Ssl Certificates - Siemens RUGGEDCOM ROS v4.3 User Manual

Chapter 1
Introduction
• Immediately after boot, RUGGEDCOM ROS will start to generate a unique SSL certificate and SSH key pair, and
save each one to its corresponding flash file. This process may take several minutes to complete. As each one is
created, the corresponding service is immediately restarted with the new keys.
• At any time during the key generation process, custom keys can be uploaded. The custom keys will take
precedence over both the default and auto-generated keys.
• On subsequent boot, if there is a valid ssl.crt file, the default certificate will not be used for SSL. If there is a
valid ssh.keys file, the default SSH key will not be used.
• At any time, new keys may be uploaded or generated by RUGGEDCOM ROS using the sslkeygen or
sshkeygen CLI commands.
CONTENTS
• Section 1.2.2.1, "SSL Certificates"
• Section 1.2.2.2, "SSH Key Pairs"
Section 1.2.2.1

SSL Certificates

RUGGEDCOM ROS supports SSL certificates that conform to the following specifications:
• X.509 v3 digital certificate format
• PEM format
• For RUGGEDCOM ROS Controlled verions: RSA key pair, 1024, 2048 or 3072 bits; or EC 256, 384 or 521 bits
• For RUGGEDCOM ROS Non-Controlled (NC) verions: RSA key pair, 512 to 2048 bits
The RSA key pair used in the default certificate and in those generated by RUGGEDCOM ROS uses a public key of
1024 bits in length.
NOTE
RSA keys smaller than 2048 bits in length are not recommended. Support is only included here for
compatibility with legacy equipment.
NOTE
The default certificate and keys are common to all RUGGEDCOM ROS versions without a certificate or
key files. That is why it is important to either allow the key auto-generation to complete or to provision
custom keys. In this way, one has at least unique, and at best, traceable and verifiable keys installed
when establishing secure communication with the unit.
NOTE
RSA key generation times increase depending on the key length. 1024 bit RSA keys may take several
minutes to generate, whereas 2048 bit keys may take significantly longer. A typical modern PC system,
however, can generate these keys in seconds.
The following (bash) shell script fragment uses the openssl command line utility to generate a self-signed X.509
v3 SSL certificate with a 1024 bit RSA key suitable for use in RUGGEDCOM ROS. Note that two standard PEM files
are required: the SSL certificate and the RSA private key file. These are concatenated into the resulting ssl.crt
file, which may then be uploaded to RUGGEDCOM ROS:
# RSA key size:
BITS=1024
# 20 years validity:
6
RUGGEDCOM ROS
User Guide
SSL Certificates