all certificates signed by this CA.

Exporting the certificates and keys

The certificates and keys created with XCA are stored in the respective XCA database. In order to upload the certificates and keys to the respective routers, browsers, etc., they must be exported. XCA offers different file formats for export. We describe the export to the PKCS#12 format here, because it is suitable for all INSYS Smart Devices. In addition, PKCS#12 allows exporting a complete key pair into one container, which reduces the upload effort. Since the certificate chain can also be exported, the CA certificate does not have to be exported separately. Password protection can be applied.

Never export the CA's private key, because it is essential for the security of the VPN network: anyone holding it can issue certificates that every router trusts. Export only server and client entries; the PKCS#12 chain export of such an entry includes the CA certificate but not the CA key.

  1. To export a certificate and key, change to the Certificates tab, highlight the certificate to be exported in the overview and click on Export.

  2. In the Certificate export window, specify a path and file name.

  3. Select PKCS#12 chain as Export format and click on OK.

  4. In the Password window, specify a password to protect the exported private key while the file is transmitted [5] and click on OK to export the certificate. [6]

  5. Repeat the previous steps accordingly to export all desired certificates.

Revoking certificates using a CRL

It is possible to create a certificate revocation list (CRL) containing the revoked certificates. If certificates have to be revoked before they expire (because of misuse, for example), they are entered into this list. Every updated list must then be uploaded to the device that controls access; until that is done, the device still accepts the revoked certificate.

  1. To revoke a certificate, change to the Certificates tab, right-click the certificate to be revoked in the overview and select Revoke in the context menu.

  2. In the Certificate revocation window, adjust the time of invalidity, enter an optional Revocation reason and click on OK to add this certificate to the CRL.

  3. To create a CRL, change to the Certificates tab, right-click the CA certificate (not the revoked certificate) and select CA –> Generate CRL in the context menu.

  4. In the Create CRL window, click on OK to create the CRL.

  5. Confirm the CRL creation with OK. [7]

  6. To export a CRL, change to the Revocation lists tab, highlight the CRL to be exported in the overview and click on Export.

  7. In the Revocation list export window, specify a path and file name.

  8. Select PEM as Export format and click on OK to export the CRL.
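The procedures above (templates and key usages, certificate and key creation, PKCS#12 chain export, revocation and CRL) as one added example built with the openssl command line instead of the XCA GUI. It is not part of this guide and is not INSYS or XCA code. It assumes openssl 1.1.1 or later on the PATH; the working directory, the Common Names, the validity periods and the export password are made-up values. The checks at the end are the ones worth running on the files XCA exports before uploading them: a container must hold exactly one private key (never the CA's) together with the full chain, and a revoked certificate must fail verification against the current CRL.

```bash
#!/usr/bin/env bash
# Added example, not from the guide, from INSYS or from XCA: the structure the
# guide builds in XCA (CA, server and client certificates with the template key
# usages, PKCS#12 chain exports, revocation and CRL) built with the openssl CLI.
# Directory, Common Names, validity periods and the password are assumptions.
set -eu

CN_MAX=29                 # Common Name limit for an INSYS Smart Device (from the guide)
P12_PASS="export-secret"  # assumed transport password for the PKCS#12 containers

# Reject Common Names a device will not accept (empty or longer than CN_MAX).
check_cn() { [ -n "$1" ] && [ "${#1}" -le "$CN_MAX" ]; }

# X.509v3 extensions standing in for the CA, server and client templates. The
# "update" profile carries Digital Signature plus Data Encipherment, the key
# usages the guide requires for certificates that sign or encrypt update packets.
ext_profile() {
  case "$1" in
    ca)     printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' ;;
    server) printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' ;;
    client) printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' ;;
    update) printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,dataEncipherment\n' ;;
    *)      echo "unknown profile: $1" >&2; return 1 ;;
  esac
}

# Regenerate the CRL from the CA's revocation database. As in the guide's
# footnote 7: rerun after every further revocation, then upload the new CRL.
gen_crl() { openssl ca -config "$1/pki.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null; }

# Self-signed CA plus the bookkeeping files "openssl ca" needs for revocation
# (XCA keeps the equivalent inside its database). The CA key never leaves $dir.
create_ca() {  # create_ca <dir> <commonName>
  local dir="$1" cn="$2"
  check_cn "$cn"
  { printf '[req]\nprompt = no\ndistinguished_name = req_dn\n[req_dn]\nCN = placeholder\n[v3_ca]\n'
    ext_profile ca
    printf '[ca]\ndefault_ca = local_ca\n[local_ca]\ndatabase = %s/index.txt\nserial = %s/serial\n' "$dir" "$dir"
    printf 'certificate = %s/ca.pem\nprivate_key = %s/ca.key\ncrlnumber = %s/crlnumber\n' "$dir" "$dir" "$dir"
    printf 'default_md = sha256\ndefault_crl_days = 30\n'
  } > "$dir/pki.cnf"
  : > "$dir/index.txt"; echo 01 > "$dir/crlnumber"; echo 01 > "$dir/serial"
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 -config "$dir/pki.cnf" \
    -extensions v3_ca -subj "/CN=$cn" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  chmod 600 "$dir/ca.key"
  gen_crl "$dir"   # start with an empty CRL so every verification can consult one
}

# Key, CSR and CA-signed certificate for one participant (XCA: "Use this
# certificate for signing" with the CA certificate selected, template applied).
issue_cert() {  # issue_cert <dir> <server|client|update> <commonName>
  local dir="$1" profile="$2" cn="$3"
  check_cn "$cn" || { echo "commonName rejected: '$cn'" >&2; return 1; }
  ext_profile "$profile" > "$dir/$cn.ext"
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/pki.cnf" -subj "/CN=$cn" \
    -keyout "$dir/$cn.key" -out "$dir/$cn.csr" 2>/dev/null
  openssl x509 -req -in "$dir/$cn.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$dir/$cn.ext" -out "$dir/$cn.pem" 2>/dev/null
}

# XCA "PKCS#12 chain": entity certificate + its key + the CA certificate, never the CA key.
export_p12() {  # export_p12 <dir> <commonName>
  openssl pkcs12 -export -name "$2" -in "$1/$2.pem" -inkey "$1/$2.key" \
    -certfile "$1/ca.pem" -out "$1/$2.p12" -passout "pass:$P12_PASS"
}
# Inspect a container before uploading it: exactly one private key, and the full chain.
p12_key_count()  { openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -nodes 2>/dev/null | grep -c -- '-----BEGIN .*PRIVATE KEY-----' || true; }
p12_cert_count() { openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -nodes 2>/dev/null | grep -c -- '-----BEGIN CERTIFICATE-----' || true; }

# True if the named extension of a certificate contains the given text,
# e.g. cert_has_ext server.pem keyUsage "Digital Signature".
cert_has_ext() { openssl x509 -in "$1" -noout -ext "$2" 2>/dev/null | grep -q -- "$3"; }

# Revoke one certificate (reason as in XCA's revocation dialog) and refresh the CRL.
revoke_cert() {  # revoke_cert <dir> <commonName> <reason>
  openssl ca -config "$1/pki.cnf" -revoke "$1/$2.pem" -crl_reason "$3" 2>/dev/null
  gen_crl "$1"
}

# The check a router performs on a presented certificate: chains to the CA and
# is not listed in the current CRL. Exit status 0 = accepted.
cert_accepted() {  # cert_accepted <dir> <commonName>
  openssl verify -CAfile "$1/ca.pem" -crl_check -CRLfile "$1/crl.pem" "$1/$2.pem" >/dev/null 2>&1
}

WORK="${PKI_DIR:-$(mktemp -d)}"
create_ca   "$WORK" "Example-VPN-CA"
issue_cert  "$WORK" server "vpn-server-1"
issue_cert  "$WORK" client "router-site-01"
issue_cert  "$WORK" client "router-site-02"
issue_cert  "$WORK" update "update-signer"
export_p12  "$WORK" "vpn-server-1"
export_p12  "$WORK" "router-site-01"
revoke_cert "$WORK" "router-site-01" keyCompromise   # e.g. the router was stolen
echo "private keys in vpn-server-1.p12: $(p12_key_count "$WORK/vpn-server-1.p12") (must be 1)"
cert_accepted "$WORK" router-site-02 && echo "router-site-02: accepted"
cert_accepted "$WORK" router-site-01 || echo "router-site-01: rejected, listed in $WORK/crl.pem"
```

Run it as a script; set PKI_DIR to keep the output in a known directory. The same openssl pkcs12 and openssl verify calls can be pointed at the .p12 and CRL files exported from XCA (the .p12 password is the one entered during export); if the key count is greater than one or the CA's Common Name appears next to a private key, the wrong entry was exported.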

Troubleshooting

  • Check the system time and date of the computer to ensure the certificates are created with the actual date; otherwise they might be invalid.

  • If a revoked certificate is still accepted, generate the CRL again after the revocation and upload the new CRL to the device that controls access; a revocation takes effect only once the device has the updated list.


1. Certificates have an expiry date and a start date. A wrong system time (time and date) is a frequent source of failures. Therefore, ensure that the system time of the PC is correct when creating the certificate structure.
2. We strongly recommend specifying a password; the database contains the CA's private key. Remember this password. You'll need it every time you open the database of this CA project.
3. Select a time range that is reasonable for your purpose. The default values are a good guideline. Too long time ranges may cause security or compatibility problems.
4. This creates the CA certificate template. When this template is used while creating a CA certificate, the respective fields are initialised with the default values entered here.
5. If the password fields are left empty, no password will be applied.
6. This exports a certificate container containing the certificate, the key and the certificate chain including the CA certificate.
7. If further certificates are revoked after generating the CRL, it must be generated again.