Summary

A scripted method of creating the Switch certificate files instead of using Tachyon Setup or the Certificate Manager tool.

The Switch certificate files are used by a Switch to validate secure communications between it and other Tachyon components and Tachyon Agents.

The files and their contents are described below.

File: <computername>.cer

Where <computername> is the hostname of the server where the Tachyon Web Server and Switch is installed.

This file contains:

  • The public key of the Tachyon Web Server certificate, which will be used by the Switch.

File: <computername>.key

Where <computername> is the hostname of the server where the Tachyon Web Server and Switch is installed.

This file contains:

  • The private key of the Tachyon Web Server certificate, which will be used by the Switch.

The key is not encrypted with a passphrase (it does not have a password). Therefore this file should be protected as described in Services and NTFS Security.

File: cacert.pem

The Switch uses this file to validate the certification paths (trust chains) for all the components it communicates with.

This file contains a list of CA public keys:

  • For the Tachyon Web Server:
      • The public keys for all the intermediate CAs, up to and including the Root CA, in the Tachyon Web Server certificate’s certification path.
  • For the Tachyon Agent devices:
      • All the public keys for all the intermediate CAs, up to and including the Root CAs, for each of the Tachyon Agent device certificate’s certification paths.
      • Should also include the old keys of any CA in any of the certification paths that has had its certificate renewed or re-issued, because Agent devices may still be using the old trust certificates.

The prerequisite is the Web Server certificate must already have been imported into the Tachyon Server's local computer Personal Certificates store.


Export the Tachyon Web Server Certificate

The Tachyon Web Server Certificate must first be exported as a PFX file. It can then be processed into separate files so that the Tachyon Server installer can integrate the certificate and key with the Tachyon Switch.

The example shows the simplest method of doing this on the actual Tachyon Server. It is possible to create the certificate and export the files remotely.

  1. The Tachyon Server installation files include a zip called Tachyon-OpenSSL.zip. Extract the zip files into a folder for later use when exporting the certificate.
  2. Start mmc and add the Certificates snap-in to manage certificates for the Computer account on the Local computer.
  3. In the added snap-in, navigate to Certificates (Local Computer) -> Personal -> Certificates.

    • Right-click on the Tachyon Certificate, created earlier, to display the context-menu.
    • Select the option All Tasks->Export...
  4. The Certificate Export Wizard will be displayed. Click Next on the Welcome page and on the Export Private Key page select the Yes, export the private key option, as shown in the following picture. Click Next to continue.
  5. On the Export File Format page ensure the Personal Information Exchange - PKCS #12 (.PFX) option is selected and the Include all certificates in the certification path if possible is selected, and also select the Export all extended properties option, as shown in the following picture. Click Next to continue.
  6. On the Security screen enter a Password that will be used when processing the exported certificate using the OpenSSL command-lines, as shown in the following picture. The password must be secure because it protects the private key of the certificate. Click Next to continue.  
  7. On the File to Export page set a name for the file and select to save it to a safe folder. In our example, for expediency, we just use the folder where the OpenSSL files are located and name the file TACHYONCERT.pfx, as shown in the following picture. Click Next to continue.
  8. The Completing the Certificate Export Wizard page provides a summary of the export settings. Click Finish to complete the export.
  9. Click OK to close the 'export was successful' popup.
  10. After exporting you should have the exported pfx file in the directory where your OpenSSL files are located, as shown in the following picture.


Use OpenSSL tools to create the .CER and .KEY files

OpenSSL binary files are contained in a release zip file, available for download from one of the sites listed on the OpenSSL wiki, e.g.

https://indy.fulgan.com/SSL/

Note that neither OpenSSL nor 1E endorse the site or its owner in any way.

Testing these commands was performed with version 0.9.8k but later versions should also be suitable.

When running the commands below you can ignore warning messages that the config file openssl.cnf could not be opened. The .cnf file is not required for these commands.

  1. Open a command-prompt in the OpenSSL directory. The first command creates a <computername>.cer file from the TachyonCert.pfx file. In our example the command-line for this is:

    openssl pkcs12 -in TachyonCert.pfx -clcerts -nokeys -out %computername%.cer

    When the command is run you will be prompted to Enter Import Password. Enter the secure password that you set when exporting the Tachyon Switch certificate.


  2. The second command extracts the encrypted key from the TachyonCert.pfx file. In our example the command-line for this is:

    openssl pkcs12 -in TachyonCert.pfx -nocerts -out TachyonCert-encrypted.key

    When the command is run you will be prompted to Enter Import Password. Enter the password that you set when exporting the Tachyon Switch certificate.

    You will also be prompted to enter and verify a PEM pass phrase, which will be used in the next command-line to process the encrypted key output by this one. The PEM pass phrase does not need to be secure because the TachyonCert-encrypted.key file will be deleted in a later step.


  3. The third command-line processes the encrypted key and creates a <computername>.key file so that it can be used by the Tachyon Switch. In our example the command-line for this is:

    openssl rsa -in TachyonCert-encrypted.key -out %computername%.key

    When this command is run you will be prompted for the PEM pass phrase used in the previous command. The following picture shows the screen output from running the three command-lines:

  4. Once the <computername>.key file has been created you can safely delete the intermediate encrypted key file called TachyonCert-encrypted.key.

  5. At this point you will have two new files in your OpenSSL directory:

    <computername>.cer
    <computername>.key

    For example:

    ACME-CM12.cer
    ACME-CM12.key

    The following picture shows the current contents of the OpenSSL directory.

  6. Finally, the TACHYONCERT.pfx file can be optionally deleted or moved to a safe place.


Export the Trusted Root Certificates to create the CACERT.pem file

The following describes how to export the Trusted Root Certificate and create a .pem file. The file must be exported in Base-64 encoded X.509 format, and the exported file must be renamed to use the .pem file extension.

The Tachyon Switch requires a file named CACERT.pem which contains a list of public keys.

For a device certificate to be trusted by the Switch, the CACERT.pem file must contain the public key of the CA that issued the device's certificate and each CA in the certificate's trust chain, including intermediates. As well as the latest keys, the pem file should also include old keys of any CA that has had its certificate renewed or reissued, because devices may still be using the old trust certificates. Devices include any Tachyon web server and any Tachyon Agent device.

You should export each relevant CA certificate individually and manually append it to the CACERT.pem file.

  1. In the Certificates->Trusted Root Certification Authorities->Certificates folder window right-click on the CA root certificate, and select the All Tasks->Export... option from the context-menu, as shown in the following picture.
  2. In the Certificate Export Wizard, skip past the Welcome page by clicking Next and on the Export File Format page select the Base-64 encoded X.509 (.CER) option, as shown in the following picture. Click Next to continue.
  3. On the File to Export screen select to save the file in your OpenSSL directory using the file name CACERT.cer, as shown in the following picture. Click Next to continue.
  4. The Completing the Certificate Export Wizard page provides a summary of the export settings. Click Finish to complete the export, then click OK to close the confirmation popup.
  5. Your OpenSSL folder will then contain a new file named CACERT.cer; rename this file to CACERT.pem.


Manually adding Public Keys to the PEM file

The CACERT.PEM file created by the above procedure contains the public key of the CA Root Certificate. This is sufficient if that is the only CA in the environment.

If your Tachyon web server certificate was issued by a subordinate CA, then the PEM file must also contain the public key of that CA, and for any other CA in the certificate's Certification Path (also known as the trust chain).

Further, the PEM file must contain the public key of each CA in the trust chain of certificates used by client devices.

Do not delete old keys from the PEM file. You need to include old keys of any CA that has had its certificate renewed or reissued, because devices may still be using the old trust certificates.

  1. On a Windows client device, start mmc.
  2. Add the Certificates snap-in to manage certificates for the Computer account on the Local computer.
  3. In the added snap-in, navigate to Certificates (Local Computer) -> Personal -> Certificates.
  4. Double-click on the certificate used for Client Authentication, to open the certificate.
  5. Click on the Certification Path tab.

  6. Work through each CA in the certificate's trust path, starting at the lowest (the one nearest to the client device) and walking up the path to the Root CA, as follows.
  7. Double-click on the nearest CA, to open the CA certificate. In our example this is the ACMEUSCA CA.

  8. Click on the Details tab.
  9. Click on Copy to File...
  10. On the Certificate Export Wizard dialog, click Next
  11. On the Export File Format screen, select Base-64 encoded X.509 (.CER) and click Next.
  12. Enter the path and file name of the CER file, and click Next. (tip: use the same name as the CA)
  13. Click Finish.
  14. On the export was successful popup, click OK.
  15. Click OK to close the CA certificate.
  16. Locate the exported CER file, and copy it to the Tachyon Server.
  17. On the Tachyon Server, use notepad to open the CER file and the PEM file, and copy the contents of the CER file (the CA public key) into the PEM file and save.

  18. Repeat for each CA until you have included the Root CA. Avoid duplicating keys. You can insert comments between the line -----END CERTIFICATE----- and the next -----BEGIN CERTIFICATE-----.


To open the certificate of the next CA in the trust path, you can either:

  • keep the CA certificate open, and switch to the Certification Path tab and select the next CA
  • close the CA certificate, return to the device certificate Certification Path tab and select the next CA
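Steps 17 and 18 above can be done by hand in Notepad; the script below is an added illustration (not part of the 1E documentation or product) of the same merge: it appends each exported .cer to an existing CACERT.pem, skips a certificate already present by comparing the SHA-256 of the decoded DER (so a re-wrapped copy of the same CA key is not duplicated), and writes a label line between blocks as step 18 permits. The sample inputs are constructed byte strings, not real certificates, and the label and function names are assumptions.

```python
import base64
import hashlib

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def pem_blocks(text):
    """Return the DER bytes of every CERTIFICATE block in PEM/CER text.
    Free text outside the BEGIN/END markers (comments, labels) is ignored."""
    ders, body = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == BEGIN:
            body = []
        elif line == END and body is not None:
            ders.append(base64.b64decode("".join(body), validate=True))
            body = None
        elif body is not None and line:
            body.append(line)
    return ders


def merge_ca_bundle(sources, existing=""):
    """Append the CA certificates in sources ({label: pem_text}) to the
    existing CACERT.pem text. A certificate whose DER is already present is
    skipped. Returns (new_bundle_text, labels_added)."""
    seen = {hashlib.sha256(d).hexdigest() for d in pem_blocks(existing)}
    out = existing.rstrip("\n") + "\n" if existing.strip() else ""
    added = []
    for label, text in sources.items():
        for der in pem_blocks(text):
            fp = hashlib.sha256(der).hexdigest()
            if fp in seen:
                continue
            seen.add(fp)
            b64 = base64.b64encode(der).decode()
            wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            if out:  # a label line is only placed between END and BEGIN
                out += f"{label} sha256:{fp[:16]}\n"
            out += f"{BEGIN}\n{wrapped}\n{END}\n"
            added.append(label)
    return out, added


def _fake_cer(payload, wrap=64):
    """Constructed sample .cer text; the payload is NOT a real certificate."""
    b64 = base64.b64encode(payload).decode()
    return f"{BEGIN}\n" + "\n".join(b64[i:i + wrap] for i in range(0, len(b64), wrap)) + f"\n{END}\n"


SAMPLE_ROOT = _fake_cer(b"constructed DER for ACME Root CA " * 3)
SAMPLE_SUB = _fake_cer(b"constructed DER for ACMEUSCA subordinate CA " * 3)
```

To use it on real exports, read each copied .cer with open(...).read() into the sources dictionary, keyed by the CA name, and write the returned text back to CACERT.pem.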