Creating a self-signed Certificate with OpenSSL
Private keys and self-signed certificates can, of course, also be generated with OpenSSL. Please note that for use by Trusted Execution both have to be in DER format (binary format). There are several ways to create these files.
We first generate an RSA private key with the command “openssl genrsa”, with a length of 4096 bits:
# openssl genrsa -out privkey.pem 4096
#
Note: The file is created in PEM format.
We recommend protecting the private key file with a password. For this purpose, you can use the AES192 cipher with the additional option “-aes192“:
# openssl genrsa -out privkey.pem -aes192 4096
Enter PEM pass phrase: XXXXXXXX
Verifying - Enter PEM pass phrase: XXXXXXXX
#
For use by Trusted Execution, the private key file must be converted to the binary DER format. This can be done using the “openssl rsa” command. Here, we only demonstrate the conversion to DER, assigning a password to the new private key file in DER format:
# openssl rsa -in privkey.pem -outform DER -out privkey.der -aes192
Enter pass phrase for privkey.pem: XXXXXXXX
writing RSA key
Enter pass phrase: YYYYYYYY
Verifying - Enter pass phrase: YYYYYYYY
#
Note: If the private key file is to be created without a password, the “-aes192” option must be omitted. Instead of AES192, other ciphers supported by OpenSSL can also be used for encryption.
The first pass phrase prompt only appears if the private key file being converted was protected with a password.
The self-signed certificate can now be generated using the private key created above. The option “-outform DER” is important so that the certificate is generated directly in binary DER format. With OpenSSL versions before 3.0, which do not detect the key format automatically, the key format must additionally be given explicitly with “-keyform DER”:
# openssl req -new -x509 -key privkey.der -outform DER -out cert.der -days 365
Enter pass phrase for privkey.der:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Bavaria
Locality Name (eg, city) []:Munich
Organization Name (eg, company) [Internet Widgits Pty Ltd]:PowerCampuse 01
Organizational Unit Name (eg, section) []:AIX
Common Name (e.g. server FQDN or YOUR name) []:Security
Email Address []:
#
Note: The pass phrase prompt only appears if the specified private key file is protected by a password.
The self-signed certificate generated in the example is valid for 365 days.
The private key and certificate can then be used to add your own files to the TSD (Trusted Signature Database). The private key is then used to generate the signatures for the files.
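The complete procedure as a non-interactive shell script, added here as an example and not taken from the original page: it generates the password-protected PEM key, converts it to DER, creates the self-signed DER certificate, and then checks that certificate and private key actually belong together. The pass phrase is read from the environment variable TE_KEY_PASS and the Distinguished Name values are constructed; both are assumptions of this example, not part of the original.

```shell
#!/bin/sh
# Added example, not part of the original page: the three OpenSSL steps above
# run non-interactively, producing privkey.pem, privkey.der and cert.der in a
# directory, followed by a check that key and certificate belong together.
# Assumptions (not from the original): the pass phrase comes from the
# environment variable TE_KEY_PASS, and the subject (DN) values are constructed.
set -eu

# make_te_keypair DIR
# Step 1: 4096-bit RSA key in PEM format, protected with AES-192.
# Step 2: conversion to binary DER, again password protected.
# Step 3: self-signed certificate written directly in DER format.
make_te_keypair() {
    dir=$1
    : "${TE_KEY_PASS:?set TE_KEY_PASS to the pass phrase for the private key}"

    # env:NAME reads the pass phrase from an environment variable, so it is
    # neither typed interactively nor visible in the process list (as pass:... would be).
    openssl genrsa -aes192 -passout env:TE_KEY_PASS \
        -out "$dir/privkey.pem" 4096 2>/dev/null

    # OpenSSL 3.x writes an encrypted PKCS#8 structure here; OpenSSL 1.1.1 and
    # older ignore -aes192 for DER output and write the key unencrypted.
    openssl rsa -in "$dir/privkey.pem" -passin env:TE_KEY_PASS \
        -outform DER -aes192 -passout env:TE_KEY_PASS \
        -out "$dir/privkey.der" 2>/dev/null

    # -keyform DER is needed on OpenSSL < 3.0 (no key-format auto-detection);
    # -subj supplies the Distinguished Name instead of the interactive prompts.
    openssl req -new -x509 -key "$dir/privkey.der" -keyform DER \
        -passin env:TE_KEY_PASS \
        -subj "/C=DE/ST=Bavaria/L=Munich/O=Example Org/OU=AIX/CN=Security" \
        -days 365 -outform DER -out "$dir/cert.der"
}

# keypair_matches DIR
# Prints "match" when the public key inside cert.der is the one derived from
# privkey.der, otherwise "mismatch". A certificate that does not belong to the
# signing key would make every signature created with that key unverifiable.
keypair_matches() {
    dir=$1
    cert_pub=$(openssl x509 -in "$dir/cert.der" -inform DER -noout -pubkey)
    key_pub=$(openssl rsa -in "$dir/privkey.der" -inform DER \
        -passin env:TE_KEY_PASS -pubout 2>/dev/null)
    if [ "$cert_pub" = "$key_pub" ]; then
        echo match
    else
        echo mismatch
    fi
}

# der_key_is_encrypted DIR
# Prints "yes" if privkey.der cannot be opened with a deliberately wrong pass
# phrase, i.e. it really is password protected; "no" if it opens anyway.
# Use this to catch the unencrypted-DER behaviour of older OpenSSL releases.
der_key_is_encrypted() {
    if openssl rsa -in "$1/privkey.der" -inform DER \
        -passin pass:deliberately-wrong -noout >/dev/null 2>&1; then
        echo no
    else
        echo yes
    fi
}

# Usage: TE_KEY_PASS=... sh make_te_keypair.sh /path/to/output-dir
if [ $# -ge 1 ]; then
    make_te_keypair "$1"
    echo "key/certificate: $(keypair_matches "$1")"
    echo "DER key password protected: $(der_key_is_encrypted "$1")"
    openssl x509 -in "$1/cert.der" -inform DER -noout -subject -dates
fi
```

The last two checks are the ones worth keeping in a real workflow: the public-key comparison catches a certificate that was accidentally issued from a different key, and the wrong-pass-phrase probe shows whether the DER key file is really encrypted on the OpenSSL release in use, which is exactly the point where older releases differ from the behaviour shown on this page.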