Create Key & Certificate for HTTPS Server using IP on Windows
Introduction
HTTP is a protocol used to enable communication between web browsers and servers. A secure variation of this protocol is HTTPS, which adds encryption to protect data exchanged between the client and the server. This ensures that even if someone intercepts the communication, they cannot understand the transmitted information.
In embedded systems and MCU-based applications, libraries such as mbedTLS are commonly used to implement secure communication. These libraries rely on cryptographic keys and digital certificates.
For production environments, certificates are typically signed by a Certificate Authority (CA), which guarantees their authenticity and allows web browsers to trust the connection. However, when a certificate is generated manually (self-signed), web browsers do not inherently trust it. Despite this, self-signed certificates are a practical option for internal or development use cases, since the communication remains encrypted. Additionally, it is possible to configure client devices to trust these certificates when required.
Download OpenSSL
First, verify whether OpenSSL is installed on your system. If not, it must be downloaded and installed. To check whether OpenSSL is already installed, run the following command in a command prompt:
openssl version
If the command is not recognized, OpenSSL is not installed. Installation instructions for your operating system are easy to find on the web; there are many reliable step-by-step guides for Windows, Linux, and macOS that explain how to download, install, and verify OpenSSL. Following an up-to-date guide for your OS helps ensure the installation is completed correctly and securely.
Preparation
Select a folder where all keys and certificates will be stored. Open a command prompt in this folder and proceed with the following steps.
Create Keys
NOTE: Please replace each %%Name%% placeholder according to your preference.
Create a private key for the server certificate:
openssl genrsa -out %%KeyName%%.key 2048
Create a private key to simulate a Certificate Authority (CA):
openssl genrsa -out %%CAKeyName%%.key 2048
Create Certificate Authority
Generate a self-signed CA certificate:
openssl req -x509 -new -nodes -key %%CAKeyName%%.key -sha256 -days 3650 -out %%CAName%%.crt
Create Server Certificate
Config file to request certificate
Create a configuration file named %%ConfigFileName%%.cnf using the following template; it can be created with Notepad. The subjectAltName entry holding the server's IP address is what lets a browser match the certificate to an IP-based URL, since browsers do not use the CN field for that check.
[req]
default_bits = 2048
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
C=%%Country%%
ST=%%State%%
L=%%City%%
O=%%Owner%%
OU=%%Division%%
CN=%%CommonName%%
[v3_req]
subjectAltName = @alt_names
[alt_names]
IP.1 = %%ServerIP%%
Generate Certificate Signing Request (CSR)
openssl req -new -key %%KeyName%%.key -out %%CertificateRequestName%%.csr -config %%ConfigFileName%%.cnf
Sign Certificate with simulated CA
openssl x509 -req -in %%CertificateRequestName%%.csr -CA %%CAName%%.crt -CAkey %%CAKeyName%%.key -CAcreateserial -out %%CertificateName%%.crt -days 365 -extensions v3_req -extfile %%ConfigFileName%%.cnf
Prepare to use with mbedTLS
Convert the private key to DER (Distinguished Encoding Rules)
openssl rsa -in %%KeyName%%.key -outform DER -out %%KeyName%%_key.der
Convert the certificate to DER (Distinguished Encoding Rules)
openssl x509 -in %%CertificateName%%.crt -outform DER -out %%CertificateName%%.der
Convert Key DER to array in a source file
xxd -i %%KeyName%%_key.der > %%KeyName%%_key.c
Convert Certificate DER to array in a source file
xxd -i %%CertificateName%%.der > %%CertificateName%%_cert.c
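xxd is not part of a default Windows installation. As an added example that is not from the original article, the following Python script produces the same output as `xxd -i` (array name derived from the file name, 12 bytes per line, plus a `_len` variable) and first checks that the input really is one complete DER object, which catches the common mistake of feeding the PEM file instead of the .der file. The file name `der2c.py` and the helper names are assumptions.

```python
import re
import sys
from pathlib import Path


def der_object_length(data: bytes) -> int:
    """Return the total length of the outer DER SEQUENCE in `data`.

    Both an X.509 certificate and an RSA private key are a top-level
    SEQUENCE (tag 0x30). A PEM file (text starting with '-----BEGIN')
    or a truncated file is rejected here, because mbedTLS would only
    fail later, at run time, with a far less helpful parse error.
    """
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("input is not a DER SEQUENCE (is it still PEM?)")
    first = data[1]
    if first < 0x80:                       # short form: length fits in 7 bits
        header, length = 2, first
    else:                                  # long form: next N bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            raise ValueError("unsupported or truncated DER length")
        header = 2 + n
        length = int.from_bytes(data[2:header], "big")
    total = header + length
    if total != len(data):
        raise ValueError(f"DER length {total} does not match file size {len(data)}")
    return total


def der_to_c_array(data: bytes, name: str) -> str:
    """Render `data` the way `xxd -i` does: a C array plus a *_len variable."""
    der_object_length(data)                # sanity-check before emitting anything
    ident = re.sub(r"[^0-9A-Za-z_]", "_", name)  # xxd also turns '.' into '_'
    lines = []
    for i in range(0, len(data), 12):      # xxd emits 12 bytes per line
        chunk = ", ".join(f"0x{b:02x}" for b in data[i:i + 12])
        lines.append(f"  {chunk}")
    body = ",\n".join(lines)
    return (f"unsigned char {ident}[] = {{\n{body}\n}};\n"
            f"unsigned int {ident}_len = {len(data)};\n")


if __name__ == "__main__":
    # usage: python der2c.py server_key.der > server_key.c
    path = Path(sys.argv[1])
    sys.stdout.write(der_to_c_array(path.read_bytes(), path.name))
```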
Install CA Certificate (Optional – Avoid Browser Warnings)
To prevent browser warnings, install the CA certificate on the client device (PC, phone, etc.).
Double-click the CA certificate file (.crt).
Click Install Certificate.
Select Local Machine.
Choose Place all certificates in the following store.
Click Browse and select Trusted Root Certification Authorities.
Click Next → Finish.
After this step, the system will trust certificates signed by this CA.