Self-Signed Certificate Generation

Self-signed certificates are not recommended to be used in production environments. For production environments, it is advisable to use a trusted certificate issuer. This section outlines a practical way to generate a self-signed certificate for test and demo purposes.

The following instructions show how a self-signed certificate suitable for a NOM environment can be generated using the OpenSSL library. Compatible self-signed certificates, generated using other libraries or online tools also work with NOM.

  1. Ensure the OpenSSL library is installed.

    Commands used in these instructions were tested with OpenSSL 3.1.1. To check the version of OpenSSL, use the following command:

    openssl version
  2. Create self-signed certificate

    Example: to generate a self-signed certificate for common name localhost, which could either be accessed through DNS names of 'localhost.localdomain' or 'my.custom.domain', or with IP addresses of '127.0.0.1' or '192.168.100.5':

    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
      -subj "/CN=localhost" \
      -addext "subjectAltName = DNS:localhost.localdomain, DNS:my.custom.domain, IP:127.0.0.1, IP:192.168.100.5" \
      -addext "keyUsage = critical, digitalSignature, keyEncipherment" \
      -addext "extendedKeyUsage = serverAuth" \
      -addext "authorityKeyIdentifier = keyid:always,issuer:always" \
      -keyout "server.key" \
      -out "server.cer"

    As a result, files server.key and server.cer are created in the current directory.

    Important parameters:

    • -subj "…​": use to specify the common name

    • -addext "subjectAltName = …​": use to specify alternative DNS name(s) and/or IP address(es)

  3. Convert the generated certificate to the PFX format, specifying a password for the certificate store generated in server.pfx:

    openssl pkcs12 -export \
      -inkey "server.key" \
      -in "server.cer" \
      -out "server.pfx" \
      -password "pass:changeit"

To avoid specifying the store password on the command line, omit the -password option in the previous command to have OpenSSL ask for the password interactively.

You can then use the files server.cer and server.pfx to configure the server and agents for TLS encrypted communication.