Each Aggregator client will be issued a certificate from a common Internal MICA / ICA.
The steps for an OEM to receive an aggregator client certificate are as follows:
- OEM - Generate CSR
- OEM - Submit CSR to DNSP
- OEM / DNSP - Verify CSR
- DNSP - Submit CSR to SwitchDin
NOTE: Including a DNS Subject Alternative Name is not compliant with the IEEE 2030.5 standard, but it is supported as an option. The Subject must be empty, as in the example below.
Step 1: OEM - Generate CSR
Keep the private key generated in this step secure: it never leaves the OEM (the CSR carries only the public key), and the issued certificate is only usable together with it.
# Create the key pair (EC private key on the curve named by $pk_alg_name)
echo "-- Creating Key Pair"
openssl $pk_alg \
-genkey \
-name $pk_alg_name \
-out private/$client_name.pem
# Export the public key
echo "-- Exporting Public Key"
openssl ec \
-in private/$client_name.pem \
-pubout \
-out public/$client_name.pem
# Create a Certificate Signing Request
echo "-- Creating CSR"
openssl req \
-new \
-key private/$client_name.pem \
-config ./conf/$client_name-client.conf \
-subj "/" \
-out csrs/$client_name.csr
The variables used above are:
- pk_alg - "ecparam"
- pk_alg_name - "prime256v1" (NIST P-256; the CSR output in Step 3 shows this curve)
- client_name - the name chosen for the aggregator client; it names the key, public key, CSR and config files
The client_name-client.conf file has the following format:
NOTE: <hw_type_pen> and <hw_serial> are placeholders that the requester replaces with the hardware type OID (typically assigned under the OEM's Private Enterprise Number) and the device hardware serial number; they populate the hardwareModuleName otherName in the Subject Alternative Name shown in Step 3.
# OID base for IEEE 2030 (section 6.11.7.1 in IEEE2030.5 2018)
oid_2030_5 = 1.3.6.1.4.1.40732
# OID for "device types" (section 6.11.7.2 in IEEE2030.5 2018)
oid_dev = $oid_2030_5.1
# Used for most devices
oid_dev_generic = $oid_dev.1
# Used in addition to "generic device type" to identify "mobile" IEEE 2030.5 entities
oid_dev_mobile = $oid_dev.2
# Used in device certs issued post-manufacture
oid_dev_post_manufacture = $oid_dev.3
# OID for 2030.5 Policy Assignments (section 6.11.7.3 in IEEE2030.5 2018)
oid_policy = $oid_2030_5.2
# MUST be included in test certificates
oid_2030_5_policy_test = $oid_policy.1
# MUST be included in IEEE 2030.5 self-signed certificates
oid_2030_5_policy_selfsign = $oid_policy.2
# MUST be included in commercial certificates
oid_2030_5_policy_commercial = $oid_policy.3
# MUST be included in bulk-issued certificates (Priv. Key generated by CA, not by device)
oid_2030_5_policy_bulk = $oid_policy.4
Step 2: OEM - Submit CSR to DNSP
Step 3: OEM / DNSP - Verify CSR
Run this command to view the contents of the CSR:
openssl req -noout -text -in <name>.csr
The output must look like one of the following examples: the Subject is empty, the key is a 256-bit EC key on prime256v1 (P-256), the Certificate Policies and Subject Alternative Name extensions are marked critical, and the signature algorithm is ecdsa-with-SHA256. The "othername: 1.3.6.1.5.5.7.8.4::<unsupported>" entry is the hardwareModuleName otherName (id-on-hardwareModuleName), which openssl cannot decode and therefore prints as <unsupported>; this is expected.
WITHOUT DNS SUBJECT ALTERNATIVE NAME
Certificate Request:
Data:
Version: 1 (0x0)
Subject:
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:ba:ff:e5:6f:0b:88:2c:6e:6a:65:01:ae:4d:28:
a2:75:e5:5e:69:e4:29:f6:6d:2b:e8:aa:dd:e0:01:
33:bd:f4:fc:68:2a:69:be:ca:b1:0b:0f:a1:8b:9a:
f5:93:41:c2:f6:ed:f8:fc:9c:88:17:37:41:e1:70:
a7:52:67:0f:98
ASN1 OID: prime256v1
NIST CURVE: P-256
Attributes:
Requested Extensions:
X509v3 Certificate Policies: critical
Policy: 1.3.6.1.4.1.40732.1.1
Policy: 1.3.6.1.4.1.40732.2.1
X509v3 Subject Alternative Name: critical
othername: 1.3.6.1.5.5.7.8.4::<unsupported>
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:46:02:21:00:d1:b1:87:04:96:05:a4:ae:ac:e0:a5:52:d7:
71:d5:cf:c2:e8:ba:a5:0c:38:77:32:7c:c8:e2:c7:d6:64:2c:
b3:02:21:00:82:17:c6:e9:05:a4:2e:37:00:4d:98:2a:f4:a9:
59:cf:63:20:04:cd:36:ab:53:9a:86:9e:6d:f9:2e:69:d8:4f
WITH DNS SUBJECT ALTERNATIVE NAME
Certificate Request:
Data:
Version: 1 (0x0)
Subject:
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:ba:ff:e5:6f:0b:88:2c:6e:6a:65:01:ae:4d:28:
a2:75:e5:5e:69:e4:29:f6:6d:2b:e8:aa:dd:e0:01:
33:bd:f4:fc:68:2a:69:be:ca:b1:0b:0f:a1:8b:9a:
f5:93:41:c2:f6:ed:f8:fc:9c:88:17:37:41:e1:70:
a7:52:67:0f:98
ASN1 OID: prime256v1
NIST CURVE: P-256
Attributes:
Requested Extensions:
X509v3 Certificate Policies: critical
Policy: 1.3.6.1.4.1.40732.1.1
Policy: 1.3.6.1.4.1.40732.2.1
X509v3 Subject Alternative Name: critical
DNS:<SUBJECTALTERNATENAME>, othername: 1.3.6.1.5.5.7.8.4::<unsupported>
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:46:02:21:00:d1:b1:87:04:96:05:a4:ae:ac:e0:a5:52:d7:
71:d5:cf:c2:e8:ba:a5:0c:38:77:32:7c:c8:e2:c7:d6:64:2c:
b3:02:21:00:82:17:c6:e9:05:a4:2e:37:00:4d:98:2a:f4:a9:
59:cf:63:20:04:cd:36:ab:53:9a:86:9e:6d:f9:2e:69:d8:4f
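Steps 1 and 3 carried through end to end, as an added example (this is not SwitchDin's, the DNSP's, or any OEM's tooling): the script writes a <client>-client.conf, generates the P-256 key pair and empty-subject CSR as in Step 1, then applies the Step 3 checks to that CSR and to a control CSR without extensions, which must be rejected. The [ req ], [ req_ext ] and [ hw_module_name ] sections are this example's reconstruction of the parts of the conf the page does not show; they request the critical Certificate Policies and the critical Subject Alternative Name carrying the hardwareModuleName otherName that appear in the verification output above. The client name, hardware type OID and hardware serial are placeholder assumptions, and the openssl CLI (1.1.1 or 3.x) must be installed.

```sh
#!/bin/sh
# Added example, not SwitchDin/DNSP/OEM tooling. Walks Step 1 and Step 3:
# writes a <client>-client.conf, generates the P-256 key pair and empty-subject
# CSR, then applies the checks a reviewer would run before forwarding the CSR.
# Assumptions (placeholders, replace for a real request): CLIENT_NAME,
# HW_TYPE_OID (the <hw_type_pen> hardware type OID), HW_SERIAL_HEX (<hw_serial>).
# The [ req ] / [ req_ext ] / [ hw_module_name ] sections are a reconstruction
# of the conf parts the page omits; they request the extensions shown in Step 3.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CLIENT_NAME="${CLIENT_NAME:-example-aggregator}"        # placeholder
HW_TYPE_OID="${HW_TYPE_OID:-1.3.6.1.4.1.40732.1.1}"    # placeholder for <hw_type_pen>
HW_SERIAL_HEX="${HW_SERIAL_HEX:-0123456789abcdef}"     # placeholder for <hw_serial>, hex bytes

# Step 1 conf: the page's OID aliases, then the request sections. The SAN carries
# a hardwareModuleName otherName (id-on-hardwareModuleName, 1.3.6.1.5.5.7.8.4),
# which is what openssl later prints as "othername: ...<unsupported>".
write_conf() {
  mkdir -p "$WORKDIR/conf" "$WORKDIR/private" "$WORKDIR/public" "$WORKDIR/csrs"
  cat > "$WORKDIR/conf/$CLIENT_NAME-client.conf" <<EOF
oid_2030_5 = 1.3.6.1.4.1.40732
oid_dev = \$oid_2030_5.1
oid_dev_generic = \$oid_dev.1
oid_policy = \$oid_2030_5.2
oid_2030_5_policy_test = \$oid_policy.1

[ req ]
distinguished_name = req_dn
req_extensions = req_ext

[ req_dn ]
# intentionally empty: the subject is set to "/" on the command line

[ req_ext ]
certificatePolicies = critical, \$oid_dev_generic, \$oid_2030_5_policy_test
subjectAltName = critical, otherName:1.3.6.1.5.5.7.8.4;SEQUENCE:hw_module_name

[ hw_module_name ]
hwType = OID:$HW_TYPE_OID
hwSerialNum = FORMAT:HEX,OCT:$HW_SERIAL_HEX
EOF
}

# Step 1 commands: private key (never leaves the OEM), exported public key,
# CSR with an empty subject. Prints the CSR path.
gen_key_and_csr() {
  key="$WORKDIR/private/$CLIENT_NAME.pem"
  csr="$WORKDIR/csrs/$CLIENT_NAME.csr"
  openssl ecparam -genkey -noout -name prime256v1 -out "$key"
  openssl ec -in "$key" -pubout -out "$WORKDIR/public/$CLIENT_NAME.pem" 2>/dev/null
  openssl req -new -key "$key" -subj "/" \
    -config "$WORKDIR/conf/$CLIENT_NAME-client.conf" -out "$csr"
  echo "$csr"
}

# Control case: same key, no requested extensions. verify_csr must reject it.
gen_plain_csr() {
  csr="$WORKDIR/csrs/$CLIENT_NAME-plain.csr"
  printf '[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\n' > "$WORKDIR/conf/plain.conf"
  openssl req -new -key "$WORKDIR/private/$CLIENT_NAME.pem" -subj "/" \
    -config "$WORKDIR/conf/plain.conf" -out "$csr"
  echo "$csr"
}

# Step 3 checks. Prints one FAIL line per problem; returns 0 only if all pass.
verify_csr() {
  csr="$1"; rc=0
  text="$(openssl req -noout -text -in "$csr")"
  # Self-signature: proof of possession of the private key behind the public key.
  if ! openssl req -noout -verify -in "$csr" 2>&1 | grep -q 'verify OK'; then
    echo "FAIL: CSR self-signature does not verify"; rc=1
  fi
  # Each line: extended regex the text dump must match | message if it does not.
  while IFS='|' read -r pat msg; do
    printf '%s\n' "$text" | grep -Eq "$pat" || { echo "FAIL: $msg"; rc=1; }
  done <<'EOF'
^[[:space:]]*Subject:[[:space:]]*$|subject is not empty
NIST CURVE: P-256|key is not EC P-256 (prime256v1)
Certificate Policies: critical|certificatePolicies missing or not marked critical
Policy: 1\.3\.6\.1\.4\.1\.40732\.1\.1$|generic device type OID 1.3.6.1.4.1.40732.1.1 missing
Policy: 1\.3\.6\.1\.4\.1\.40732\.2\.[1-4]$|no 2030.5 policy assignment OID (1.3.6.1.4.1.40732.2.x)
Subject Alternative Name: critical|SAN missing or not marked critical
othername|hardwareModuleName otherName missing from the SAN
Signature Algorithm: ecdsa-with-SHA256|signature algorithm is not ecdsa-with-SHA256
EOF
  return "$rc"
}

main() {
  write_conf
  csr="$(gen_key_and_csr)"
  echo "CSR written to $csr"
  verify_csr "$csr" && echo "CSR passes the Step 3 checks"
}
main
```

Run it as-is to see the generated CSR path and the check result; set CLIENT_NAME, HW_TYPE_OID and HW_SERIAL_HEX in the environment to use real values. The self-signature check matters as much as the extension checks: a CSR whose signature does not verify proves nothing about possession of the private key, so it should be rejected before anyone looks at its extensions.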
Step 4: DNSP - Submit CSR to SwitchDin
Submit the aggregator client certificate CSR to the SwitchDin Help Centre Portal.