Self-Signed Certificate Generation
Self-signed certificates are not recommended for production environments; use a certificate from a trusted issuer there. This section outlines a practical way to generate a self-signed certificate for test and demo purposes.
The following instructions show how to generate a self-signed certificate suitable for a NOM environment using the OpenSSL library. Compatible self-signed certificates generated using other libraries or online tools also work with NOM.
Ensure the OpenSSL library is installed.
Commands used in these instructions were tested with OpenSSL 3.1.1. To check the version of OpenSSL, use the following command:
Create self-signed certificate
Example: to generate a self-signed certificate for common name localhost, which could either be accessed through DNS names of 'localhost.localdomain' or 'my.custom.domain', or with IP addresses of '127.0.0.1' or '192.168.100.5':
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -subj "/CN=localhost" \
    -addext "subjectAltName = DNS:localhost.localdomain, DNS:my.custom.domain, IP:127.0.0.1, IP:192.168.100.5" \
    -addext "keyUsage = critical, digitalSignature, keyEncipherment" \
    -addext "extendedKeyUsage = serverAuth" \
    -addext "authorityKeyIdentifier = keyid:always,issuer:always" \
    -keyout "server.key" \
    -out "server.cer"
As a result, the files server.key and server.cer are created in the current directory.
-subj "…": use to specify the common name
-addext "subjectAltName = …": use to specify alternative DNS name(s) and/or IP address(es)
Convert the generated certificate to the PFX format, specifying a password for the certificate store generated in
openssl pkcs12 -export \
    -inkey "server.key" \
    -in "server.cer" \
    -out "server.pfx" \
    -password "pass:changeit"
To avoid specifying the store password on the command line, omit the
You can then use the files server.pfx to configure the server and agents for TLS encrypted communication.
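A check to run after the two commands above, as an added example that is not part of the original page: it repeats them in a temporary directory and confirms the name matching, the serverAuth usage, the key/certificate pairing and the PFX password. The helper function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Runs the page's two commands in a
# scratch directory, then checks the result the way a TLS client would.

gen_cert() {  # gen_cert DIR: writes server.key, server.cer and server.pfx into DIR
  ( cd "$1" &&
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
      -subj "/CN=localhost" \
      -addext "subjectAltName = DNS:localhost.localdomain, DNS:my.custom.domain, IP:127.0.0.1, IP:192.168.100.5" \
      -addext "keyUsage = critical, digitalSignature, keyEncipherment" \
      -addext "extendedKeyUsage = serverAuth" \
      -addext "authorityKeyIdentifier = keyid:always,issuer:always" \
      -keyout server.key -out server.cer 2>/dev/null &&
    openssl pkcs12 -export -inkey server.key -in server.cer \
      -out server.pfx -password "pass:changeit" )
}

name_matches() {  # name_matches CERT host|ip VALUE: 0 if OpenSSL accepts VALUE
  openssl x509 -in "$1" -noout "-check$2" "$3" 2>/dev/null |
    grep -q "does match certificate"
}

has_server_auth() {  # has_server_auth CERT: 0 if extendedKeyUsage has serverAuth
  openssl x509 -in "$1" -noout -text | grep -q "TLS Web Server Authentication"
}

key_matches_cert() {  # key_matches_cert KEY CERT: 0 if both hold the same public key
  [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

pfx_opens() {  # pfx_opens PFX PASSWORD: 0 if the store's MAC verifies with PASSWORD
  openssl pkcs12 -in "$1" -noout -passin "pass:$2" >/dev/null 2>&1
}

report() { if "$@"; then echo "ok    $*"; else echo "FAIL  $*"; fi; }

dir=$(mktemp -d) || exit 1
trap 'rm -rf "$dir"' EXIT
gen_cert "$dir" || { echo "certificate generation failed" >&2; exit 1; }
report name_matches "$dir/server.cer" host my.custom.domain
report name_matches "$dir/server.cer" ip 192.168.100.5
report name_matches "$dir/server.cer" host localhost  # FAIL: CN ignored when DNS SANs exist
report has_server_auth "$dir/server.cer"
report key_matches_cert "$dir/server.key" "$dir/server.cer"
report pfx_opens "$dir/server.pfx" changeit
```

OpenSSL's host check ignores the CN once the certificate carries DNS subjectAltName entries, so 'localhost' itself is accepted only if it is also listed as 'DNS:localhost'.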